Wed Aug 21 19:40:13 2013 UTC ()

Pullup ticket #4216 - requested by drochner
security/putty: security update

Revisions pulled up:
- security/putty/Makefile                                       1.34-1.35
- security/putty/distinfo                                       1.14-1.15
- security/putty/patches/patch-CVE-2013-4852-1                  deleted
- security/putty/patches/patch-CVE-2013-4852-2                  deleted
- security/putty/patches/patch-import.c                         1.2-1.3
- security/putty/patches/patch-terminal.c                       deleted
- security/putty/patches/patch-timing.c                         1.2
- security/putty/patches/patch-unix_gtkfont_c                   deleted
- security/putty/patches/patch-unix_gtkwin.c                    1.3
- security/putty/patches/patch-unix_uxnet.c                     1.2
- security/putty/patches/patch-unix_uxucs.c                     1.2
- security/putty/patches/patch-windows_window.c                 1.2

---
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Tue Aug  6 12:23:37 UTC 2013

   Modified Files:
           pkgsrc/security/putty: Makefile distinfo
           pkgsrc/security/putty/patches: patch-import.c
   Added Files:
           pkgsrc/security/putty/patches: patch-CVE-2013-4852-1
               patch-CVE-2013-4852-2

   Log Message:
   add patch from upstream to fix possible heap overflow in SSH handshake
   due to integer overflow (CVE-2013-4852)
   bump PKGREV

---
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Wed Aug  7 11:06:39 UTC 2013

   Modified Files:
           pkgsrc/security/putty: Makefile distinfo
           pkgsrc/security/putty/patches: patch-import.c patch-timing.c
               patch-unix_gtkwin.c patch-unix_uxnet.c patch-unix_uxucs.c
               patch-windows_window.c
   Removed Files:
           pkgsrc/security/putty/patches: patch-CVE-2013-4852-1
               patch-CVE-2013-4852-2 patch-terminal.c patch-unix_gtkfont_c

   Log Message:
   update to 0.63
   This fixes a buffer overflow which was patched in pkgsrc
   (CVE-2013-4852), two other buffer overflows (CVE-2013-4206,
   CVE-2013-4207), and it clears private keys after use now
   (CVE-2013-4208). Other than that, there are mostly bug fixes from 0.62
   and a few small features.


(tron)

--- pkgsrc/security/putty/Makefile 2013/06/06 12:55:01 1.33
+++ pkgsrc/security/putty/Makefile 2013/08/21 19:40:13 1.33.2.1

@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.33 2013/06/06 12:55:01 wiz Exp $
+# $NetBSD: Makefile,v 1.33.2.1 2013/08/21 19:40:13 tron Exp $
 #
 
-DISTNAME=	putty-0.62
-PKGREVISION=	9
+DISTNAME=	putty-0.63
 CATEGORIES=	security
-MASTER_SITES=	http://the.earth.li/~sgtatham/putty/0.62/
+MASTER_SITES=	http://the.earth.li/~sgtatham/putty/0.63/
 
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://www.chiark.greenend.org.uk/~sgtatham/putty/

--- pkgsrc/security/putty/distinfo 2012/11/01 19:32:44 1.13
+++ pkgsrc/security/putty/distinfo 2013/08/21 19:40:13 1.13.6.1

@@ -1,15 +1,13 @@
-$NetBSD: distinfo,v 1.13 2012/11/01 19:32:44 joerg Exp $
+$NetBSD: distinfo,v 1.13.6.1 2013/08/21 19:40:13 tron Exp $
 
-SHA1 (putty-0.62.tar.gz) = 5898438614117ee7e3704fc3f30a3c4bf2041380
-RMD160 (putty-0.62.tar.gz) = 48324416005eb4b14654fc9e0e14d39f20971507
-Size (putty-0.62.tar.gz) = 1783106 bytes
-SHA1 (patch-import.c) = c2dc26aa851a326ea89e782ef93ae7bfdc916366
+SHA1 (putty-0.63.tar.gz) = 195c0603ef61082b91276faa8d4246ea472bba3b
+RMD160 (putty-0.63.tar.gz) = cf28d88a5f0e1db6c21bb0308bd59ed4d6399e5f
+Size (putty-0.63.tar.gz) = 1887913 bytes
+SHA1 (patch-import.c) = da6a34ec3412985858babb28821296c40e30d96b
 SHA1 (patch-ldisc.c) = e4dd89bfb2ddcb47aad46cc7c311f424aa6ab6be
-SHA1 (patch-terminal.c) = bed37a83bb7afc56ff34d48f8079b37d9db0f948
-SHA1 (patch-timing.c) = b836da7194aa72ac88d94951070dc65f11978703
+SHA1 (patch-timing.c) = 9dd79fde390878960e97c456628bbd5dcbcd07f9
 SHA1 (patch-unix_Makefile.gtk) = 0ad8226e2ad8e6e40d3eb9ddef4b22e7d07b7895
-SHA1 (patch-unix_gtkfont_c) = 0e57d4f49466ac73fb0d8cc8efb635e6f8a37f44
+SHA1 (patch-unix_gtkwin.c) = ccabdde03fda8bbc24d659a440fe48f96ab5d867
-SHA1 (patch-unix_gtkwin.c) = c62d1888b93476972180d14b1fd06d0ab8c8b04b
+SHA1 (patch-unix_uxnet.c) = 2d1c2939721993fe5616c2fe3f1935c03a31bb35
-SHA1 (patch-unix_uxnet.c) = 50e39093ece97b189da4a736713b59ed72c162d9
+SHA1 (patch-unix_uxucs.c) = a2a5021b515c3bade1126ed062bdc1eece1ca0f9
-SHA1 (patch-unix_uxucs.c) = c8a2c4a5f0f50a0c87ec643acd7a02f16dba576f
+SHA1 (patch-windows_window.c) = e851bad963967429131286c18e39d1ac4add4ae7
-SHA1 (patch-windows_window.c) = 0c9f4ad5870e63793278d6f04cae88154611e596

--- pkgsrc/security/putty/patches/Attic/patch-import.c 2012/02/22 15:27:16 1.1
+++ pkgsrc/security/putty/patches/Attic/patch-import.c 2013/08/21 19:40:13 1.1.14.1

@@ -1,8 +1,8 @@
-$NetBSD: patch-import.c,v 1.1 2012/02/22 15:27:16 wiz Exp $
+$NetBSD: patch-import.c,v 1.1.14.1 2013/08/21 19:40:13 tron Exp $
 
---- import.c.orig	2010-04-12 11:02:06.000000000 +0000
+--- import.c.orig	2013-07-20 13:15:20.000000000 +0000
 +++ import.c
-@@ -717,8 +717,8 @@ int openssh_write(const Filename *filena
+@@ -725,8 +725,8 @@ int openssh_write(const Filename *filena
      unsigned char *outblob;
      int outlen;
      struct mpint_pos numbers[9];
@@ -13,7 +13,7 @@
      char zero[1];
      unsigned char iv[8];
      int ret = 0;
-@@ -1513,8 +1513,8 @@ int sshcom_write(const Filename *filenam
+@@ -1547,8 +1547,8 @@ int sshcom_write(const Filename *filenam
      unsigned char *outblob;
      int outlen;
      struct mpint_pos numbers[6];

--- pkgsrc/security/putty/patches/Attic/patch-unix_uxnet.c 2012/02/22 15:27:17 1.1
+++ pkgsrc/security/putty/patches/Attic/patch-unix_uxnet.c 2013/08/21 19:40:13 1.1.14.1

@@ -1,8 +1,8 @@
-$NetBSD: patch-unix_uxnet.c,v 1.1 2012/02/22 15:27:17 wiz Exp $
+$NetBSD: patch-unix_uxnet.c,v 1.1.14.1 2013/08/21 19:40:13 tron Exp $
 
---- unix/uxnet.c.orig	2009-08-06 22:55:15.000000000 +0000
+--- unix/uxnet.c.orig	2013-07-27 18:35:48.000000000 +0000
 +++ unix/uxnet.c
-@@ -526,10 +526,10 @@ static int try_connect(Actual_Socket soc
+@@ -534,10 +534,10 @@ static int try_connect(Actual_Socket soc
  {
      int s;
      union sockaddr_union u;
@@ -10,8 +10,8 @@
 +    const union sockaddr_union *sa = NULL;
      int err = 0;
      short localport;
--    int fl, salen, family;
-+    int fl, salen = 0, family;
+-    int salen, family;
++    int salen = 0, family;
  
      /*
       * Remove the socket from the tree before we overwrite its

--- pkgsrc/security/putty/patches/Attic/patch-windows_window.c 2012/02/22 15:27:17 1.1
+++ pkgsrc/security/putty/patches/Attic/patch-windows_window.c 2013/08/21 19:40:13 1.1.14.1

@@ -1,14 +1,15 @@
-$NetBSD: patch-windows_window.c,v 1.1 2012/02/22 15:27:17 wiz Exp $
+$NetBSD: patch-windows_window.c,v 1.1.14.1 2013/08/21 19:40:13 tron Exp $
 
 Make the home/end keys work on BSD servers as well as Linux ones
 
---- windows/window.c.orig	2011-07-16 11:26:19.000000000 +0000
+--- windows/window.c.orig	2013-08-04 19:32:10.000000000 +0000
 +++ windows/window.c
-@@ -4302,8 +4302,17 @@ static int TranslateKey(UINT message, WP
+@@ -4520,9 +4520,17 @@ static int TranslateKey(UINT message, WP
  		p += sprintf((char *) p, "\x1BO%c", code + 'P' - 11);
  	    return p - output;
  	}
--	if (cfg.rxvt_homeend && (code == 1 || code == 4)) {
+-	if ((code == 1 || code == 4) &&
+-	    conf_get_int(conf, CONF_rxvt_homeend)) {
 -	    p += sprintf((char *) p, code == 1 ? "\x1B[H" : "\x1BOw");
 +	/* Home/End */
 +	if (code == 1 || code == 4) {
@@ -16,7 +17,7 @@
 +	     * We used to send ^[1~ and [4~ for Xterm,
 +             * but those are Linux console */
 +	    const char *he;
-+	    if (cfg.rxvt_homeend)
++	    if (conf_get_int(conf, CONF_rxvt_homeend))
 +		he = code == 1 ? "\x1B[7~" : "\x1B[8~";
 +	    else
 +		he = code == 1 ? "\x1BOH" : "\x1BOF";

--- pkgsrc/security/putty/patches/patch-timing.c 2012/11/01 19:32:44 1.1
+++ pkgsrc/security/putty/patches/patch-timing.c 2013/08/21 19:40:13 1.1.6.1

@@ -1,19 +1,17 @@
-$NetBSD: patch-timing.c,v 1.1 2012/11/01 19:32:44 joerg Exp $
+$NetBSD: patch-timing.c,v 1.1.6.1 2013/08/21 19:40:13 tron Exp $
 
---- timing.c.orig	2012-10-30 22:23:57.000000000 +0000
+--- timing.c.orig	2012-09-19 22:12:00.000000000 +0000
 +++ timing.c
-@@ -41,21 +41,10 @@ static int compare_timers(void *av, void
+@@ -60,19 +60,10 @@ static int compare_timers(void *av, void
       * Failing that, compare on the other two fields, just so that
       * we don't get unwanted equality.
       */
--#ifdef __LCC__
+-#if defined(__LCC__) || defined(__clang__)
 -    /* lcc won't let us compare function pointers. Legal, but annoying. */
 -    {
 -	int c = memcmp(&a->fn, &b->fn, sizeof(a->fn));
--	if (c < 0)
--	    return -1;
--	else if (c > 0)
--	    return +1;
+-	if (c)
+-	    return c;
 -    }
 -#else    
 -    if (a->fn < b->fn)

--- pkgsrc/security/putty/patches/Attic/patch-unix_uxucs.c 2012/11/01 19:32:44 1.1
+++ pkgsrc/security/putty/patches/Attic/patch-unix_uxucs.c 2013/08/21 19:40:13 1.1.6.1

@@ -1,9 +1,9 @@
-$NetBSD: patch-unix_uxucs.c,v 1.1 2012/11/01 19:32:44 joerg Exp $
+$NetBSD: patch-unix_uxucs.c,v 1.1.6.1 2013/08/21 19:40:13 tron Exp $
 
---- unix/uxucs.c.orig	2012-10-30 22:26:02.000000000 +0000
+--- unix/uxucs.c.orig	2013-07-22 07:12:05.000000000 +0000
 +++ unix/uxucs.c
-@@ -76,7 +76,7 @@ int wc_to_mb(int codepage, int flags, wc
- 	setlocale(LC_CTYPE, "");
+@@ -72,7 +72,7 @@ int wc_to_mb(int codepage, int flags, co
+ 	memset(&state, 0, sizeof state);
  
  	while (wclen > 0) {
 -	    int i = wcrtomb(output, wcstr[0], &state);

--- pkgsrc/security/putty/patches/Attic/patch-unix_gtkwin.c 2012/11/01 19:32:44 1.2
+++ pkgsrc/security/putty/patches/Attic/patch-unix_gtkwin.c 2013/08/21 19:40:13 1.2.6.1

@@ -1,14 +1,15 @@
-$NetBSD: patch-unix_gtkwin.c,v 1.2 2012/11/01 19:32:44 joerg Exp $
+$NetBSD: patch-unix_gtkwin.c,v 1.2.6.1 2013/08/21 19:40:13 tron Exp $
 
 Make the home/end keys work on BSD servers as well as Linux ones
 
---- unix/gtkwin.c.orig	2011-05-07 10:57:19.000000000 +0000
+--- unix/gtkwin.c.orig	2013-07-20 13:15:10.000000000 +0000
 +++ unix/gtkwin.c
-@@ -1033,9 +1033,17 @@ gint key_event(GtkWidget *widget, GdkEve
+@@ -1132,10 +1132,17 @@ gint key_event(GtkWidget *widget, GdkEve
  		use_ucsoutput = FALSE;
  		goto done;
  	    }
--	    if (inst->cfg.rxvt_homeend && (code == 1 || code == 4)) {
+-	    if ((code == 1 || code == 4) &&
+-		conf_get_int(inst->conf, CONF_rxvt_homeend)) {
 -		end = 1 + sprintf(output+1, code == 1 ? "\x1B[H" : "\x1BOw");
 -		use_ucsoutput = FALSE;
 +	    /* Home/End */
@@ -17,7 +18,7 @@
 +		 * We used to send ^[1~ and [4~ for Xterm,
 +		 * but those are Linux console */
 +		const char *he;
-+		if (inst->cfg.rxvt_homeend)
++		if (conf_get_int(inst->conf, CONF_rxvt_homeend))
 +		    he = code == 1 ? "\x1B[7~" : "\x1B[8~";
 +		else
 +		    he = code == 1 ? "\x1BOH" : "\x1BOF";