Fix an Apple specific buffer overflow. To skip the first argument from
Finder, some copying to and from a local buffer in main is done, without argument checking. When a web browser or MUA is configured to start Blender automatically, this might be exploitable to gain priviledges of the current user. This is related to CVE-2005-3151.
This commit is contained in:
parent
d9fe9c312f
commit
a90eff9301
3 changed files with 18 additions and 2 deletions
|
@ -1,6 +1,7 @@
|
|||
# $NetBSD: Makefile,v 1.51 2006/02/12 21:32:38 jschauma Exp $
|
||||
# $NetBSD: Makefile,v 1.52 2006/02/12 21:52:18 joerg Exp $
|
||||
|
||||
DISTNAME= blender-2.41
|
||||
PKGREVISION= 1
|
||||
CATEGORIES= graphics
|
||||
MASTER_SITES= ftp://ftp.cs.umn.edu/pub/blender.org/source/ \
|
||||
http://download.blender.org/source/
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
$NetBSD: distinfo,v 1.19 2006/02/10 20:34:25 adam Exp $
|
||||
$NetBSD: distinfo,v 1.20 2006/02/12 21:52:18 joerg Exp $
|
||||
|
||||
SHA1 (blender-2.41.tar.gz) = 839dfece3b6efbf10694ac535d88e3745c3253ec
|
||||
RMD160 (blender-2.41.tar.gz) = 7857eac2acda18ee24db4bb147bcf780025e2c12
|
||||
Size (blender-2.41.tar.gz) = 9464385 bytes
|
||||
SHA1 (patch-aa) = 21dd95ff4ab51bb9b1084f28e4e080ca38421bce
|
||||
SHA1 (patch-ab) = 3c8b57b1aac2aba141d8392ce8e9c7759febd68f
|
||||
SHA1 (patch-ac) = dcfa14519404915a69bd626c8a5a6029d2535ca2
|
||||
SHA1 (patch-ae) = 4d9fdef4141445534e0fb476d9e14b42fcaf29d7
|
||||
|
|
14
graphics/blender/patches/patch-aa
Normal file
14
graphics/blender/patches/patch-aa
Normal file
|
@ -0,0 +1,14 @@
|
|||
$NetBSD: patch-aa,v 1.5 2006/02/12 21:52:19 joerg Exp $
|
||||
|
||||
--- intern/ghost/intern/GHOST_SystemCarbon.cpp.orig 2006-02-12 22:17:07.000000000 +0100
|
||||
+++ intern/ghost/intern/GHOST_SystemCarbon.cpp
|
||||
@@ -527,7 +527,8 @@ static char g_firstFileBuf[512];
|
||||
|
||||
extern "C" int GHOST_HACK_getFirstFile(char buf[512]) {
|
||||
if (g_hasFirstFile) {
|
||||
- strcpy(buf, g_firstFileBuf);
|
||||
+ strncpy(buf, g_firstFileBuf, sizeof(buf) - 1);
|
||||
+ buf[sizeof(buf) - 1] = '\0';
|
||||
return 1;
|
||||
} else {
|
||||
return 0;
|
Loading…
Reference in a new issue