head 1.2; access; symbols pkgsrc-2013Q2:1.1.0.2; locks; strict; comment @# @; 1.2 date 2013.08.23.10.56.46; author drochner; state dead; branches; next 1.1; commitid SWK0l4MhrXC6gz2x; 1.1 date 2013.08.07.16.48.49; author drochner; state Exp; branches 1.1.2.1; next ; commitid QRMOPc6vAWrEIx0x; 1.1.2.1 date 2013.08.07.16.48.49; author tron; state dead; branches; next 1.1.2.2; commitid IpneHqy4bDPYZm2x; 1.1.2.2 date 2013.08.21.21.59.57; author tron; state Exp; branches; next ; commitid IpneHqy4bDPYZm2x; desc @@ 1.2 log @update to 3.7.3 change: putty security fixes were integrated (was patched in pkgsrc) @ text @$NetBSD: patch-CVE-2013-4208,v 1.1 2013/08/07 16:48:49 drochner Exp $ http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988
--- src/putty/sshdss.c.orig 2013-08-06 09:08:32.000000000 +0000
+++ src/putty/sshdss.c
@@@@ -251,8 +251,13 @@@@ static int dss_verifysig(void *key, char
 }
 r = get160(&sig, &siglen);
 s = get160(&sig, &siglen);
- if (!r || !s)
+ if (!r || !s) {
+ if (r)
+ freebn(r);
+ if (s)
+ freebn(s);
 return 0;
+ }
 /*
 * Step 1. w <- s^-1 mod q.
@@@@ -601,6 +606,7 @@@@ static unsigned char *dss_sign(void *key
 s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */
 freebn(hxr);
 freebn(kinv);
+ freebn(k);
 freebn(hash);
 /*
@ 1.1 log @update to 3.7.2 This is a major update, many fixes and improvements. Main reason for the update was to sync the embedded sftp client with putty after fixes for vulnerabilities. 
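Review bot: The added cleanup in dss_verifysig handles only a NULL return from get160(); whether r and s are also range-checked before the `Step 1. w <- s^-1 mod q` inversion cannot be seen, because the hunk stops at that comment and the function continues outside it. Both values are parsed from the signature being verified, so they are untrusted input; DSA verification requires 0 < r < q and 0 < s < q, and an s that is zero mod q has no inverse. If no such check follows, add one directly after this block and free both bignums on that path, as the new branch does. The NULL guards before `freebn(r)` and `freebn(s)` are presumably needed because freebn does not accept NULL; a short comment such as `/* freebn() must not be given NULL */` would stop a later cleanup from removing them. The identical hunk appears again in the 1.1.2.2 text further down.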
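Review bot: The added `freebn(k)` in dss_sign releases the per-signature secret k, but nothing visible here shows that freebn clears the bignum before handing it back to the allocator, and for this value that is the property that matters. Knowledge of k for a single signature is enough to derive the private key x from the published (r, s), so k, `kinv` and `hxr` all need to be wiped rather than merely freed; confirm that the embedded copy's freebn zeroes its argument. A comment on the new line, for example `/* k is secret: recovering it from memory reveals x */`, would record why the call must not be dropped. dss_sign starts and ends outside the hunk, so earlier return paths that might skip these frees cannot be checked from here; the same hunk is repeated in the 1.1.2.2 text.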
@ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2013-4208 was added on branch pkgsrc-2013Q2 on 2013-08-21 21:59:57 +0000 @ text @d1 29 @ 1.1.2.2 log @Pullup ticket #4217 - requested by drochner net/filezilla: security update Revisions pulled up: - net/filezilla/Makefile 1.44-1.45 - net/filezilla/PLIST 1.10 - net/filezilla/distinfo 1.17-1.18 - net/filezilla/patches/patch-CVE-2013-4206 1.1 - net/filezilla/patches/patch-CVE-2013-4208 1.1 - net/filezilla/patches/patch-CVE-2013-4852-1 deleted - net/filezilla/patches/patch-CVE-2013-4852-2 deleted - net/filezilla/patches/patch-CVE-2013-4852-3 deleted - net/filezilla/patches/patch-aa deleted --- Module Name: pkgsrc Committed By: drochner Date: Tue Aug 6 12:55:10 UTC 2013 Modified Files: pkgsrc/net/filezilla: Makefile distinfo Added Files: pkgsrc/net/filezilla/patches: patch-CVE-2013-4852-1 patch-CVE-2013-4852-2 patch-CVE-2013-4852-3 Log Message: apply patches from pkgsrc/security/putty to fix embedded sftp client bump PKGREV --- Module Name: pkgsrc Committed By: drochner Date: Wed Aug 7 16:48:49 UTC 2013 Modified Files: pkgsrc/net/filezilla: Makefile PLIST distinfo Added Files: pkgsrc/net/filezilla/patches: patch-CVE-2013-4206 patch-CVE-2013-4208 Removed Files: pkgsrc/net/filezilla/patches: patch-CVE-2013-4852-1 patch-CVE-2013-4852-2 patch-CVE-2013-4852-3 patch-aa Log Message: update to 3.7.2 This is a major update, many fixes and improvements. Main reason for the update was to sync the embedded sftp client with putty after fixes for vulnerabilities. @ text @a0 29 $NetBSD$ http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9988
--- src/putty/sshdss.c.orig 2013-08-06 09:08:32.000000000 +0000
+++ src/putty/sshdss.c
@@@@ -251,8 +251,13 @@@@ static int dss_verifysig(void *key, char
 }
 r = get160(&sig, &siglen);
 s = get160(&sig, &siglen);
- if (!r || !s)
+ if (!r || !s) {
+ if (r)
+ freebn(r);
+ if (s)
+ freebn(s);
 return 0;
+ }
 /*
 * Step 1. w <- s^-1 mod q.
@@@@ -601,6 +606,7 @@@@ static unsigned char *dss_sign(void *key
 s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */
 freebn(hxr);
 freebn(kinv);
+ freebn(k);
 freebn(hash);
 /*
@