|
|
# --- ROCK-COPYRIGHT-NOTE-BEGIN ---# # This copyright note is auto-generated by ./scripts/Create-CopyPatch.# Please add additional copyright information _after_ the line containing# the ROCK-COPYRIGHT-NOTE-END tag. Otherwise it might get removed by# the ./scripts/Create-CopyPatch script. Do not edit this copyright text!# # ROCK Linux: rock-src/package/base/netkit-telnet/slc_add_reply.patch# ROCK Linux is Copyright (C) 1998 - 2006 Clifford Wolf# # This patch file is dual-licensed. It is available under the license the# patched project is licensed under, as long as it is an OpenSource license# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms# of the GNU General Public License as published by the Free Software# Foundation; either version 2 of the License, or (at your option) any later# version.# # --- ROCK-COPYRIGHT-NOTE-END ---
diff -Naur netkit-telnet-0.17.orig/telnet/telnet.cc netkit-telnet-0.17/telnet/telnet.cc
--- netkit-telnet-0.17.orig/telnet/telnet.cc 2000-07-23 04:24:53.000000000 +0100
+++ netkit-telnet-0.17/telnet/telnet.cc 2005-10-11 11:58:02.000000000 +0100
@@ -1050,6 +1050,7 @@
unsigned char slc_reply[128];+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
unsigned char *slc_replyp; void slc_start_reply(void) {@@ -1061,6 +1062,18 @@
} void slc_add_reply(int func, int flags, int value) {+ /* Fix security vulnerability
+ * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
+ *
+ * A sequence of up to 6 bytes my be written for this member of the
+ * SLC suboption list by this function. The end of negotiation
+ * command, which is written by slc_end_reply(), will require 2
+ * additional bytes. Do not proceed unless there is sufficient
+ * space for these items.
+ */
+ if (&slc_replyp[6+2] > slc_reply_eom)
+ return;
+
if ((*slc_replyp++ = func) == IAC) *slc_replyp++ = IAC; if ((*slc_replyp++ = flags) == IAC)
|
