Add two security patches:

patch-support.c: fixes CVE-2006-5815 remote code execution patch-mod_tls.c: fixes Bug#2860 Failure to check for data length in mod_tls could lead to remote buffer overwriting. Submitted by: maintainer PR: ports/106623
svn path=/head/; revision=179576
2025-01-13 07:34:50 +00:00 · 2006-12-12 16:08:09 +00:00 · 2006-12-12 16:08:09 +00:00 · 211a2f9dfd · 2021-03-31 03:12:20 +00:00
commit 211a2f9dfd
parent 37a9257fe9
6 changed files with 236 additions and 2 deletions
--- a/ftp/proftpd-devel/Makefile
+++ b/ftp/proftpd-devel/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	proftpd
 DISTVERSION=	1.3.0
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	ftp
 MASTER_SITES=	ftp://ftp.proftpd.org/distrib/source/ \
 		ftp://ftp.fastorama.com/mirrors/ftp.proftpd.org/distrib/source/ \
--- a/ftp/proftpd-devel/files/patch-mod_tls.c
+++ b/ftp/proftpd-devel/files/patch-mod_tls.c
@ -0,0 +1,38 @@
+diff -u -r1.100 mod_tls.c
+--- contrib/mod_tls.c	29 Nov 2006 03:47:56 -0000	1.100
+++ contrib/mod_tls.c	29 Nov 2006 04:09:06 -0000
+@@ -3103,17 +3103,25 @@
+   long datalen = 0;
+   int ok;
+    
+-  if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
+-     datalen = BIO_get_mem_data(mem, &data);
+  ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE);
+  if (ok) {
+    datalen = BIO_get_mem_data(mem, &data);
+ 
+-  if (data) {
+-    memset(&buf, '\0', sizeof(buf));
+-    memcpy(buf, data, datalen);
+-    buf[datalen] = '\0';
+-    buf[sizeof(buf)-1] = '\0';
+    if (data) {
+      memset(&buf, '\0', sizeof(buf));
+ 
+-    BIO_free(mem);
+-    return buf;
+      if (datalen >= sizeof(buf)) {
+        datalen = sizeof(buf)-1;
+      }
+
+      memcpy(buf, data, datalen);
+
+      buf[datalen] = '\0';
+      buf[sizeof(buf)-1] = '\0';
+
+      BIO_free(mem);
+      return buf;
+    }
+   }
+ 
+   BIO_free(mem);
--- a/ftp/proftpd-devel/files/patch-support.c
+++ b/ftp/proftpd-devel/files/patch-support.c
@ -0,0 +1,79 @@
+--- src/support.c	2005/09/28 02:06:26	1.78
+++ src/support.c	2006/11/27 14:49:47	1.80
+@@ -27,7 +27,7 @@
+ /* Various basic support routines for ProFTPD, used by all modules
+  * and not specific to one or another.
+  *
+- * $Id: support.c,v 1.78 2005/09/28 02:06:26 castaglia Exp $
+ * $Id: support.c,v 1.80 2006/11/27 14:49:47 jwm Exp $
+  */
+ 
+ #include "conf.h"
+@@ -632,7 +632,8 @@
+   char **mptr,**rptr;
+   char *marr[33],*rarr[33];
+   char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
+-  size_t mlen = 0, rlen = 0, blen;
+  size_t mlen = 0, rlen = 0;
+  int blen;
+   int dyn = TRUE;
+ 
+   cp = buf;
+@@ -646,7 +647,7 @@
+ 
+   while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
+     char *tmp = NULL;
+-    size_t count = 0;
+    int count = 0;
+ 
+     if ((r = va_arg(args, char *)) == NULL)
+       break;
+@@ -659,6 +660,12 @@
+     while (tmp) {
+       pr_signals_handle();
+       count++;
+      if (count < 0) {
+        /* Integer overflow. In order to overflow integer range with a count
+         * of escapes, somebody must be doing something very strange.
+         */
+        return s;
+      }
+ 
+       /* Be sure to increment the pointer returned by strstr(3), to
+        * advance past the beginning of the substring for which we are
+@@ -674,6 +681,12 @@
+      */
+     if (count) {
+       blen += count * (strlen(r) - strlen(m));
+      if (blen < 0) {
+        /* Integer overflow. In order to overflow this, somebody must be
+         * doing something very strange.
+         */
+        return s;
+      }
+       marr[mlen] = m;
+       rarr[mlen++] = r;
+     }
+@@ -722,10 +735,11 @@
+     }
+ 
+     if (!*mptr) {
+-      if ((cp - pbuf + 1) > blen) {
+      if ((cp - pbuf + 1) >= blen) {
+ 	pr_log_pri(PR_LOG_ERR,
+ 		"WARNING: attempt to overflow internal ProFTPD buffers");
+ 	cp = pbuf + blen - 1;
+	goto done;
+       }
+       *cp++ = *src++;
+     }
+@@ -768,6 +782,9 @@
+ char *sstrcat(char *dest, const char *src, size_t n) {
+   register char *d;
+ 
+  if (n == 0)
+    return NULL;
+
+   for (d = dest; *d && n > 1; d++, n--) ;
+ 
+   while (n-- > 1 && *src)
--- a/ftp/proftpd/Makefile
+++ b/ftp/proftpd/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	proftpd
 DISTVERSION=	1.3.0
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	ftp
 MASTER_SITES=	ftp://ftp.proftpd.org/distrib/source/ \
 		ftp://ftp.fastorama.com/mirrors/ftp.proftpd.org/distrib/source/ \
--- a/ftp/proftpd/files/patch-mod_tls.c
+++ b/ftp/proftpd/files/patch-mod_tls.c
@ -0,0 +1,38 @@
+diff -u -r1.100 mod_tls.c
+--- contrib/mod_tls.c	29 Nov 2006 03:47:56 -0000	1.100
+++ contrib/mod_tls.c	29 Nov 2006 04:09:06 -0000
+@@ -3103,17 +3103,25 @@
+   long datalen = 0;
+   int ok;
+    
+-  if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
+-     datalen = BIO_get_mem_data(mem, &data);
+  ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE);
+  if (ok) {
+    datalen = BIO_get_mem_data(mem, &data);
+ 
+-  if (data) {
+-    memset(&buf, '\0', sizeof(buf));
+-    memcpy(buf, data, datalen);
+-    buf[datalen] = '\0';
+-    buf[sizeof(buf)-1] = '\0';
+    if (data) {
+      memset(&buf, '\0', sizeof(buf));
+ 
+-    BIO_free(mem);
+-    return buf;
+      if (datalen >= sizeof(buf)) {
+        datalen = sizeof(buf)-1;
+      }
+
+      memcpy(buf, data, datalen);
+
+      buf[datalen] = '\0';
+      buf[sizeof(buf)-1] = '\0';
+
+      BIO_free(mem);
+      return buf;
+    }
+   }
+ 
+   BIO_free(mem);
--- a/ftp/proftpd/files/patch-support.c
+++ b/ftp/proftpd/files/patch-support.c
@ -0,0 +1,79 @@
+--- src/support.c	2005/09/28 02:06:26	1.78
+++ src/support.c	2006/11/27 14:49:47	1.80
+@@ -27,7 +27,7 @@
+ /* Various basic support routines for ProFTPD, used by all modules
+  * and not specific to one or another.
+  *
+- * $Id: support.c,v 1.78 2005/09/28 02:06:26 castaglia Exp $
+ * $Id: support.c,v 1.80 2006/11/27 14:49:47 jwm Exp $
+  */
+ 
+ #include "conf.h"
+@@ -632,7 +632,8 @@
+   char **mptr,**rptr;
+   char *marr[33],*rarr[33];
+   char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
+-  size_t mlen = 0, rlen = 0, blen;
+  size_t mlen = 0, rlen = 0;
+  int blen;
+   int dyn = TRUE;
+ 
+   cp = buf;
+@@ -646,7 +647,7 @@
+ 
+   while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
+     char *tmp = NULL;
+-    size_t count = 0;
+    int count = 0;
+ 
+     if ((r = va_arg(args, char *)) == NULL)
+       break;
+@@ -659,6 +660,12 @@
+     while (tmp) {
+       pr_signals_handle();
+       count++;
+      if (count < 0) {
+        /* Integer overflow. In order to overflow integer range with a count
+         * of escapes, somebody must be doing something very strange.
+         */
+        return s;
+      }
+ 
+       /* Be sure to increment the pointer returned by strstr(3), to
+        * advance past the beginning of the substring for which we are
+@@ -674,6 +681,12 @@
+      */
+     if (count) {
+       blen += count * (strlen(r) - strlen(m));
+      if (blen < 0) {
+        /* Integer overflow. In order to overflow this, somebody must be
+         * doing something very strange.
+         */
+        return s;
+      }
+       marr[mlen] = m;
+       rarr[mlen++] = r;
+     }
+@@ -722,10 +735,11 @@
+     }
+ 
+     if (!*mptr) {
+-      if ((cp - pbuf + 1) > blen) {
+      if ((cp - pbuf + 1) >= blen) {
+ 	pr_log_pri(PR_LOG_ERR,
+ 		"WARNING: attempt to overflow internal ProFTPD buffers");
+ 	cp = pbuf + blen - 1;
+	goto done;
+       }
+       *cp++ = *src++;
+     }
+@@ -768,6 +782,9 @@
+ char *sstrcat(char *dest, const char *src, size_t n) {
+   register char *d;
+ 
+  if (n == 0)
+    return NULL;
+
+   for (d = dest; *d && n > 1; d++, n--) ;
+ 
+   while (n-- > 1 && *src)