NetBSD Problem Report #46519
From www@NetBSD.org Sat Jun 2 15:16:25 2012
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id 4E1A163BEE1
for <gnats-bugs@gnats.NetBSD.org>; Sat, 2 Jun 2012 15:16:25 +0000 (UTC)
Message-Id: <20120602151623.D2B8A63B89C@www.NetBSD.org>
Date: Sat, 2 Jun 2012 15:16:23 +0000 (UTC)
From: wenheping@gmail.com
Reply-To: wenheping@gmail.com
To: gnats-bugs@NetBSD.org
Subject: [Patch]sysutils/ups-nut: a security patch for CVE-2012-2944
X-Send-Pr-Version: www-1.0
>Number: 46519
>Category: pkg
>Synopsis: [Patch]sysutils/ups-nut: a security patch for CVE-2012-2944
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: pkg-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Jun 02 15:20:01 +0000 2012
>Closed-Date: Sun Feb 17 01:56:34 +0000 2013
>Last-Modified: Sun Feb 17 01:56:34 +0000 2013
>Originator: wen heping
>Release: NetBSD-5.1.2
>Organization:
netbsd
>Environment:
>Description:
apply a patch from upstream to fix CVE-2012-2944:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2944
>How-To-Repeat:
>Fix:
Index: Makefile.common
===================================================================
RCS file: /cvsroot/pkgsrc/sysutils/ups-nut/Makefile.common,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile.common
--- Makefile.common 29 Jul 2011 15:11:40 -0000 1.3
+++ Makefile.common 2 Jun 2012 15:09:46 -0000
@@ -6,6 +6,7 @@
# used by sysutils/p5-ups-nut/Makefile
DISTNAME= nut-2.6.1
+PKGREVISION= 1
CATEGORIES= sysutils
MASTER_SITES= http://www.networkupstools.org/source/2.6/
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/sysutils/ups-nut/distinfo,v
retrieving revision 1.27
diff -u -p -r1.27 distinfo
--- distinfo 29 Jul 2011 15:11:40 -0000 1.27
+++ distinfo 2 Jun 2012 15:09:46 -0000
@@ -6,3 +6,4 @@ Size (nut-2.6.1.tar.gz) = 1776645 bytes
SHA1 (patch-aa) = 53825abe2f7c6f5285a73edd5e990518bb8d0c84
SHA1 (patch-ab) = 2321e8c5a53c0a6fb2e227b4a5ffc2793641f7bf
SHA1 (patch-ac) = d0f31a48d35c66f5c0405b4a40799769ed0930f6
+SHA1 (patch-ad) = 429f6c04ebbd1a1e6f16243f551def4bcb393493
Index: patches/patch-ad
===================================================================
RCS file: patches/patch-ad
diff -N patches/patch-ad
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-ad 2 Jun 2012 15:09:46 -0000
@@ -0,0 +1,17 @@
+$NetBSD$
+
+--- common/parseconf.c.orig 2012-06-02 22:51:52.000000000 +0000
++++ common/parseconf.c
+@@ -171,6 +171,12 @@ static void addchar(PCONF_CTX_t *ctx)
+
+ wbuflen = strlen(ctx->wordbuf);
+
++ /* CVE-2012-2944: only allow the subset Ascii charset from Space to ~ */
++ if ((ctx->ch < 0x20) || (ctx->ch > 0x7f)) {
++ fprintf(stderr, "addchar: discarding invalid character (0x%02x)!\n",ctx->ch);
++ return;
++ }
++
+ if (ctx->wordlen_limit != 0) {
+ if (wbuflen >= ctx->wordlen_limit) {
+
>Release-Note:
>Audit-Trail:
From: "OBATA Akio" <obache@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/46519: [Patch]sysutils/ups-nut: a security patch for
CVE-2012-2944
Date: Sun, 03 Jun 2012 21:48:06 +0900
On Sun, 03 Jun 2012 00:20:01 +0900, <wenheping@gmail.com> wrote:
> Index: Makefile.common
> ===================================================================
> RCS file: /cvsroot/pkgsrc/sysutils/ups-nut/Makefile.common,v
> retrieving revision 1.3
> diff -u -p -r1.3 Makefile.common
> --- Makefile.common 29 Jul 2011 15:11:40 -0000 1.3
> +++ Makefile.common 2 Jun 2012 15:09:46 -0000
> @@ -6,6 +6,7 @@
> # used by sysutils/p5-ups-nut/Makefile
> DISTNAME= nut-2.6.1
> +PKGREVISION= 1
> CATEGORIES= sysutils
> MASTER_SITES= http://www.networkupstools.org/source/2.6/
Please not put PKGREVISION in Makefile.common.
It may be bumped separately for each sub packages.
> RCS file: patches/patch-ad
> diff -N patches/patch-ad
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-ad 2 Jun 2012 15:09:46 -0000
Please use new patch name scheme (patch-common_parseconf.c).
For PKGREVISION, patched files is common file, I don't know which sub
packages are using the code.
How about simply update to 2.6.4, it contains the fix?
--
OBATA Akio / obache@NetBSD.org
From: wen heping <wenheping@gmail.com>
To: gnats-bugs@netbsd.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, pkgsrc-bugs@netbsd.org
Subject: Re: pkg/46519: [Patch]sysutils/ups-nut: a security patch for CVE-2012-2944
Date: Sun, 3 Jun 2012 21:13:24 +0800
--20cf3071cc4ab50fc004c1912ec0
Content-Type: text/plain; charset=UTF-8
2012/6/3 OBATA Akio <obache@netbsd.org>
> The following reply was made to PR pkg/46519; it has been noted by GNATS.
>
> From: "OBATA Akio" <obache@netbsd.org>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: Re: pkg/46519: [Patch]sysutils/ups-nut: a security patch for
> CVE-2012-2944
> Date: Sun, 03 Jun 2012 21:48:06 +0900
>
> On Sun, 03 Jun 2012 00:20:01 +0900, <wenheping@gmail.com> wrote:
>
> > Index: Makefile.common
> > ===================================================================
> > RCS file: /cvsroot/pkgsrc/sysutils/ups-nut/Makefile.common,v
> > retrieving revision 1.3
> > diff -u -p -r1.3 Makefile.common
> > --- Makefile.common 29 Jul 2011 15:11:40 -0000 1.3
> > +++ Makefile.common 2 Jun 2012 15:09:46 -0000
> > @@ -6,6 +6,7 @@
> > # used by sysutils/p5-ups-nut/Makefile
> > DISTNAME= nut-2.6.1
> > +PKGREVISION= 1
> > CATEGORIES= sysutils
> > MASTER_SITES= http://www.networkupstools.org/source/2.6/
>
> Please not put PKGREVISION in Makefile.common.
> It may be bumped separately for each sub packages.
>
> > RCS file: patches/patch-ad
> > diff -N patches/patch-ad
> > --- /dev/null 1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-ad 2 Jun 2012 15:09:46 -0000
>
> Please use new patch name scheme (patch-common_parseconf.c).
>
> For PKGREVISION, patched files is common file, I don't know which sub
> packages are using the code.
> How about simply update to 2.6.4, it contains the fix?
>
Update to 2.6.4 is a better way but it need more work.
I would try it later.
wen
>
> --
> OBATA Akio / obache@NetBSD.org
>
>
--20cf3071cc4ab50fc004c1912ec0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<br><br><div class=3D"gmail_quote">2012/6/3 OBATA Akio <span dir=3D"ltr">&l=
t;<a href=3D"mailto:obache@netbsd.org" target=3D"_blank">obache@netbsd.org<=
/a>></span><br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .=
8ex;border-left:1px #ccc solid;padding-left:1ex">
The following reply was made to PR pkg/46519; it has been noted by GNATS.<b=
r>
<br>
From: "OBATA Akio" <<a href=3D"mailto:obache@netbsd.org">obach=
e@netbsd.org</a>><br>
To: <a href=3D"mailto:gnats-bugs@netbsd.org">gnats-bugs@netbsd.org</a><br>
Cc:<br>
Subject: Re: pkg/46519: [Patch]sysutils/ups-nut: a security patch for<br>
=C2=A0CVE-2012-2944<br>
Date: Sun, 03 Jun 2012 21:48:06 +0900<br>
<div class=3D"im"><br>
=C2=A0On Sun, 03 Jun 2012 00:20:01 +0900, <<a href=3D"mailto:wenheping@g=
mail.com">wenheping@gmail.com</a>> wrote:<br>
<br>
=C2=A0> Index: Makefile.common<br>
=C2=A0> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
=C2=A0> RCS file: /cvsroot/pkgsrc/sysutils/ups-nut/Makefile.common,v<br>
=C2=A0> retrieving revision 1.3<br>
=C2=A0> diff -u -p -r1.3 Makefile.common<br>
=C2=A0> --- Makefile.common =C2=A029 Jul 2011 15:11:40 -0000 =C2=A0 =C2=
=A0 =C2=A01.3<br>
=C2=A0> +++ Makefile.common =C2=A02 Jun 2012 15:09:46 -0000<br>
=C2=A0> @@ -6,6 +6,7 @@<br>
=C2=A0> =C2=A0# used by sysutils/p5-ups-nut/Makefile<br>
=C2=A0> DISTNAME=3D =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0nut-2.6.1<b=
r>
=C2=A0> +PKGREVISION=3D =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0=
=C2=A01<br>
=C2=A0> =C2=A0CATEGORIES=3D =C2=A0 =C2=A0 =C2=A0 =C2=A0 sysutils<br>
=C2=A0> =C2=A0MASTER_SITES=3D =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =
=C2=A0 <a href=3D"http://www.networkupstools.org/source/2.6/" target=3D"_bl=
ank">http://www.networkupstools.org/source/2.6/</a><br>
<br>
</div>=C2=A0Please not put PKGREVISION in Makefile.common.<br>
=C2=A0It may be bumped separately for each sub packages.<br>
<div class=3D"im"><br>
=C2=A0> RCS file: patches/patch-ad<br>
=C2=A0> diff -N patches/patch-ad<br>
=C2=A0> --- /dev/null =C2=A0 =C2=A0 =C2=A0 =C2=A01 Jan 1970 00:00:00 -00=
00<br>
=C2=A0> +++ patches/patch-ad 2 Jun 2012 15:09:46 -0000<br>
<br>
</div>=C2=A0Please use new patch name scheme (patch-common_parseconf.c).<br=
>
<br>
=C2=A0For PKGREVISION, patched files is common file, I don't know which=
sub<br>
=C2=A0packages are using the code.<br>
=C2=A0How about simply update to 2.6.4, it contains the fix?<br></blockquot=
e><div><br></div><div>Update to 2.6.4 is a better way but it need more work=
.</div><div>I would try it later.</div><div><br></div><div>wen</div><div>=
=C2=A0</div>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
<br>
=C2=A0--<br>
=C2=A0OBATA Akio / obache@NetBSD.org<br>
<br>
</blockquote></div><br>
--20cf3071cc4ab50fc004c1912ec0--
State-Changed-From-To: open->closed
State-Changed-By: obache@NetBSD.org
State-Changed-When: Sun, 17 Feb 2013 01:56:34 +0000
State-Changed-Why:
updated to 2.6.5.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.36 2007/11/24 03:27:39 kano Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home