[pacman-dev] small libdownload patch
Hi, I've found a small compatibility problem and static checking a minor buffer overflow in libdownload. Please excuse if this should already be fixed in git. Here's the patch, <stdint.h> is included for uintptr_t and fscanf writes a trailing \0, therefore requiring 1025 bytes in the worst case: diff -Naurd libdownload-1.3/common.c libdownload-1.3-mod/common.c --- libdownload-1.3/common.c Thu May 24 04:30:59 2007 +++ libdownload-1.3-mod/common.c Mon Nov 10 18:51:23 2008 @@ -42,6 +42,7 @@ #include <netdb.h> #include <pwd.h> #include <stdarg.h> +#include <stdint.h> #include <stdlib.h> #include <stdio.h> #include <string.h> @@ -634,7 +635,7 @@ { static char word[1024]; - if (fscanf(f, " %1024s ", word) != 1) + if (fscanf(f, " %1023s ", word) != 1) return (NULL); return (word); } kind regards Johannes
On Mon, Nov 10, 2008 at 12:24 PM, Johannes Krampf <Johannes.Krampf@htw-dresden.de> wrote:
Hi,
I've found a small compatibility problem and static checking a minor buffer overflow in libdownload. Please excuse if this should already be fixed in git.
Here's the patch, <stdint.h> is included for uintptr_t and fscanf writes a trailing \0, therefore requiring 1025 bytes in the worst case:
Just an FYI, NetBSD's libfetch code compiles on linux with a minor modification. So I think we're planning on switching to that. In fact, I will try to get a libfetch package in the wild tonight. I know Xavier did some work with the pacman code to see if it'd work. Any status on this?
On Mon, Nov 10, 2008 at 7:35 PM, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Mon, Nov 10, 2008 at 12:24 PM, Johannes Krampf <Johannes.Krampf@htw-dresden.de> wrote:
Hi,
I've found a small compatibility problem and static checking a minor buffer overflow in libdownload. Please excuse if this should already be fixed in git.
Here's the patch, <stdint.h> is included for uintptr_t and fscanf writes a trailing \0, therefore requiring 1025 bytes in the worst case:
Just an FYI, NetBSD's libfetch code compiles on linux with a minor modification. So I think we're planning on switching to that.
In fact, I will try to get a libfetch package in the wild tonight. I know Xavier did some work with the pacman code to see if it'd work. Any status on this?
Unfortunately nothing at all since our last mail exchange, I am too busy with work :P
On Mon, Nov 10, 2008 at 20:35, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Mon, Nov 10, 2008 at 12:24 PM, Johannes Krampf <Johannes.Krampf@htw-dresden.de> wrote:
Hi,
I've found a small compatibility problem and static checking a minor buffer overflow in libdownload. Please excuse if this should already be fixed in git.
Here's the patch, <stdint.h> is included for uintptr_t and fscanf writes a trailing \0, therefore requiring 1025 bytes in the worst case:
Just an FYI, NetBSD's libfetch code compiles on linux with a minor modification. So I think we're planning on switching to that.
...and that bug is fixed there long before in FreeBSD's libfetch. Thanks for info, Aaron! I wasn't aware that NetBSD has their own libfetch. Looks like NetBSD's libfetch was heavily reworked in some places, including some new features added. The only thing it's missing from FreeBSD's lbfetch is support for HTTP 1.1 If-Modified-Since behavior (which was only added less than 2 weeks ago). There's one Linux-compatability fix after 2.20: http://cvsweb.se.netbsd.org/cgi-bin/bsdweb.cgi/pkgsrc/net/libfetch/files/ftp... Not sure if it's important enough for us though. -- Roman Kyrylych (Роман Кирилич)
On Sat, Dec 27, 2008 at 8:58 AM, Roman Kyrylych <roman.kyrylych@gmail.com> wrote:
...and that bug is fixed there long before in FreeBSD's libfetch. Thanks for info, Aaron! I wasn't aware that NetBSD has their own libfetch. Looks like NetBSD's libfetch was heavily reworked in some places, including some new features added.
Indeed NetBSD's libfetch looked pretty good last time I checked.
The only thing it's missing from FreeBSD's lbfetch is support for HTTP 1.1 If-Modified-Since behavior (which was only added less than 2 weeks ago).
I believe they merge the changes from times to times, so it should be included eventually, we just need to be patient :)
There's one Linux-compatability fix after 2.20: http://cvsweb.se.netbsd.org/cgi-bin/bsdweb.cgi/pkgsrc/net/libfetch/files/ftp... Not sure if it's important enough for us though.
That is very cool, it is actually the only patch we needed : http://code.phraktured.net/?p=libfetch.git;a=shortlog;h=refs/heads/linux The only thing left is to provide a linux Makefile, which Aaron already did.
On Sat, Dec 27, 2008 at 5:15 AM, Xavier <shiningxc@gmail.com> wrote:
On Sat, Dec 27, 2008 at 8:58 AM, Roman Kyrylych <roman.kyrylych@gmail.com> wrote:
...and that bug is fixed there long before in FreeBSD's libfetch. Thanks for info, Aaron! I wasn't aware that NetBSD has their own libfetch. Looks like NetBSD's libfetch was heavily reworked in some places, including some new features added.
Indeed NetBSD's libfetch looked pretty good last time I checked.
The only thing it's missing from FreeBSD's lbfetch is support for HTTP 1.1 If-Modified-Since behavior (which was only added less than 2 weeks ago).
I believe they merge the changes from times to times, so it should be included eventually, we just need to be patient :)
There's one Linux-compatability fix after 2.20: http://cvsweb.se.netbsd.org/cgi-bin/bsdweb.cgi/pkgsrc/net/libfetch/files/ftp... Not sure if it's important enough for us though.
That is very cool, it is actually the only patch we needed : http://code.phraktured.net/?p=libfetch.git;a=shortlog;h=refs/heads/linux The only thing left is to provide a linux Makefile, which Aaron already did.
Actually, that patch isn't even needed if we build with CFLAGS="-D_GNU_SOURCE". It still should be merged upstream though, I'll poke the maintainer at some point.
On Mon, Dec 29, 2008 at 8:45 PM, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Sat, Dec 27, 2008 at 5:15 AM, Xavier <shiningxc@gmail.com> wrote:
On Sat, Dec 27, 2008 at 8:58 AM, Roman Kyrylych <roman.kyrylych@gmail.com> wrote:
...and that bug is fixed there long before in FreeBSD's libfetch. Thanks for info, Aaron! I wasn't aware that NetBSD has their own libfetch. Looks like NetBSD's libfetch was heavily reworked in some places, including some new features added.
Indeed NetBSD's libfetch looked pretty good last time I checked.
The only thing it's missing from FreeBSD's lbfetch is support for HTTP 1.1 If-Modified-Since behavior (which was only added less than 2 weeks ago).
I believe they merge the changes from times to times, so it should be included eventually, we just need to be patient :)
There's one Linux-compatability fix after 2.20: http://cvsweb.se.netbsd.org/cgi-bin/bsdweb.cgi/pkgsrc/net/libfetch/files/ftp... Not sure if it's important enough for us though.
That is very cool, it is actually the only patch we needed : http://code.phraktured.net/?p=libfetch.git;a=shortlog;h=refs/heads/linux The only thing left is to provide a linux Makefile, which Aaron already did.
Actually, that patch isn't even needed if we build with CFLAGS="-D_GNU_SOURCE". It still should be merged upstream though, I'll poke the maintainer at some point.
Maybe my sentence was a bit confusing. What Roman just showed is that this patch was just merged in netbsd upstream.
On Mon, Dec 29, 2008 at 4:40 PM, Xavier <shiningxc@gmail.com> wrote:
On Mon, Dec 29, 2008 at 8:45 PM, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
On Sat, Dec 27, 2008 at 5:15 AM, Xavier <shiningxc@gmail.com> wrote:
On Sat, Dec 27, 2008 at 8:58 AM, Roman Kyrylych <roman.kyrylych@gmail.com> wrote:
...and that bug is fixed there long before in FreeBSD's libfetch. Thanks for info, Aaron! I wasn't aware that NetBSD has their own libfetch. Looks like NetBSD's libfetch was heavily reworked in some places, including some new features added.
Indeed NetBSD's libfetch looked pretty good last time I checked.
The only thing it's missing from FreeBSD's lbfetch is support for HTTP 1.1 If-Modified-Since behavior (which was only added less than 2 weeks ago).
I believe they merge the changes from times to times, so it should be included eventually, we just need to be patient :)
There's one Linux-compatability fix after 2.20: http://cvsweb.se.netbsd.org/cgi-bin/bsdweb.cgi/pkgsrc/net/libfetch/files/ftp... Not sure if it's important enough for us though.
That is very cool, it is actually the only patch we needed : http://code.phraktured.net/?p=libfetch.git;a=shortlog;h=refs/heads/linux The only thing left is to provide a linux Makefile, which Aaron already did.
Actually, that patch isn't even needed if we build with CFLAGS="-D_GNU_SOURCE". It still should be merged upstream though, I'll poke the maintainer at some point.
Maybe my sentence was a bit confusing. What Roman just showed is that this patch was just merged in netbsd upstream.
Ah my fault. I misread. I looked at the link and thought that was the _existing_ patch. At the time I sent the patch upstream, the define was in one file (http.c) but not the other (ftp.c). I just confused the two files 8) So now all we need is a makefile, which I have already. Yay
participants (4)
-
Aaron Griffin
-
Johannes Krampf
-
Roman Kyrylych
-
Xavier