r4896 - in trunk: BOOK/general/prog BOOK/introduction/welcome patches

randy at linuxfromscratch.org randy at linuxfromscratch.org
Mon Aug 8 15:44:13 PDT 2005


Author: randy
Date: 2005-08-08 16:44:12 -0600 (Mon, 08 Aug 2005)
New Revision: 4896

Added:
   trunk/patches/nasm-0.98.39-security_fix-1.patch
Modified:
   trunk/BOOK/general/prog/nasm.xml
   trunk/BOOK/introduction/welcome/changelog.xml
Log:
Added a patch to the NASM instructions to fix a buffer overrun vulnerability

Modified: trunk/BOOK/general/prog/nasm.xml
===================================================================
--- trunk/BOOK/general/prog/nasm.xml	2005-08-08 21:21:19 UTC (rev 4895)
+++ trunk/BOOK/general/prog/nasm.xml	2005-08-08 22:44:12 UTC (rev 4896)
@@ -9,7 +9,7 @@
   <!ENTITY NASM-md5sum "2032ad44c7359f7a9a166a40a633e772">
   <!ENTITY NASM-size "543 KB">
   <!ENTITY NASM-buildsize "17.3 MB (includes building and installing all docs)">
-  <!ENTITY NASM-time "0.20 SBU">
+  <!ENTITY NASM-time "0.2 SBU">
 ]>
 
 <sect1 id="NASM" xreflabel="NASM-&NASM-version;">
@@ -55,6 +55,14 @@
       </listitem>
     </itemizedlist>
 
+    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
+    <itemizedlist spacing="compact">
+      <listitem> 
+        <para>Required patch to fix a buffer overrun vulnerability: <ulink
+        url="&patch-root;/nasm-&NASM-version;-security_fix-1.patch"/></para>
+      </listitem>
+    </itemizedlist>
+
     <bridgehead renderas="sect3">NASM Dependencies</bridgehead>
 
     <bridgehead renderas="sect4">Optional (for Building Documentation)</bridgehead>
@@ -69,7 +77,8 @@
     <para>Install <application>NASM</application> by running
     the following commands:</para>
 
-<screen><userinput>./configure --prefix=/usr &&
+<screen><userinput>patch -Np1 -i ../nasm-&NASM-version;-security_fix-1.patch &&
+./configure --prefix=/usr &&
 make &&
 make -C rdoff/doc &&
 make -C rdoff/doc html</userinput></screen>

Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml	2005-08-08 21:21:19 UTC (rev 4895)
+++ trunk/BOOK/introduction/welcome/changelog.xml	2005-08-08 22:44:12 UTC (rev 4896)
@@ -25,9 +25,9 @@
   <itemizedlist>
 
     <listitem>
-      <para>August 8th, 2005 [randy]: Added instructions to install a patch
-      to the Ruby package which fixes a security vulnerability, thanks to
-      Ken Moffat for the suggestion.</para>
+      <para>August 8th, 2005 [randy]: Added instructions to install patches
+      to Ruby and NASM that fix security vulnerabilities discovered in both
+      packages, thanks to Ken Moffat for the suggestions.</para>
     </listitem>
 
     <listitem>

Added: trunk/patches/nasm-0.98.39-security_fix-1.patch
===================================================================
--- trunk/patches/nasm-0.98.39-security_fix-1.patch	2005-08-08 21:21:19 UTC (rev 4895)
+++ trunk/patches/nasm-0.98.39-security_fix-1.patch	2005-08-08 22:44:12 UTC (rev 4896)
@@ -0,0 +1,25 @@
+Submitted By: Ken Moffat <ken at kenmoffat.uklinux.net>
+Date: 2005-08-08
+Initial Package Version: 0.98.39
+Upstream Status: From upstream cvs
+Origin: Extracted by Ken Moffat
+Description:  This is Jindrich Novy's patch to fix another buffer overrun
+in nasm, CAN-2005-1194 (users who can be persuaded to assemble and run a
+malicious source file can have arbitrary code executed via a buffer
+overflow).
+
+
+$LastChangedBy$
+$Date$
+
+--- nasm-0.98.39/output/outieee.c.orig	2005-01-15 22:16:08.000000000 +0000
++++ nasm-0.98.39/output/outieee.c	2005-08-08 22:12:46.000000000 +0100
+@@ -1120,7 +1120,7 @@
+     va_list ap;
+ 
+     va_start(ap, format);
+-    vsprintf(buffer, format, ap);
++    vsnprintf(buffer, sizeof(buffer), format, ap);
+     l = strlen(buffer);
+     for (i = 0; i < l; i++)
+         if ((buffer[i] & 0xff) > 31)


Property changes on: trunk/patches/nasm-0.98.39-security_fix-1.patch
___________________________________________________________________
Name: svn:keywords
   + LastChangedBy Date




More information about the blfs-book mailing list