File silc-toolkit-1.1.10-security.patch of Package silc-toolkit
commit 25a6a61ecf6561bdb00e289175989e28d0fb26bb
Author: kp@valhallalegends.com <kp@valhallalegends.com>
Date: Sat May 31 16:37:45 2008 -0500
ASN1: Fix stack variable overwrite when encoding OID. The call to sscanf specifies a format string of "%lu", a long unsigned int. The pointer argument was cast to unsigned long *, but this is wrong for 64 bit systems. On 64 bit systems, unsigned long is 64 bits, but the oid value is a SilcUInt32 on all systems. As a result, sscanf will overwrite a neighboring variable on the stack. Fix this by changing the format string to "%u" and removing the cast.
commit 9c93e2c6df752c32bcb64335b418523aae331715
Author: Pekka Riikonen <priikone@silcnet.org>
Date: Fri Jul 31 22:32:57 2009 +0300
Fixed string format vulnerability in client entry handling. Reported and patch provided by William Cummings.
commit a785cba501a940921d215c18bc410a53bf1b12e8
Author: Pekka Riikonen <priikone@silcnet.org>
Date: Fri Aug 7 14:48:46 2009 +0300
More string format fixes in silcd and client libary
commit f9acb085b819a7d0c6b3e9f40bc78f26bc2d429b
Author: kp@valhallalegends.com <kp@valhallalegends.com>
Date: Fri Dec 12 21:38:54 2008 -0600
HTTP: fix stack overwrite due to format string error. On AMD64, %lu refers to a 64-bit unsigned value, but the address passed to sscanf points to a 32-bit unsigned value. This causes an adjoining value on the stack to be overwritten with data from the converted integer. Fix the format string to match the size of the supplied value, and remove the pointer cast.
================================================================================
--- silc-toolkit-1.1.7/lib/silcasn1/silcasn1_encode.c
+++ silc-toolkit-1.1.7/lib/silcasn1/silcasn1_encode.c
@@ -351,7 +351,7 @@
 /* Get OID words from the string */
 cp = strchr(oidstr, '.');
 while (cp) {
- if (sscanf(oidstr, "%lu", (unsigned long *)&oid) != 1) {
+ if (sscanf(oidstr, "%u", &oid) != 1) {
 SILC_LOG_DEBUG(("Malformed OID string"));
 goto fail;
 }
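Review bot: In both OID hunks of silcasn1_encode.c (`@@ -351` and `@@ -362`) the new `sscanf(oidstr, "%u", &oid)` still cannot tell an out-of-range arc from a valid one: the C standard leaves the result undefined when the converted value does not fit, and `%u` also accepts a leading sign, so an arc such as `-1` or one above 2^32-1 may be encoded as a different OID instead of reaching the `Malformed OID string` branch. A strict parse closes that gap, e.g. `errno = 0; v = strtoul(oidstr, &end, 10);` followed by `if (end == oidstr || errno == ERANGE || v > 0xffffffffUL) goto fail;` with `v` an `unsigned long`, plus a check that the first character is a digit. `%u` is also only correct if SilcUInt32 is `unsigned int` on every supported target, which the hunks do not show; the surrounding function starts and ends outside both hunks.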
@@ -362,7 +362,7 @@
 cp = strchr(oidstr, '.');
 if (!cp) {
- if (sscanf(oidstr, "%lu", (unsigned long *)&oid) != 1) {
+ if (sscanf(oidstr, "%u", &oid) != 1) {
 SILC_LOG_DEBUG(("Malformed OID string"));
 goto fail;
 }
--- silc-toolkit-1.1.7/lib/silcclient/client_entry.c
+++ silc-toolkit-1.1.7/lib/silcclient/client_entry.c
@@ -800,10 +800,10 @@
 client_entry->server, sizeof(client_entry->server));
 if (nickname && client->internal->params->full_nicknames)
 silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
- nickname);
+ "%s", nickname);
 else if (nickname)
 silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
- parsed);
+ "%s", parsed);
 silc_parse_userfqdn(username, client_entry->username, sizeof(client_entry->username),
@@ -890,10 +890,10 @@
 client_entry->server, sizeof(client_entry->server));
 if (client->internal->params->full_nicknames)
 silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
- nickname);
+ "%s", nickname);
 else
 silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
- parsed);
+ "%s", parsed);
 /* Normalize nickname */
 nick = silc_identifier_check(parsed, strlen(parsed),
@@ -1186,7 +1186,7 @@
 return NULL;
 silc_snprintf(client_entry->nickname, sizeof(client_entry->nickname),
- cp);
+ "%s", cp);
 silc_free(cp);
 }
--- silc-toolkit-1.1.7/lib/silcclient/command.c
+++ silc-toolkit-1.1.7/lib/silcclient/command.c
@@ -955,7 +955,7 @@
 }
 if (client->internal->params->full_channel_names)
- silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+ silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
 else
 silc_snprintf(tmp, sizeof(tmp), "%s%s%s", conn->current_channel->channel_name,
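Review bot: The nine `silc_snprintf` call sites fixed in the three client_entry.c hunks and the four command.c hunks were found by hand across two commits, and nothing in the patch keeps the next non-literal format string from slipping in. If the `silc_snprintf` prototype does not already carry it, adding `__attribute__((format(printf, 3, 4)))` under a GCC/Clang guard and building with `-Wformat -Wformat-security` would make the compiler flag any remaining call that passes a nickname or channel name as the format argument. Separately, the return value is ignored at every site, so a value longer than `client_entry->nickname` or `tmp` is presumably truncated silently; whether that matters depends on code outside these hunks.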
@@ -2143,7 +2143,7 @@
 }
 if (client->internal->params->full_channel_names)
- silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+ silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
 else
 silc_snprintf(tmp, sizeof(tmp), "%s%s%s", conn->current_channel->channel_name,
@@ -2553,7 +2553,7 @@
 }
 if (client->internal->params->full_channel_names)
- silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+ silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
 else
 silc_snprintf(tmp, sizeof(tmp), "%s%s%s", conn->current_channel->channel_name,
@@ -2620,7 +2620,7 @@
 }
 if (conn->client->internal->params->full_channel_names)
- silc_snprintf(tmp, sizeof(tmp), conn->current_channel->channel_name);
+ silc_snprintf(tmp, sizeof(tmp), "%s", conn->current_channel->channel_name);
 else
 silc_snprintf(tmp, sizeof(tmp), "%s%s%s", conn->current_channel->channel_name,
--- silc-toolkit-1.1.7/lib/silchttp/silchttpserver.c
+++ silc-toolkit-1.1.7/lib/silchttp/silchttpserver.c
@@ -194,7 +194,7 @@
 /* Check we have received all data */
 cl = silc_mime_get_field(conn->curheaders, "Content-Length");
- if (cl && sscanf(cl, "%lu", (unsigned long *)&cll) == 1) {
+ if (cl && sscanf(cl, "%u", &cll) == 1) {
 if (data_len < cll) {
 /* More data to come */
 silc_mime_free(conn->curheaders);
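Review bot: In the silchttpserver.c hunk, `sscanf(cl, "%u", &cll)` parses a peer-supplied Content-Length leniently: it accepts leading whitespace and a sign, stops at the first non-digit without complaint, and gives an undefined result when the number does not fit, so values like `-1`, `12abc` or a 20-digit length are not rejected. When the conversion fails outright the whole `if` is skipped and the request appears to proceed as if no length had been given (the rest of the function is outside the hunk, so this is inferred). A strict parse would be safer, for example `errno = 0; v = strtoul(cl, &end, 10);` then `if (!isdigit((unsigned char)cl[0]) || *end != '\0' || errno == ERANGE || v > 0xffffffffUL)` leading into the function's existing error path.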