Version bump for security #87019.

(Portage version: 2.0.51.19)

5 files changed, 150 insertions, 1 deletions

diff --git a/net-misc/telnet-bsd/ChangeLog b/net-misc/telnet-bsd/ChangeLog
index 2d54096c26e2..e99334b32055 100644
--- a/net-misc/telnet-bsd/ChangeLog
+++ b/net-misc/telnet-bsd/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for net-misc/telnet-bsd
 # Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/telnet-bsd/ChangeLog,v 1.12 2005/03/07 16:50:11 corsair Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/telnet-bsd/ChangeLog,v 1.13 2005/03/30 23:47:04 vapier Exp $
+
+*telnet-bsd-1.0-r1 (30 Mar 2005)
+
+  30 Mar 2005; Mike Frysinger <vapier@gentoo.org>
+  +files/telnet-bsd-1.0-overflow.patch, +files/telnetd.xinetd,
+  +telnet-bsd-1.0-r1.ebuild:
+  Version bump for security #87019.
 
   07 Mar 2005; Markus Rothe <corsair@gentoo.org> telnet-bsd-1.0.ebuild:
   Stable on ppc64
diff --git a/net-misc/telnet-bsd/files/digest-telnet-bsd-1.0-r1 b/net-misc/telnet-bsd/files/digest-telnet-bsd-1.0-r1
new file mode 100644
index 000000000000..5a17800e0e94
--- /dev/null
+++ b/net-misc/telnet-bsd/files/digest-telnet-bsd-1.0-r1
@@ -0,0 +1 @@
+MD5 bf0cecc0c72a0e919cd02915d02d02bb telnet-bsd-1.0.tar.bz2 173813
diff --git a/net-misc/telnet-bsd/files/telnet-bsd-1.0-overflow.patch b/net-misc/telnet-bsd/files/telnet-bsd-1.0-overflow.patch
new file mode 100644
index 000000000000..8f2042e11f6f
--- /dev/null
+++ b/net-misc/telnet-bsd/files/telnet-bsd-1.0-overflow.patch
@@ -0,0 +1,92 @@
+Patch adopted from upstream FreeBSD changes to fix client buffer overflows.
+
+http://bugs.gentoo.org/show_bug.cgi?id=87019
+
+--- telnet/telnet.c
++++ telnet/telnet.c
+@@ -1131,6 +1131,7 @@
+ 
+ 
+ unsigned char slc_reply[128];
++unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
+ unsigned char *slc_replyp;
+ 
+ 	void
+@@ -1146,6 +1147,14 @@
+ 	void
+ slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
+ {
++       /* A sequence of up to 6 bytes my be written for this member of the SLC
++        * suboption list by this function.  The end of negotiation command,
++        * which is written by slc_end_reply(), will require 2 additional
++        * bytes.  Do not proceed unless there is sufficient space for these
++        * items.
++        */
++	if (&slc_replyp[6+2] > slc_reply_eom)
++		return;
+ 	if ((*slc_replyp++ = func) == IAC)
+ 		*slc_replyp++ = IAC;
+ 	if ((*slc_replyp++ = flags) == IAC)
+@@ -1159,6 +1168,10 @@
+ {
+     int len;
+ 
++	/* The end of negotiation command requires 2 bytes. */
++	if (&slc_replyp[2] > slc_reply_eom)
++		return;
++
+     *slc_replyp++ = IAC;
+     *slc_replyp++ = SE;
+     len = slc_replyp - slc_reply;
+@@ -1236,8 +1249,8 @@
+ 	}
+ }
+ 
+-#define	OPT_REPLY_SIZE	256
+-unsigned char *opt_reply;
++#define	OPT_REPLY_SIZE	(2 * SUBBUFSIZE)
++unsigned char *opt_reply = NULL;
+ unsigned char *opt_replyp;
+ unsigned char *opt_replyend;
+ 
+@@ -1298,8 +1311,8 @@
+ 		return;
+ 	}
+ 	vp = env_getvalue(ep);
+-	if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+-				strlen((char *)ep) + 6 > opt_replyend)
++        if (opt_replyp + (vp ? 2 * strlen((char *)vp) : 0) +
++                                2 * strlen((char *)ep) + 6 > opt_replyend)
+ 	{
+ 		int len;
+ 		unsigned char *p;
+@@ -1323,6 +1336,8 @@
+ 		*opt_replyp++ = ENV_USERVAR;
+ 	for (;;) {
+ 		while ((c = *ep++)) {
++			if (opt_replyp + (2 + 2) > opt_replyend)
++				return;
+ 			switch(c&0xff) {
+ 			case IAC:
+ 				*opt_replyp++ = IAC;
+@@ -1337,6 +1352,8 @@
+ 			*opt_replyp++ = c;
+ 		}
+ 		if ((ep = vp)) {
++	                if (opt_replyp + (1 + 2 + 2) > opt_replyend)
++				return;
+ 		  *opt_replyp++ = ENV_VALUE;
+ 		  vp = NULL;
+ 		} else
+@@ -1361,7 +1378,10 @@
+ {
+ 	int len;
+ 
+-	len = opt_replyp - opt_reply + 2;
++	if (opt_replyp + 2 > opt_replyend)
++		return;
++	len = opt_replyp + 2 - opt_reply;
++
+ 	if (emptyok || len > 6) {
+ 		*opt_replyp++ = IAC;
+ 		*opt_replyp++ = SE;
diff --git a/net-misc/telnet-bsd/files/telnetd.xinetd b/net-misc/telnet-bsd/files/telnetd.xinetd
new file mode 100644
index 000000000000..63dd6dac9e7f
--- /dev/null
+++ b/net-misc/telnet-bsd/files/telnetd.xinetd
@@ -0,0 +1,10 @@
+service telnet
+{
+	flags           = REUSE
+	socket_type     = stream
+	wait            = no
+	user            = root
+	server          = /usr/sbin/in.telnetd
+	log_on_failure += USERID
+	disable         = yes
+}
diff --git a/net-misc/telnet-bsd/telnet-bsd-1.0-r1.ebuild b/net-misc/telnet-bsd/telnet-bsd-1.0-r1.ebuild
new file mode 100644
index 000000000000..452b376f948d
--- /dev/null
+++ b/net-misc/telnet-bsd/telnet-bsd-1.0-r1.ebuild
@@ -0,0 +1,39 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/telnet-bsd/telnet-bsd-1.0-r1.ebuild,v 1.1 2005/03/30 23:47:04 vapier Exp $
+
+inherit eutils
+
+DESCRIPTION="Telnet and telnetd ported from OpenBSD with IPv6 support"
+HOMEPAGE="ftp://ftp.suse.com/pub/people/kukuk/ipv6/"
+SRC_URI="ftp://ftp.suse.com/pub/people/kukuk/ipv6/${P}.tar.bz2"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ppc sparc x86 ppc64"
+IUSE="nls"
+
+DEPEND="!net-misc/netkit-telnetd"
+
+src_unpack() {
+	unpack ${A}
+	cd "${S}"
+	epatch "${FILESDIR}"/telnet-bsd_gentoo.diff.gz
+	epatch "${FILESDIR}"/${P}-overflow.patch #87019
+	sed -i \
+		-e 's:destdir=:destdir=$(DESTDIR):' \
+		po/Makefile.in.in \
+		|| die "sed failed"
+}
+
+src_compile() {
+	econf $(use_enable nls) || die
+	emake || die "emake failed"
+}
+
+src_install() {
+	make DESTDIR="${D}" install || die "make install failed"
+	insinto /etc/xinetd.d
+	newins "${FILESDIR}"/telnetd.xinetd telnetd
+	dodoc README THANKS NEWS AUTHORS ChangeLog INSTALL
+}