security/kdbxviewer: Update to 0.1.11

- patch two instances of undefined behaviour - patch a potential buffer overflow Changelog: https://github.com/pepa65/kdbxviewer/releases/tag/v0.1.11 PR: 266258 MFH: 2022Q3
freebsd · Sep 6, 2022 · cc0b41d · cc0b41d
1 parent 27697b6
commit cc0b41d
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 4 deletions.
diff --git a/security/kdbxviewer/Makefile b/security/kdbxviewer/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	kdbxviewer
-PORTVERSION=	0.1.10
+PORTVERSION=	0.1.11
 DISTVERSIONPREFIX=v
 CATEGORIES=	security
 

diff --git a/security/kdbxviewer/distinfo b/security/kdbxviewer/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1635952892
-SHA256 (pepa65-kdbxviewer-v0.1.10_GH0.tar.gz) = 0ef77f637b34cb603634b7c2f8247fb5f38e12951961c8e2ae6b7dbf7858fc6d
-SIZE (pepa65-kdbxviewer-v0.1.10_GH0.tar.gz) = 140203
+TIMESTAMP = 1662483072
+SHA256 (pepa65-kdbxviewer-v0.1.11_GH0.tar.gz) = de714ca964d637bcb83f591729fc2e9e6a1100d549278f4315129ec4ceb743d0
+SIZE (pepa65-kdbxviewer-v0.1.11_GH0.tar.gz) = 140203
diff --git a/security/kdbxviewer/files/patch-libcx9r_kdbx.c b/security/kdbxviewer/files/patch-libcx9r_kdbx.c
@@ -0,0 +1,32 @@
+--- libcx9r/kdbx.c.orig	2022-09-06 17:07:27 UTC
++++ libcx9r/kdbx.c
+@@ -112,22 +112,25 @@ static cx9r_err kdbx_read_magic(cx9r_stream_t *stream)
+ 	uint8_t const kdbx_magic[KDBX_MAGIC_LENGTH] = { 0x03, 0xd9, 0xa2, 0x9a,
+ 			0x67, 0xfb, 0x4b, 0xb5 };
+ DEBUG("Reading magic...\n");
+-	uint8_t magic[KDBX_MAGIC_LENGTH];
++	union {
++		uint8_t magic[KDBX_MAGIC_LENGTH];
++		uint64_t joined;
++	} m;
+
+ 	// default return value
+ 	cx9r_err err = CX9R_OK;
+ 	// read magic bytes
+-	CHECK((cx9r_sread(magic, 1, KDBX_MAGIC_LENGTH, stream) == KDBX_MAGIC_LENGTH),
++	CHECK((cx9r_sread(m.magic, 1, KDBX_MAGIC_LENGTH, stream) == KDBX_MAGIC_LENGTH),
+ 			err, CX9R_FILE_READ_ERR, kdbx_magic_bail);
+ DEBUG("Proper magic length\n");
+
+ 	// compare magic bytes to expected
+-	CHECK((memcmp(magic, kdbx_magic, KDBX_MAGIC_LENGTH) == 0), err,
++	CHECK((memcmp(m.magic, kdbx_magic, KDBX_MAGIC_LENGTH) == 0), err,
+ 			CX9R_BAD_MAGIC, kdbx_magic_bail);
+ DEBUG("Proper magic content\n");
+
+ 	kdbx_magic_bail:
+-DEBUG("%016lX  (%d)\n", *(uint64_t*)&magic, err);
++DEBUG("%016llX  (%d)\n", (unsigned long long)m.joined, err);
+ 	return err;
+ }
+
diff --git a/security/kdbxviewer/files/patch-src_main.c b/security/kdbxviewer/files/patch-src_main.c
@@ -0,0 +1,29 @@
+--- src/main.c.orig	2022-09-06 17:00:52 UTC
++++ src/main.c
+@@ -159,7 +159,7 @@ void print_key_table(cx9r_kt_group *g, int level) {
+
+ // Process commandline
+ int main(int argc, char **argv) {
+-	long unsigned int len = PATHLEN, opt, flags = 0;
++	size_t len = PATHLEN, opt, flags = 0;
+ 	char *kdbxfilename = malloc(len), *filename = malloc(len), command = 0,
+ 		*password = NULL, *self = argv[0] + strlen(argv[0]),
+ 		*configfilename = strcat(getenv("HOME"), CONFIGFILENAME);
+@@ -246,14 +246,14 @@ int main(int argc, char **argv) {
+ 		*filename = 0;
+ 		if ((configfile = fopen(configfilename, "r")) != NULL)
+ 			while (getline(&filename, &len, configfile) != -1) {
+-				*(filename+strlen(filename)-1) = 0;
++				filename[strcspn(filename, "\n")] = '\0';
+ 				// Check the latest found file
+-				if ((kdbxfile = fopen(filename, "r")) != NULL) strcpy(kdbxfilename, filename);
++				if ((kdbxfile = fopen(filename, "r")) != NULL) kdbxfilename = strdup(filename);
+ 				*filename = 0;
+ 			}
+ 		if (*kdbxfilename == 0)
+ 			abort(-7, "No database specified on commandline or in configfile\n");
+-		else strcpy(filename, kdbxfilename);
++		else filename = strdup(kdbxfilename);
+ 	}
+
+ 	// Set default mode depending on search