Diffstat (limited to 'app-misc/dtach/files/dtach-0.8-CVE-2012-3368.patch')
-rw-r--r--app-misc/dtach/files/dtach-0.8-CVE-2012-3368.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/app-misc/dtach/files/dtach-0.8-CVE-2012-3368.patch b/app-misc/dtach/files/dtach-0.8-CVE-2012-3368.patch
new file mode 100644
index 000000000000..82d5f0e1e159
--- /dev/null
+++ b/app-misc/dtach/files/dtach-0.8-CVE-2012-3368.patch
@@ -0,0 +1,35 @@
+Fix error handling for read from stdin in attach.c
+
+attach.c did not correctly handle a read from stdin when read returned
+an error. The code assigned the return value of read to pkt.len (an
+unsigned char) before checking the value. This prevented the error check
+from working correctly, since an unsigned integer can never be < 0.
+
+A packet with an invalid length was then sent to the master, which then
+sent 255 bytes of garbage to the program.
+
+Fix the bug in attach.c and the unchecked packet length bug in master.c.
+
+Report and initial patch by Enrico Scholz.
+
+--- attach.c 2012/07/01 21:26:10 1.12
++++ attach.c 2012/07/01 21:44:34 1.13
+@@ -237,12 +237,16 @@
+ /* stdin activity */
+ if (n > 0 && FD_ISSET(0, &readfds))
+ {
++ ssize_t len;
++
+ pkt.type = MSG_PUSH;
+ memset(pkt.u.buf, 0, sizeof(pkt.u.buf));
+- pkt.len = read(0, pkt.u.buf, sizeof(pkt.u.buf));
++ len = read(0, pkt.u.buf, sizeof(pkt.u.buf));
+
+- if (pkt.len <= 0)
++ if (len <= 0)
+ exit(1);
++
++ pkt.len = len;
+ process_kbd(s, &pkt);
+ n--;
+ }
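Review bot: The description inside this patch says it fixes both attach.c and "the unchecked packet length bug in master.c", but the only inner hunk is the attach.c one at `@@ -237,12 +237,16 @@`, and it accounts for all 35 added lines. Going by that description, the master would still act on a `pkt.len` it has not range-checked, so the fix depends on every attaching client being well behaved. Either carry the upstream master.c hunk in this file as well or trim the description so it only claims the attach.c change. Separately, the narrowing at `pkt.len = len;` is only safe while `sizeof(pkt.u.buf)` fits in an unsigned char, which deserves a comment such as `/* 0 < len <= sizeof(pkt.u.buf), so it fits pkt.len */`. The enclosing function starts and ends outside the hunk.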