Date: Mon, 11 Dec 2006 15:28:25 -0900 From: "Beech Rintoul" <beech@alaskaparadise.com> To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@FreeBSD.org> Cc: beech@alaskaparadise.com Subject: ports/106623: [PATCH] ftp/proftpd Added security patches Message-ID: <1165883305.44186@stargate.alaskaparadise.com> Resent-Message-ID: <200612120050.kBC0oGQW067943@freefall.freebsd.org>
>Number: 106623 >Category: ports >Synopsis: [PATCH] ftp/proftpd Added security patches >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Tue Dec 12 00:50:11 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Beech Rintoul >Release: FreeBSD 7.0-CURRENT i386 >Organization: Alaska Paradise >Environment: System: FreeBSD 7.0-CURRENT #89: Mon Dec 11 01:37:41 AKST 2006 root@stargate.alaskaparadise.com:/usr/obj/usr/src/sys/STARGATE >Description: Added two security patches Bumped PORTREVISION >How-To-Repeat: >Fix:
diff -ruN --exclude=CVS /usr/ports/ftp/proftpd.orig/Makefile /usr/ports/ftp/proftpd/Makefile
--- /usr/ports/ftp/proftpd.orig/Makefile Wed Nov 15 15:59:43 2006
+++ /usr/ports/ftp/proftpd/Makefile Mon Dec 11 15:18:53 2006
@@ -7,7 +7,7 @@
 PORTNAME= proftpd
 DISTVERSION= 1.3.0
-PORTREVISION= 4
+PORTREVISION= 5
 CATEGORIES= ftp
 MASTER_SITES= ftp://ftp.proftpd.org/distrib/source/ \
 ftp://ftp.fastorama.com/mirrors/ftp.proftpd.org/distrib/source/ \
diff -ruN --exclude=CVS /usr/ports/ftp/proftpd.orig/files/patch-mod_tls.c /usr/ports/ftp/proftpd/files/patch-mod_tls.c
--- /usr/ports/ftp/proftpd.orig/files/patch-mod_tls.c Wed Dec 31 14:00:00 1969
+++ /usr/ports/ftp/proftpd/files/patch-mod_tls.c Mon Dec 11 15:13:16 2006
@@ -0,0 +1,38 @@
+diff -u -r1.100 mod_tls.c
+--- contrib/mod_tls.c 29 Nov 2006 03:47:56 -0000 1.100
++++ contrib/mod_tls.c 29 Nov 2006 04:09:06 -0000
+@@ -3103,17 +3103,25 @@
+ long datalen = 0;
+ int ok;
+
+- if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
+- datalen = BIO_get_mem_data(mem, &data);
++ ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE);
++ if (ok) {
++ datalen = BIO_get_mem_data(mem, &data);
+
+- if (data) {
+- memset(&buf, '\0', sizeof(buf));
+- memcpy(buf, data, datalen);
+- buf[datalen] = '\0';
+- buf[sizeof(buf)-1] = '\0';
++ if (data) {
++ memset(&buf, '\0', sizeof(buf));
+
+- BIO_free(mem);
+- return buf;
++ if (datalen >= sizeof(buf)) {
++ datalen = sizeof(buf)-1;
++ }
++
++ memcpy(buf, data, datalen);
++
++ buf[datalen] = '\0';
++ buf[sizeof(buf)-1] = '\0';
++
++ BIO_free(mem);
++ return buf;
++ }
+ }
+
+ BIO_free(mem);
diff -ruN --exclude=CVS /usr/ports/ftp/proftpd.orig/files/patch-support.c /usr/ports/ftp/proftpd/files/patch-support.c
--- /usr/ports/ftp/proftpd.orig/files/patch-support.c Wed Dec 31 14:00:00 1969
+++ /usr/ports/ftp/proftpd/files/patch-support.c Mon Dec 11 15:05:40 2006
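Review bot: The new clamp in the mod_tls.c patch compares `datalen`, a signed `long`, with `sizeof(buf)`, so a negative length is caught only through the implicit conversion to unsigned and would then be copied as `sizeof(buf)-1` bytes from `data`. Stating the intent explicitly before the clamp, `if (datalen < 0) datalen = 0;`, removes that dependence on conversion rules. If I read the OpenSSL documentation correctly, `X509_NAME_print_ex()` without `XN_FLAG_COMPAT` reports failure as -1, so `if (ok > 0)` would be safer than `if (ok)`. The truncation is also silent; a comment or log line noting that a subject name longer than the buffer is cut short would help anyone who later compares or logs the returned string. The enclosing function starts and ends outside the hunk, so the declaration of `buf` is not visible here.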
@@ -0,0 +1,79 @@
+--- src/support.c 2005/09/28 02:06:26 1.78
++++ src/support.c 2006/11/27 14:49:47 1.80
+@@ -27,7 +27,7 @@
+ /* Various basic support routines for ProFTPD, used by all modules
+ * and not specific to one or another.
+ *
+- * $Id: support.c,v 1.78 2005/09/28 02:06:26 castaglia Exp $
++ * $Id: support.c,v 1.80 2006/11/27 14:49:47 jwm Exp $
+ */
+
+ #include "conf.h"
+@@ -632,7 +632,8 @@
+ char **mptr,**rptr;
+ char *marr[33],*rarr[33];
+ char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
+- size_t mlen = 0, rlen = 0, blen;
++ size_t mlen = 0, rlen = 0;
++ int blen;
+ int dyn = TRUE;
+
+ cp = buf;
+@@ -646,7 +647,7 @@
+
+ while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
+ char *tmp = NULL;
+- size_t count = 0;
++ int count = 0;
+
+ if ((r = va_arg(args, char *)) == NULL)
+ break;
+@@ -659,6 +660,12 @@
+ while (tmp) {
+ pr_signals_handle();
+ count++;
++ if (count < 0) {
++ /* Integer overflow. In order to overflow integer range with a count
++ * of escapes, somebody must be doing something very strange.
++ */
++ return s;
++ }
+
+ /* Be sure to increment the pointer returned by strstr(3), to
+ * advance past the beginning of the substring for which we are
+@@ -674,6 +681,12 @@
+ */
+ if (count) {
+ blen += count * (strlen(r) - strlen(m));
++ if (blen < 0) {
++ /* Integer overflow. In order to overflow this, somebody must be
++ * doing something very strange.
++ */
++ return s;
++ }
+ marr[mlen] = m;
+ rarr[mlen++] = r;
+ }
+@@ -722,10 +735,11 @@
+ }
+
+ if (!*mptr) {
+- if ((cp - pbuf + 1) > blen) {
++ if ((cp - pbuf + 1) >= blen) {
+ pr_log_pri(PR_LOG_ERR,
+ "WARNING: attempt to overflow internal ProFTPD buffers");
+ cp = pbuf + blen - 1;
++ goto done;
+ }
+ *cp++ = *src++;
+ }
+@@ -768,6 +782,9 @@
+ char *sstrcat(char *dest, const char *src, size_t n) {
+ register char *d;
+
++ if (n == 0)
++ return NULL;
++
+ for (d = dest; *d && n > 1; d++, n--) ;
+
+ while (n-- > 1 && *src)
>Release-Note: >Audit-Trail: >Unformatted:
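Review bot: The added `if (count < 0)` test in the support.c patch runs after `count++` on a signed `int`, and signed overflow is undefined behaviour in C, so a compiler may assume it cannot happen and drop the check; testing before the increment, `if (count == INT_MAX) return s;`, avoids that (INT_MAX needs `<limits.h>`, which may already come in through `conf.h`). The `blen < 0` test further down has a similar shape: the sum is computed in `size_t` and converted back to `int`, which is implementation-defined, so validating the operands before the addition would be more robust. Separately, the unchanged loop bound `mlen < sizeof(marr)-1` uses the byte size of an array of 33 pointers rather than its element count, so it does not limit `mlen` to the array; `sizeof(marr)/sizeof(marr[0])-1` would. The function containing these hunks starts and ends outside the visible lines.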