authorNed Ludd <solar@gentoo.org>2004-06-30 00:06:18 +0000
committerNed Ludd <solar@gentoo.org>2004-06-30 00:06:18 +0000
commitd66b8cf417e0c65bc2ceab1c7fc21a3d85f98e77 (patch)
tree92236a6d2c9018b43dc561050045e4fb369284a3 /net-misc/pavuk/files
parentRollback till the new gs is fixed on ppc (Manifest recommit) (diff)
Security update. When pavuk connects to a web server and the server sends back the HTTP status code 305 (Use Proxy), pavuk copies data from the HTTP Location header in an unsafe manner. This leads to a stack-based buffer overflow with control over EIP.
Diffstat (limited to 'net-misc/pavuk/files')
-rw-r--r--net-misc/pavuk/files/digest-pavuk-0.9.28-r21
-rw-r--r--net-misc/pavuk/files/pavuk-0.9.28-http.patch13
2 files changed, 14 insertions, 0 deletions
diff --git a/net-misc/pavuk/files/digest-pavuk-0.9.28-r2 b/net-misc/pavuk/files/digest-pavuk-0.9.28-r2
new file mode 100644
index 000000000000..cdc14b2bba09
--- /dev/null
+++ b/net-misc/pavuk/files/digest-pavuk-0.9.28-r2
@@ -0,0 +1 @@
+MD5 d0f7b77bd11322add1f7d52d62afbf78 pavuk-0.9pl28.tgz 968336
diff --git a/net-misc/pavuk/files/pavuk-0.9.28-http.patch b/net-misc/pavuk/files/pavuk-0.9.28-http.patch
new file mode 100644
index 000000000000..88acf6f5e49f
--- /dev/null
+++ b/net-misc/pavuk/files/pavuk-0.9.28-http.patch
@@ -0,0 +1,13 @@
+--- http.c.old 2001-07-30 00:06:40.000000000 +0200
++++ http.c 2004-06-14 01:33:27.000000000 +0200
+@@ -1111,8 +1111,8 @@
+ if (!loc)
+ return -1;
+
+- if (sscanf(loc, "http://%[.0-9A-Za-z_-]:%d", proxy, &port) < 1)
+- if (sscanf(loc, "%[.0-9A-Za-z_-]:%d", proxy, &port) !=2)
++ if (sscanf(loc, "http://%255[.0-9A-Za-z_-]:%d", proxy, &port) < 1)
++ if (sscanf(loc, "%255[.0-9A-Za-z_-]:%d", proxy, &port) !=2)
+ return -1;
+
+ _free(docp->http_proxy);
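Review bot: The `%255[` width added to both sscanf calls is only a safe bound if `proxy` holds at least 256 bytes, and its declaration is outside this hunk, so that cannot be confirmed here. Check it, and keep the two in step with a comment beside the calls such as `/* field width must stay sizeof(proxy) - 1 */`. Separately, the outer test `< 1` accepts a return value of 1, meaning a host matched with no port, in which case sscanf never writes `port`; unless `port` is given a default earlier in the function (not visible), it would be used unset. `%d` also does no range check on a server-supplied value, so a guard like `if (port <= 0 || port > 65535) return -1;` after parsing would be worth adding. The enclosing function starts and ends outside the hunk.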