rpms/proftpd/FC-5 proftpd-1.3.0a-ctrls-bug2867.patch, NONE, 1.1 proftpd.spec, 1.18, 1.19

Tue Feb 6 11:02:39 UTC 2007

Author: thias

Update of /cvs/extras/rpms/proftpd/FC-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12926/FC-5

Modified Files:
	proftpd.spec 
Added Files:
	proftpd-1.3.0a-ctrls-bug2867.patch 
Log Message:
Patch to fix local user buffer overflow in controls request handling (#219938).


proftpd-1.3.0a-ctrls-bug2867.patch:

--- NEW FILE proftpd-1.3.0a-ctrls-bug2867.patch ---
--- src/ctrls.c	2006/10/24 16:13:31	1.14
+++ src/ctrls.c	2006/12/12 16:34:43	1.15
@@ -534,11 +534,20 @@
     return -1;
   }
 
+  if (reqarglen >= sizeof(reqaction)) {
+    pr_signals_unblock();
+    errno = ENOMEM;
+    return -1;
+  }
+
+  memset(reqaction, '\0', sizeof(reqaction));
+
   if (read(cl->cl_fd, reqaction, reqarglen) < 0) {
     pr_signals_unblock();
     return -1;
   }
 
+  reqaction[sizeof(reqaction)-1] = '\0';
   nreqargs--;
 
   /* Find a matching action object, and use it to populate a ctrl object,
@@ -657,17 +666,16 @@
       return -1;
     }
 
-    memset(response, '\0', sizeof(response));
-
     /* Make sure resparglen is not too big */
-    if (resparglen > sizeof(response)) {
+    if (resparglen >= sizeof(response)) {
       pr_signals_unblock();
       errno = ENOMEM;
       return -1;
     }
 
-    bread = read(ctrls_sockfd, response, resparglen);
+    memset(response, '\0', sizeof(response));
 
+    bread = read(ctrls_sockfd, response, resparglen);
     while (bread != resparglen) {
       if (bread < 0) {
         pr_signals_unblock(); 


Index: proftpd.spec
===================================================================
RCS file: /cvs/extras/rpms/proftpd/FC-5/proftpd.spec,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- proftpd.spec	29 Nov 2006 12:44:48 -0000	1.18
+++ proftpd.spec	6 Feb 2007 11:02:07 -0000	1.19
@@ -1,7 +1,7 @@
 Summary: Flexible, stable and highly-configurable FTP server
 Name: proftpd
 Version: 1.3.0a
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: GPL
 Group: System Environment/Daemons
 URL: http://www.proftpd.org/
@@ -16,6 +16,7 @@
 Patch1: proftpd-1.3.0-ctrls-restart.patch
 Patch2: proftpd-1.3.0-cmdbufsize.patch
 Patch3: proftpd-1.3.0-mod_tls.patch
+Patch4: proftpd-1.3.0a-ctrls-bug2867.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 Requires: pam >= 0.59
 Requires(post): /sbin/chkconfig
@@ -70,6 +71,7 @@
 %patch1 -p0 -b .ctrls-restart
 %patch2 -p1 -b .cmdbufsize
 %patch3 -p0 -b .mod_tls
+%patch4 -p0 -b .ctrls-bug2867
 
 
 %build
@@ -190,6 +192,13 @@
 
 
 %changelog
+* Tue Feb  6 2007 Matthias Saou <http://freshrpms.net/> 1.3.0a-3
+- Patch to fix local user buffer overflow in controls request handling, rhbz
+  bug #219938, proftpd bug #2867.
+
+* Mon Dec 11 2006 Matthias Saou <http://freshrpms.net/> 1.3.0a-2
+- Rebuild against new PostgreSQL.
+
 * Mon Nov 27 2006 Matthias Saou <http://freshrpms.net/> 1.3.0a-1
 - Update to 1.3.0a, which actually fixes CVE-2006-5815... yes, #214820!).
 


