Date:      Mon, 11 Dec 2006 15:28:25 -0900
From:      "Beech Rintoul" <beech@alaskaparadise.com>
To:        "FreeBSD gnats submit" <FreeBSD-gnats-submit@FreeBSD.org>
Cc:        beech@alaskaparadise.com
Subject:   ports/106623: [PATCH] ftp/proftpd Added security patches
Message-ID:  <1165883305.44186@stargate.alaskaparadise.com>
Resent-Message-ID: <200612120050.kBC0oGQW067943@freefall.freebsd.org>


>Number:         106623
>Category:       ports
>Synopsis:       [PATCH] ftp/proftpd Added security patches
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 12 00:50:11 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Beech Rintoul
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
Alaska Paradise 
>Environment:


System: FreeBSD 7.0-CURRENT #89: Mon Dec 11 01:37:41 AKST 2006
    root@stargate.alaskaparadise.com:/usr/obj/usr/src/sys/STARGATE



>Description:


Added two security patches
Bumped PORTREVISION


>How-To-Repeat:





>Fix:


diff -ruN --exclude=CVS /usr/ports/ftp/proftpd.orig/Makefile /usr/ports/ftp/proftpd/Makefile
--- /usr/ports/ftp/proftpd.orig/Makefile	Wed Nov 15 15:59:43 2006
+++ /usr/ports/ftp/proftpd/Makefile	Mon Dec 11 15:18:53 2006
@@ -7,7 +7,7 @@
 
 PORTNAME=	proftpd
 DISTVERSION=	1.3.0
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	ftp
 MASTER_SITES=	ftp://ftp.proftpd.org/distrib/source/ \
 		ftp://ftp.fastorama.com/mirrors/ftp.proftpd.org/distrib/source/ \
diff -ruN --exclude=CVS /usr/ports/ftp/proftpd.orig/files/patch-mod_tls.c /usr/ports/ftp/proftpd/files/patch-mod_tls.c
--- /usr/ports/ftp/proftpd.orig/files/patch-mod_tls.c	Wed Dec 31 14:00:00 1969
+++ /usr/ports/ftp/proftpd/files/patch-mod_tls.c	Mon Dec 11 15:13:16 2006
@@ -0,0 +1,38 @@
+diff -u -r1.100 mod_tls.c
+--- contrib/mod_tls.c	29 Nov 2006 03:47:56 -0000	1.100
++++ contrib/mod_tls.c	29 Nov 2006 04:09:06 -0000
+@@ -3103,17 +3103,25 @@
+   long datalen = 0;
+   int ok;
+    
+-  if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
+-     datalen = BIO_get_mem_data(mem, &data);
++  ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE);
++  if (ok) {
++    datalen = BIO_get_mem_data(mem, &data);
+ 
+-  if (data) {
+-    memset(&buf, '\0', sizeof(buf));
+-    memcpy(buf, data, datalen);
+-    buf[datalen] = '\0';
+-    buf[sizeof(buf)-1] = '\0';
++    if (data) {
++      memset(&buf, '\0', sizeof(buf));
+ 
+-    BIO_free(mem);
+-    return buf;
++      if (datalen >= sizeof(buf)) {
++        datalen = sizeof(buf)-1;
++      }
++
++      memcpy(buf, data, datalen);
++
++      buf[datalen] = '\0';
++      buf[sizeof(buf)-1] = '\0';
++
++      BIO_free(mem);
++      return buf;
++    }
+   }
+ 
+   BIO_free(mem);
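Review bot: The new clamp `if (datalen >= sizeof(buf))` compares a signed `long` against a `size_t`, so should BIO_get_mem_data() ever return a negative value it is converted to a large unsigned number, clamped to `sizeof(buf)-1`, and that many bytes are then copied out of `data` rather than the call being treated as a failure. Tightening the inner guard to `if (data && datalen >= 0) {` would send that case to the common `BIO_free(mem)` path instead. Separately, `if (ok)` treats any non-zero return as success; as far as I recall the OpenSSL documentation, X509_NAME_print_ex() reports errors as -1 when XN_FLAG_COMPAT is not set, so `if (ok > 0)` looks safer, though that should be confirmed against the OpenSSL version the port builds with. The clamp also truncates an over-long subject name silently, and a log line at that point would make oversized certificate names visible to operators. The function's signature, the declaration of `buf` and the failure return all lie outside the hunk.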
diff -ruN --exclude=CVS /usr/ports/ftp/proftpd.orig/files/patch-support.c /usr/ports/ftp/proftpd/files/patch-support.c
--- /usr/ports/ftp/proftpd.orig/files/patch-support.c	Wed Dec 31 14:00:00 1969
+++ /usr/ports/ftp/proftpd/files/patch-support.c	Mon Dec 11 15:05:40 2006
@@ -0,0 +1,79 @@
+--- src/support.c	2005/09/28 02:06:26	1.78
++++ src/support.c	2006/11/27 14:49:47	1.80
+@@ -27,7 +27,7 @@
+ /* Various basic support routines for ProFTPD, used by all modules
+  * and not specific to one or another.
+  *
+- * $Id: support.c,v 1.78 2005/09/28 02:06:26 castaglia Exp $
++ * $Id: support.c,v 1.80 2006/11/27 14:49:47 jwm Exp $
+  */
+ 
+ #include "conf.h"
+@@ -632,7 +632,8 @@
+   char **mptr,**rptr;
+   char *marr[33],*rarr[33];
+   char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
+-  size_t mlen = 0, rlen = 0, blen;
++  size_t mlen = 0, rlen = 0;
++  int blen;
+   int dyn = TRUE;
+ 
+   cp = buf;
+@@ -646,7 +647,7 @@
+ 
+   while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
+     char *tmp = NULL;
+-    size_t count = 0;
++    int count = 0;
+ 
+     if ((r = va_arg(args, char *)) == NULL)
+       break;
+@@ -659,6 +660,12 @@
+     while (tmp) {
+       pr_signals_handle();
+       count++;
++      if (count < 0) {
++        /* Integer overflow. In order to overflow integer range with a count
++         * of escapes, somebody must be doing something very strange.
++         */
++        return s;
++      }
+ 
+       /* Be sure to increment the pointer returned by strstr(3), to
+        * advance past the beginning of the substring for which we are
+@@ -674,6 +681,12 @@
+      */
+     if (count) {
+       blen += count * (strlen(r) - strlen(m));
++      if (blen < 0) {
++        /* Integer overflow. In order to overflow this, somebody must be
++         * doing something very strange.
++         */
++        return s;
++      }
+       marr[mlen] = m;
+       rarr[mlen++] = r;
+     }
+@@ -722,10 +735,11 @@
+     }
+ 
+     if (!*mptr) {
+-      if ((cp - pbuf + 1) > blen) {
++      if ((cp - pbuf + 1) >= blen) {
+ 	pr_log_pri(PR_LOG_ERR,
+ 		"WARNING: attempt to overflow internal ProFTPD buffers");
+ 	cp = pbuf + blen - 1;
++	goto done;
+       }
+       *cp++ = *src++;
+     }
+@@ -768,6 +782,9 @@
+ char *sstrcat(char *dest, const char *src, size_t n) {
+   register char *d;
+ 
++  if (n == 0)
++    return NULL;
++
+   for (d = dest; *d && n > 1; d++, n--) ;
+ 
+   while (n-- > 1 && *src)
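Review bot: The added `if (count < 0)` test after `count++` (inner hunk `-659,6 +660,12`) detects the overflow only after it has happened, and overflowing a signed `int` is undefined behaviour in C, so an optimising compiler is allowed to drop the test altogether. Checking before the increment, `if (count == INT_MAX) return s;`, keeps the guard well defined (`INT_MAX` needs `<limits.h>`, which may or may not already be pulled in through `conf.h`). The `blen < 0` test in the `-674,6 +681,12` hunk has a related gap: `count * (strlen(r) - strlen(m))` is evaluated as `size_t` and then narrowed into an `int`, so a wrapped product can land on a positive value and pass the check; comparing the product against the remaining room before adding it would close that. The enclosing function starts and ends outside the quoted hunks, so how `blen` is initialised and what follows the `done` label cannot be confirmed from here.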



>Release-Note:
>Audit-Trail:
>Unformatted:


