Accepting request 52949 from network:utilities

Accepted submit request 52949 from user mrdocs

OBS-URL: https://build.opensuse.org/request/show/52949
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsmi?expand=0&rev=9

libsmi-CVE-2010-2891.patch

@@ -0,0 +1,21 @@
+Index: lib/smi.c
+===================================================================
+--- lib/smi.c	(revision 29144)
++++ lib/smi.c	(working copy)
+@@ -1793,10 +1793,15 @@
+     }
+ 
+     if (isdigit((int)node2[0])) {
+-	for (oidlen = 0, p = strtok(node2, ". "); p;
++	for (oidlen = 0, p = strtok(node2, ". ");
++	     p && oidlen < sizeof(oid)/sizeof(oid[0]);
+ 	     oidlen++, p = strtok(NULL, ". ")) {
+ 	    oid[oidlen] = strtoul(p, NULL, 0);
+ 	}
++	if (p) {
++	    /* the numeric OID is too long */
++	    return NULL;
++	}
+ 	nodePtr = getNode(oidlen, oid);
+ 	if (nodePtr) {
+ 	    if (modulePtr) {

libsmi.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Nov 11 10:38:11 UTC 2010 - nadvornik@novell.com
+
+- fixed buffer overflow CVE-2010-2891 (bnc#649867)
+
 -------------------------------------------------------------------
 Mon Mar 29 14:26:21 CEST 2010 - boris@steki.net
 

libsmi.spec

@@ -29,6 +29,7 @@ Summary:        A Library to Access SMI MIB Information
 Source:         %{name}-%{version}.tar.gz
 Patch0:         libsmi-0.4.8-parser.patch
 Patch1:         libsmi-0.4.8-gnu-source.patch
+Patch2:         libsmi-CVE-2010-2891.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 BuildRequires:  bison flex
@@ -95,6 +96,7 @@ Authors:
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2
 
 %build
 autoreconf --force --install