On Fri, Feb 29, 2008 at 10:51 PM, Jasper Lievisse Adriaanse <[EMAIL PROTECTED]> wrote:
> hi,
>
> here's the vendors patch to fix CVE-2008-0983
> http://secunia.com/cve_reference/CVE-2008-0983/
>
> ok to commit?
>
sorry, but is there something wrong with this patch? I don't see how all these extra lines should be there. This is 1.4.18, with only 1 patch in ports, 'patch-doc_lighttpd_conf' right?

> > Index: patches/patch-src_fdevent_solaris_devpoll_c > =================================================================== > RCS file: patches/patch-src_fdevent_solaris_devpoll_c > diff -N patches/patch-src_fdevent_solaris_devpoll_c > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_fdevent_solaris_devpoll_c 29 Feb 2008 14:49:12 -0000 > @@ -0,0 +1,12 @@ > +$OpenBSD$ > +--- src/fdevent_solaris_devpoll.c.orig Fri Feb 29 15:46:03 2008 > ++++ src/fdevent_solaris_devpoll.c Fri Feb 29 15:46:25 2008 > +@@ -67,7 +67,7 @@ static int fdevent_solaris_devpoll_poll(fdevents *ev, > + int ret; > + > + dopoll.dp_timeout = timeout_ms; > +- dopoll.dp_nfds = ev->maxfds; > ++ dopoll.dp_nfds = ev->maxfds - 1; > + dopoll.dp_fds = ev->devpollfds; > + > + ret = ioctl(ev->devpoll_fd, DP_POLL, &dopoll); > <snip>

As far as I know only 1 line changes in src/fdevent_solaris_devpoll.c (and 3 lines are removed from src/server.c). Contrast this with http://trac.lighttpd.net/trac/attachment/ticket/1562/Fix-372-and-1562.patch, and the 1.4.18 source.

-jf

--
In the meantime, here is your PSA:
"It's so hard to write a graphics driver that open-sourcing it would not help."
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228
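Review bot: The `- 1` in `dopoll.dp_nfds = ev->maxfds - 1;` (nested hunk at line 67 of src/fdevent_solaris_devpoll.c) is an unexplained off-by-one adjustment with no comment and no guard. Please add a one-line comment stating why DP_POLL is given one fewer entry than `ev->maxfds`, and confirm that `ev->maxfds` can never be 0 on this path, since the assignment would then pass -1 as `dp_nfds` to the `ioctl`. The new ports patch file also carries only `$OpenBSD$` as a header, so nothing in it ties the change to CVE-2008-0983 or to the upstream ticket; a short note in the commit message or the patch would make that traceable.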