Upgrade from 2.04 to 2.05. The author closed the recently discovered
security flaw, which was already fixed in FreeBSD. But the older tarball
is no longer available, hence the upgrade.
Mikhail Teterin 2004-07-09 15:57:33 +00:00
parent e9dffd30af
commit b7b95248da
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=113283
3 changed files with 3 additions and 43 deletions

@ -6,8 +6,7 @@
#
PORTNAME= rlpr
PORTVERSION= 2.04
PORTREVISION= 1
PORTVERSION= 2.05
CATEGORIES= print net
MASTER_SITES= ftp://www.truffula.com/pub/
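
Review bot: MASTER_SITES in the context of this hunk is a single plain-FTP URL, and the commit message says the 2.04 tarball has already disappeared from it. The fetch is unauthenticated, so the distinfo checksum is the only integrity check on rlpr-2.05.tar.gz, and there is no fallback if upstream rotates the file again; consider listing a second site. Dropping PORTREVISION together with the PORTVERSION bump is correct.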

@ -1,2 +1,2 @@
MD5 (rlpr-2.04.tar.gz) = d4560cad31b0f031796a260b6d6b7123
SIZE (rlpr-2.04.tar.gz) = 158637
MD5 (rlpr-2.05.tar.gz) = 64ee8ccd94aabc90b9f40d0b2ad79e79
SIZE (rlpr-2.05.tar.gz) = 222119
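
Review bot: the new entry records only MD5 and SIZE for rlpr-2.05.tar.gz, while SIZE goes from 158637 to 222119 for a release the commit message describes as a security fix. Add a stronger digest such as SHA256 next to the MD5 line, and state in the commit message how the new tarball was checked and what else changed upstream, since about 63 KB of growth is more than the msg.c fix alone would explain.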

@ -1,39 +0,0 @@
Don't allow the network obtained strings to be interpreted
as sprintf() format directives. See http://www.osvdb.org/7194
This fix is different from Debian's. It is better, because it
requires no extra work, when errno is zero, and saves syslog(3)
the hassle of handling %m, when it is.
-mi
--- src/msg.c Thu Sep 16 01:10:23 1999
+++ src/msg.c Thu Jun 24 17:14:13 2004
@@ -160,20 +160,14 @@
} else if (rlpr_msg->use_syslog) {
-
- /*
- * sigh. this really sucks, but what can we do: vsnprintf()
- * isn't yet standard enough to rely on. maybe if i can find
- * a portable implementation lying around somewhere i can make
- * a ../lib/vsnprintf.c
- */
-
char buf[BUFSIZ];
+ const char *_format;
- vsprintf(buf, _(format), ap);
-
- if (errno != 0)
- strcat(buf, ": %m");
+ if (errno != 0) {
+ snprintf(buf, sizeof buf, "%s: %s", _(format), strerror(errno));
+ _format = buf;
+ } else
+ _format = _(format);
- syslog(rlpr_msg->syslog_prio[level], buf);
+ vsyslog(rlpr_msg->syslog_prio[level], _format, ap);
} else {
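
Review bot: removing this local patch leaves the use_syslog branch of src/msg.c covered only by whatever 2.05 ships, and nothing in the commit shows that the upstream change closes the same call. Before dropping it, check the extracted 2.05 source for the pattern the patch replaced, vsprintf(buf, _(format), ap) followed by syslog(rlpr_msg->syslog_prio[level], buf), where the expanded message is reused as a format string and buf is written without a bound. If either call survives in 2.05, keep the patch and regenerate it against the new source. A line in the commit message naming the upstream fix would let the next reader confirm this without unpacking the tarball.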