git: cc0b41d49276 - main - security/kdbxviewer: Update to 0.1.11
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 06 Sep 2022 22:45:25 UTC
The branch main has been updated by eduardo: URL: https://cgit.FreeBSD.org/ports/commit/?id=cc0b41d49276447c1bbd052df4181829d44fe653 commit cc0b41d49276447c1bbd052df4181829d44fe653 Author: Robert Clausecker <fuz@fuz.su> AuthorDate: 2022-09-06 22:42:46 +0000 Commit: Nuno Teixeira <eduardo@FreeBSD.org> CommitDate: 2022-09-06 22:42:46 +0000 security/kdbxviewer: Update to 0.1.11 - patch two instances of undefined behaviour - patch a potential buffer overflow Changelog: https://github.com/pepa65/kdbxviewer/releases/tag/v0.1.11 PR: 266258 MFH: 2022Q3 --- security/kdbxviewer/Makefile | 2 +- security/kdbxviewer/distinfo | 6 ++--- security/kdbxviewer/files/patch-libcx9r_kdbx.c | 32 ++++++++++++++++++++++++++ security/kdbxviewer/files/patch-src_main.c | 29 +++++++++++++++++++++++ 4 files changed, 65 insertions(+), 4 deletions(-) diff --git a/security/kdbxviewer/Makefile b/security/kdbxviewer/Makefile index eaa700656279..02a1f0e6e973 100644 --- a/security/kdbxviewer/Makefile +++ b/security/kdbxviewer/Makefile @@ -1,5 +1,5 @@ PORTNAME= kdbxviewer -PORTVERSION= 0.1.10 +PORTVERSION= 0.1.11 DISTVERSIONPREFIX=v CATEGORIES= security diff --git a/security/kdbxviewer/distinfo b/security/kdbxviewer/distinfo index 98e9295e771f..a2b1cac88dec 100644 --- a/security/kdbxviewer/distinfo +++ b/security/kdbxviewer/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1635952892 -SHA256 (pepa65-kdbxviewer-v0.1.10_GH0.tar.gz) = 0ef77f637b34cb603634b7c2f8247fb5f38e12951961c8e2ae6b7dbf7858fc6d -SIZE (pepa65-kdbxviewer-v0.1.10_GH0.tar.gz) = 140203 +TIMESTAMP = 1662483072 +SHA256 (pepa65-kdbxviewer-v0.1.11_GH0.tar.gz) = de714ca964d637bcb83f591729fc2e9e6a1100d549278f4315129ec4ceb743d0 +SIZE (pepa65-kdbxviewer-v0.1.11_GH0.tar.gz) = 140203 diff --git a/security/kdbxviewer/files/patch-libcx9r_kdbx.c b/security/kdbxviewer/files/patch-libcx9r_kdbx.c new file mode 100644 index 000000000000..a09c9cc7fbe4 --- /dev/null +++ b/security/kdbxviewer/files/patch-libcx9r_kdbx.c @@ -0,0 +1,32 @@ +--- libcx9r/kdbx.c.orig 2022-09-06 17:07:27 UTC ++++ libcx9r/kdbx.c +@@ -112,22 +112,25 @@ static cx9r_err kdbx_read_magic(cx9r_stream_t *stream) + uint8_t const kdbx_magic[KDBX_MAGIC_LENGTH] = { 0x03, 0xd9, 0xa2, 0x9a, + 0x67, 0xfb, 0x4b, 0xb5 }; + DEBUG("Reading magic...\n"); +- uint8_t magic[KDBX_MAGIC_LENGTH]; ++ union { ++ uint8_t magic[KDBX_MAGIC_LENGTH]; ++ uint64_t joined; ++ } m; + + // default return value + cx9r_err err = CX9R_OK; + // read magic bytes +- CHECK((cx9r_sread(magic, 1, KDBX_MAGIC_LENGTH, stream) == KDBX_MAGIC_LENGTH), ++ CHECK((cx9r_sread(m.magic, 1, KDBX_MAGIC_LENGTH, stream) == KDBX_MAGIC_LENGTH), + err, CX9R_FILE_READ_ERR, kdbx_magic_bail); + DEBUG("Proper magic length\n"); + + // compare magic bytes to expected +- CHECK((memcmp(magic, kdbx_magic, KDBX_MAGIC_LENGTH) == 0), err, ++ CHECK((memcmp(m.magic, kdbx_magic, KDBX_MAGIC_LENGTH) == 0), err, + CX9R_BAD_MAGIC, kdbx_magic_bail); + DEBUG("Proper magic content\n"); + + kdbx_magic_bail: +-DEBUG("%016lX (%d)\n", *(uint64_t*)&magic, err); ++DEBUG("%016llX (%d)\n", (unsigned long long)m.joined, err); + return err; + } + diff --git a/security/kdbxviewer/files/patch-src_main.c b/security/kdbxviewer/files/patch-src_main.c new file mode 100644 index 000000000000..8ab02829a5de --- /dev/null +++ b/security/kdbxviewer/files/patch-src_main.c @@ -0,0 +1,29 @@ +--- src/main.c.orig 2022-09-06 17:00:52 UTC ++++ src/main.c +@@ -159,7 +159,7 @@ void print_key_table(cx9r_kt_group *g, int level) { + + // Process commandline + int main(int argc, char **argv) { +- long unsigned int len = PATHLEN, opt, flags = 0; ++ size_t len = PATHLEN, opt, flags = 0; + char *kdbxfilename = malloc(len), *filename = malloc(len), command = 0, + *password = NULL, *self = argv[0] + strlen(argv[0]), + *configfilename = strcat(getenv("HOME"), CONFIGFILENAME); +@@ -246,14 +246,14 @@ int main(int argc, char **argv) { + *filename = 0; + if ((configfile = fopen(configfilename, "r")) != NULL) + while (getline(&filename, &len, configfile) != -1) { +- *(filename+strlen(filename)-1) = 0; ++ filename[strcspn(filename, "\n")] = '\0'; + // Check the latest found file +- if ((kdbxfile = fopen(filename, "r")) != NULL) strcpy(kdbxfilename, filename); ++ if ((kdbxfile = fopen(filename, "r")) != NULL) kdbxfilename = strdup(filename); + *filename = 0; + } + if (*kdbxfilename == 0) + abort(-7, "No database specified on commandline or in configfile\n"); +- else strcpy(filename, kdbxfilename); ++ else filename = strdup(kdbxfilename); + } + + // Set default mode depending on search