sysutils/screen*: Fix off-by-one buffer overflow

FreeBSD ncurses, as of c8b9c85ee5bb, does a strncpy() of 1024 bytes into a 1023 byte buffer supplied by screen. This section of code in ncurses was removed in 61f66a1f4403, and is not a problem since 14.0-RELEASE. But it is still a problem in 13-STABLE. Thank you to dim@ for detailed analysis and initial patch to sysutils/screen. The same patch is also applied to sysutils/screen-devel this commit. PR: 280868 MFH: 2024Q3
2025-01-22 08:58:47 +00:00 · 2024-08-19 08:49:48 -07:00 · 2024-08-19 08:49:48 -07:00 · 1c7e0fd32c
commit 1c7e0fd32c
parent b53d4a4ceb
4 changed files with 22 additions and 14 deletions
--- a/sysutils/screen-devel/Makefile
+++ b/sysutils/screen-devel/Makefile
@ -1,6 +1,6 @@
 PORTNAME=	screen
 DISTVERSION=	5.0.0.${SCREEN_COMMIT_DATE}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	sysutils
 PKGNAMESUFFIX=	-devel
 MASTER_SITES=	#
@ -51,11 +51,6 @@ CPE_VENDOR=	gnu

 .include <bsd.port.options.mk>

-.if ${ARCH} == aarch64 || ${ARCH} == armv6 || ${ARCH} == armv7 || \
-    ${ARCH} == i386 || ${ARCH:Mpowerpc*}
-SSP_CFLAGS?=	-fno-stack-protector
-.endif
-
 GNU_CONFIGURE=	yes
 GNU_CONFIGURE_MANPREFIX= ${PREFIX}/share
 CFLAGS+=	-I${NCURSESINC}
--- a/sysutils/screen-devel/files/patch-os.h
+++ b/sysutils/screen-devel/files/patch-os.h
@ -1,5 +1,14 @@
--- os.h.orig	2024-03-26 16:41:57.000000000 -0700
-+++ os.h	2024-04-03 07:39:11.395526000 -0700
+--- os.h.orig	2024-07-27 07:09:11.000000000 -0700
+++ os.h	2024-08-19 08:47:21.152670000 -0700
+@@ -148,7 +148,7 @@
+  */
+ 
+ #ifndef TERMCAP_BUFSIZE
+-# define TERMCAP_BUFSIZE 1023
+# define TERMCAP_BUFSIZE 1024
+ #endif
+ 
+ /*
@@ -161,6 +161,6 @@
 /* Changing those you won't be able to attach to your old sessions
  * when changing those values in official tree don't forget to bump
--- a/sysutils/screen/Makefile
+++ b/sysutils/screen/Makefile
@ -1,6 +1,6 @@
 PORTNAME=	screen
 PORTVERSION=	4.9.1
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	sysutils
 MASTER_SITES=	GNU \
 		ftp://ftp.gnu.org/gnu/screen/ \
@ -52,11 +52,6 @@ CPE_VENDOR=	gnu

 .include <bsd.port.options.mk>

-.if ${ARCH} == aarch64 || ${ARCH} == armv6 || ${ARCH} == armv7 || \
-    ${ARCH} == i386 || ${ARCH:Mpowerpc*}
-SSP_CFLAGS?=	-fno-stack-protector
-.endif
-
 GNU_CONFIGURE=	yes
 GNU_CONFIGURE_MANPREFIX= ${PREFIX}/share
 CFLAGS+=	-I${NCURSESINC}
--- a/sysutils/screen/files/patch-os.h
+++ b/sysutils/screen/files/patch-os.h
@ -14,6 +14,15 @@
 #  define utmp		utmpx
 #  define getutent	getutxent
 #  define getutid	getutxid
+@@ -507,7 +509,7 @@ typedef struct fd_set { int fds_bits[1]; } fd_set;
+  */
+ 
+ #ifndef TERMCAP_BUFSIZE
+-# define TERMCAP_BUFSIZE 1023
+# define TERMCAP_BUFSIZE 1024
+ #endif
+ 
+ #ifndef MAXPATHLEN
@@ -524,6 +526,6 @@
 /* Changing those you won't be able to attach to your old sessions
  * when changing those values in official tree don't forget to bump