From d7cbf10b07e214e211feb9484125d65a4c7f150e Mon Sep 17 00:00:00 2001
From: jasper
Date: Wed, 18 Jul 2012 11:15:30 +0000
Subject: [PATCH] Security fix for CVE-2012-3368 Memory portion (random stack data) disclosure to the client by unclean client disconnect
---
 misc/dtach/Makefile | 4 ++--
 misc/dtach/patches/patch-attach_c | 33 +++++++++++++++++++++++++++----
 misc/dtach/patches/patch-master_c | 27 +++++++++++++++++++++----
 3 files changed, 54 insertions(+), 10 deletions(-)
diff --git a/misc/dtach/Makefile b/misc/dtach/Makefile
index 48d75fc44bc..954f8ef85db 100644
--- a/misc/dtach/Makefile
+++ b/misc/dtach/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.6 2010/11/05 08:24:50 sthen Exp $
+# $OpenBSD: Makefile,v 1.7 2012/07/18 11:15:30 jasper Exp $
 COMMENT= tiny program emulating the detach feature of screen
 DISTNAME= dtach-0.8
-REVISION= 0
+REVISION= 1
 CATEGORIES= misc
 HOMEPAGE= http://dtach.sourceforge.net/
diff --git a/misc/dtach/patches/patch-attach_c b/misc/dtach/patches/patch-attach_c
index c960e4fa7a4..4f3c2a6ad29 100644
--- a/misc/dtach/patches/patch-attach_c
+++ b/misc/dtach/patches/patch-attach_c
@@ -1,7 +1,14 @@
-$OpenBSD: patch-attach_c,v 1.1.1.1 2006/03/05 17:05:36 niallo Exp $
---- attach.c.orig Sun Feb 26 01:16:57 2006
-+++ attach.c Sun Feb 26 01:17:00 2006
-@@ -59,7 +59,7 @@ connect_socket(char *name)
+$OpenBSD: patch-attach_c,v 1.2 2012/07/18 11:15:30 jasper Exp $
+
+Last chunk:
+Security fix for CVE-2012-3368
+Memory portion (random stack data) disclosure to the client by unclean client disconnect
+
+Patch from upstream CVS.
+
+--- attach.c.orig Thu Jan 31 06:59:54 2008
++++ attach.c Wed Jul 18 13:13:39 2012
+@@ -56,7 +56,7 @@ connect_socket(char *name)
 if (s < 0)
 return -1;
 sockun.sun_family = AF_UNIX;
@@ -10,3 +17,21 @@ $OpenBSD: patch-attach_c,v 1.1.1.1 2006/03/05 17:05:36 niallo Exp $
 if (connect(s, (struct sockaddr*)&sockun, sizeof(sockun)) < 0)
 {
 close(s);
+@@ -237,12 +237,15 @@ attach_main(int noerror)
+ /* stdin activity */
+ if (n > 0 && FD_ISSET(0, &readfds))
+ {
++ ssize_t len;
++
+ pkt.type = MSG_PUSH;
+ memset(pkt.u.buf, 0, sizeof(pkt.u.buf));
+- pkt.len = read(0, pkt.u.buf, sizeof(pkt.u.buf));
++ len = read(0, pkt.u.buf, sizeof(pkt.u.buf));
+
+- if (pkt.len <= 0)
++ if (len <= 0)
+ exit(1);
++ pkt.len = len;
+ process_kbd(s, &pkt);
+ n--;
+ }
diff --git a/misc/dtach/patches/patch-master_c b/misc/dtach/patches/patch-master_c
index cb92efbbed0..225ff84db9d 100644
--- a/misc/dtach/patches/patch-master_c
+++ b/misc/dtach/patches/patch-master_c
@@ -1,6 +1,13 @@
-$OpenBSD: patch-master_c,v 1.1.1.1 2006/03/05 17:05:36 niallo Exp $
---- master.c.orig Sun Jul 4 17:07:03 2004
-+++ master.c Sun Feb 26 01:19:14 2006
+$OpenBSD: patch-master_c,v 1.2 2012/07/18 11:15:30 jasper Exp $
+
+Last chunk:
+Security fix for CVE-2012-3368
+Memory portion (random stack data) disclosure to the client by unclean client disconnect
+
+Patch from upstream CVS.
+
+--- master.c.orig Thu Jan 31 06:59:54 2008
++++ master.c Wed Jul 18 13:14:08 2012
 @@ -17,6 +17,7 @@
 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */
@@ -9,7 +16,7 @@ $OpenBSD: patch-master_c,v 1.1.1.1 2006/03/05 17:05:36 niallo Exp $
 /* The pty struct - The pty information is stored here. */
 struct pty
-@@ -124,7 +125,7 @@ create_socket(char *name)
+@@ -189,7 +190,7 @@ create_socket(char *name)
 if (s < 0)
 return -1;
 sockun.sun_family = AF_UNIX;
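Review bot: In the attach_main hunk of patch-attach_c, the new `ssize_t len` temporary carries no comment explaining why the result of read() may no longer be stored straight into `pkt.len`, although that is the whole point of the fix. The declaration of `pkt.len` is outside the hunk; presumably it is a narrow or unsigned field, so a -1 from read() never satisfied the old `pkt.len <= 0` test and was sent on as a length. I would add above the read: `/* Keep read()'s result signed: test for error/EOF before narrowing into pkt.len. */`. Separately, `exit(1)` still treats every read() failure as fatal, including an interrupted call, which is worth confirming as intended. attach_main's body starts and ends outside the hunk.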
@@ -18,3 +25,15 @@ $OpenBSD: patch-master_c,v 1.1.1.1 2006/03/05 17:05:36 niallo Exp $
 if (bind(s, (struct sockaddr*)&sockun, sizeof(sockun)) < 0)
 {
 close(s);
+@@ -351,7 +352,10 @@ client_activity(struct client *p)
+
+ /* Push out data to the program. */
+ if (pkt.type == MSG_PUSH)
+- write(the_pty.fd, pkt.u.buf, pkt.len);
++ {
++ if (pkt.len <= sizeof(pkt.u.buf))
++ write(the_pty.fd, pkt.u.buf, pkt.len);
++ }
+
+ /* Attach or detach from the program. */
+ else if (pkt.type == MSG_ATTACH)
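Review bot: In the client_activity hunk of patch-master_c, a MSG_PUSH packet whose `pkt.len` exceeds `sizeof(pkt.u.buf)` is now dropped silently, so a client that sends a malformed length stays connected and leaves no trace. This check is the server-side boundary for data arriving from the socket, so consider treating an oversized length as a protocol error (log it or drop the client) rather than ignoring it; how this function disconnects a client is outside the hunk. The added braces are also load-bearing, because without them the following `else if (pkt.type == MSG_ATTACH)` would pair with the length test; a comment such as `/* Never write more than the packet buffer holds; braces keep the else-if bound to the type test. */` would protect that. The return value of write() is still ignored.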