rpms/proftpd/F-9 proftpd-1.3.1-csrf.patch, NONE, 1.1 proftpd.spec, 1.39, 1.40

Matthias Saou thias at fedoraproject.org
Fri Jan 2 12:52:19 UTC 2009


Author: thias

Update of /cvs/extras/rpms/proftpd/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4000/F-9

Modified Files:
	proftpd.spec 
Added Files:
	proftpd-1.3.1-csrf.patch 
Log Message:
Add Debian patch to fix CSRF vulnerability (#464127, upstream #3115) and backport recent minor changes on all current branches.


proftpd-1.3.1-csrf.patch:

--- NEW FILE proftpd-1.3.1-csrf.patch ---
#! /bin/sh /usr/share/dpatch/dpatch-run
## 3115.dpatch by Francesco Paolo Lovergine <frankie at debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: No description.

@DPATCH@
diff -urNad trunk~/src/main.c trunk/src/main.c
--- trunk~/src/main.c	2008-09-21 23:50:55.000000000 +0200
+++ trunk/src/main.c	2008-09-21 23:50:55.000000000 +0200
@@ -674,12 +674,17 @@
   while (TRUE) {
     pr_signals_handle();
 
+    memset(buf,'\0',sizeof(buf));
+
     if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm,
         session.c->outstrm) == NULL) {
 
-      if (PR_NETIO_ERRNO(session.c->instrm) == EINTR)
-        /* Simple interrupted syscall */
+      if (errno == E2BIG) {
+         /* The client sent a too-long command which was ignored; give
+          * them another chance?
+          */
 	continue;
+      }
 
 #ifndef PR_DEVEL_NO_DAEMON
       /* Otherwise, EOF */
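Review bot: The retry test `errno == E2BIG` reads an errno that nothing in this loop clears before `pr_netio_telnet_gets()` is called. A NULL return that does not itself set errno (presumably a plain EOF) right after a too-long command could therefore still see the stale E2BIG and `continue` instead of reaching the EOF handling below; adding `errno = 0;` just before the call would rule that out. The change also drops the `PR_NETIO_ERRNO(session.c->instrm) == EINTR` retry, so an interrupted read now falls through to the EOF path. Keeping it as a second branch, `if (PR_NETIO_ERRNO(session.c->instrm) == EINTR) continue;`, would preserve the old behaviour. The enclosing function starts and ends outside this hunk.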
@@ -695,20 +700,31 @@
 
     if (cmd_buf_size == -1) {
       int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize", FALSE);
+      size_t default_cmd_bufsz;
+
+      /* It's possible for the admin to select a PR_TUNABLE_BUFFER_SIZE which
+       * is smaller than PR_DEFAULT_CMD_BUFSZ.  We need to handle such cases
+       * properly.
+       */
+      default_cmd_bufsz = PR_DEFAULT_CMD_BUFSZ;
+      if (default_cmd_bufsz > sizeof(buf)) {
+        default_cmd_bufsz = sizeof(buf);
+      }
+  
       if (bufsz == NULL) {
-        cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
+        cmd_buf_size = default_cmd_bufsz;
 
       } else if (*bufsz <= 0) {
         pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
           "given, using default buffer size (%u) instead",
-          *bufsz, PR_DEFAULT_CMD_BUFSZ);
-        cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
+          *bufsz, default_cmd_bufsz);
+        cmd_buf_size = default_cmd_bufsz;
 
       } else if (*bufsz + 1 > sizeof(buf)) {
         pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
           "given, using default buffer size (%u) instead",
-          *bufsz, PR_DEFAULT_CMD_BUFSZ);
-        cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
+          *bufsz, default_cmd_bufsz);
+        cmd_buf_size = default_cmd_bufsz;
 
       } else {
         pr_log_debug(DEBUG1, "setting CommandBufferSize to %d", *bufsz);
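Review bot: `default_cmd_bufsz` is declared `size_t` but is passed to the two `pr_log_pri()` warnings for a `%u` conversion, which is a type mismatch wherever `size_t` is wider than `unsigned int`. Cast at the call, `*bufsz, (unsigned int) default_cmd_bufsz);`, or declare the variable as `unsigned int`. Separately, the clamp allows `default_cmd_bufsz == sizeof(buf)`, while the explicit-setting branch rejects `*bufsz + 1 > sizeof(buf)` and the read above passes `sizeof(buf)-1`. Clamping to `sizeof(buf) - 1` would keep the fallback consistent with those limits. The if/else chain continues past the end of the hunk.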
diff -urNad trunk~/src/netio.c trunk/src/netio.c
--- trunk~/src/netio.c	2008-09-21 23:39:34.000000000 +0200
+++ trunk/src/netio.c	2008-09-21 23:52:17.000000000 +0200
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - FTP server daemon
- * Copyright (c) 2001-2007 The ProFTPD Project team
+ * Copyright (c) 2001-2008 The ProFTPD Project team
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -30,19 +30,19 @@
 #include <signal.h>
 
 #ifndef IAC
-#define IAC	255
+# define IAC	255
 #endif
 #ifndef DONT
-#define DONT	254
+# define DONT	254
 #endif
 #ifndef DO
-#define DO	253
+# define DO	253
 #endif
 #ifndef WONT
-#define WONT	252
+# define WONT	252
 #endif
 #ifndef WILL
-#define WILL	251
+# define WILL	251
 #endif
 
 static const char *trace_channel = "netio";
@@ -51,6 +51,17 @@
 static pr_netio_t *core_data_netio = NULL, *data_netio = NULL;
 static pr_netio_t *core_othr_netio = NULL, *othr_netio = NULL;
 
+/* Used to track whether the previous text read from the client's control
+ * connection was a properly-terminated command.  If so, then read in the
+ * next/current text as per normal.  If NOT (e.g. the client sent a too-long
+ * command), then read in the next/current text, but ignore it.  Only clear
+ * this flag if the next/current command can be read as per normal.
+ *
+ * The pr_netio_telnet_gets() uses this variable, in conjunction with its
+ * saw_newline flag, for handling too-long commands from clients.
+ */
+static int properly_terminated_prev_command = TRUE;
+
 static pr_netio_stream_t *netio_stream_alloc(pool *parent_pool) {
   pool *netio_pool = NULL;
   pr_netio_stream_t *nstrm = NULL;
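Review bot: `properly_terminated_prev_command` is a single file-scope flag, yet `pr_netio_telnet_gets()` receives the stream as an argument, so the "previous command" state is tied to the process rather than to the stream being read. That is safe only while one control connection per process is read through this function, which seems to be the case but is not visible in the diff. The comment should state that assumption, e.g. by appending `This is per-process state, not per-stream; it assumes a single control connection per process.`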
@@ -911,7 +922,7 @@
   char *bp = buf;
   unsigned char cp;
   static unsigned char mode = 0;
-  int toread;
+  int toread, saw_newline = FALSE;
   pr_buffer_t *pbuf = NULL;
 
   if (buflen == 0) {
@@ -940,8 +951,9 @@
           *bp = '\0';
           return buf;
 
-        } else
+        } else {
           return NULL;
+        }
       }
 
       pbuf->remaining = pbuf->buflen - toread;
@@ -1004,6 +1016,8 @@
       toread--;
       *bp++ = *pbuf->current++;
       pbuf->remaining++;
+
+      saw_newline = TRUE;
       break;
     }
 
@@ -1011,6 +1025,25 @@
       pbuf->current = NULL;
   }
 
+  if (!saw_newline) {
+    /* If we haven't seen a newline, then assume the client is deliberately
+     * sending a too-long command, trying to exploit buffer sizes and make
+     * the server make some possibly bad assumptions.
+     */
+
+    properly_terminated_prev_command = FALSE;
+    errno = E2BIG;
+    return NULL;
+  }
+
+  if (!properly_terminated_prev_command) {
+    properly_terminated_prev_command = TRUE;
+    pr_log_pri(PR_LOG_NOTICE, "client sent too-long command, ignoring");
+    errno = E2BIG;
+    return NULL;
+  }
+
+  properly_terminated_prev_command = TRUE;
   *bp = '\0';
   return buf;
 }
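Review bot: The new too-long-command checks sit only on the path that falls out of the read loop. The earlier return shown as context in the hunk at new line 951 (`*bp = '\0'; return buf;`) hands text back without consulting `saw_newline` or `properly_terminated_prev_command`. Its condition lies outside the diff, but if it is the short-read/EOF case, the unterminated tail of an over-long command would still be returned to the caller as a complete command when the connection closes. Consider guarding that return too, e.g. `if (!properly_terminated_prev_command) return NULL;` ahead of it. Minor: the final `properly_terminated_prev_command = TRUE;` is redundant, because the preceding branch has already returned whenever the flag was FALSE. The function body starts outside this hunk.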


Index: proftpd.spec
===================================================================
RCS file: /cvs/extras/rpms/proftpd/F-9/proftpd.spec,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- proftpd.spec	20 Feb 2008 04:34:40 -0000	1.39
+++ proftpd.spec	2 Jan 2009 12:51:49 -0000	1.40
@@ -1,7 +1,7 @@
 Summary: Flexible, stable and highly-configurable FTP server
 Name: proftpd
 Version: 1.3.1
-Release: 5%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://www.proftpd.org/
@@ -15,6 +15,7 @@
 Source7: proftpd-mod_quotatab_ldap.ldif
 Source8: proftpd-mod_quotatab_ldap.schema
 Patch0: proftpd-1.3.1-find-umode_t.patch
+Patch1: proftpd-1.3.1-csrf.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 Requires: pam >= 0.59
 Requires(post): /sbin/chkconfig
@@ -66,6 +67,7 @@
 %prep
 %setup -q
 %patch0 -p1 -b .find-umode_t
+%patch1 -p1 -b .csrf
 
 
 %build
@@ -84,7 +86,7 @@
     --with-libraries="%{_libdir}/mysql" \
     --with-includes="%{_includedir}/mysql" \
     --with-modules=mod_readme:mod_auth_pam:mod_tls \
-    --with-shared=mod_ldap:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_sql:mod_ifsession
+    --with-shared=mod_ldap:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_sql:mod_ifsession:mod_ban
 
 # It seems that with _smp_mflags -lsupp tries to get linked before being built
 # (as of 1.3.0a-4 F7/devel with koji, happened on F8 x86_64 and F7 ppc64)
@@ -161,6 +163,7 @@
 %{_bindir}/*
 %exclude %{_includedir}/proftpd/
 %dir %{_libexecdir}/proftpd/
+%{_libexecdir}/proftpd/mod_ban.so
 %{_libexecdir}/proftpd/mod_ifsession.so
 %{_libexecdir}/proftpd/mod_quotatab.so
 %{_libexecdir}/proftpd/mod_quotatab_file.so
@@ -195,7 +198,13 @@
 
 
 %changelog
-* Tue Feb 19 2008 Fedora Release Engineering <rel-eng at fedoraproject.org> - 1.3.1-5
+* Fri Jan  2 2009 Matthias Saou <http://freshrpms.net/> 1.3.1-7
+- Add Debian patch to fix CSRF vulnerability (#464127, upstream #3115).
+
+* Fri Aug  8 2008 Matthias Saou <http://freshrpms.net/> 1.3.1-6
+- Add mod_ban support (#457289, Philip Prindeville).
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng at fedoraproject.org>
 - Autorebuild for GCC 4.3
 
 * Wed Feb 13 2008 Matthias Saou <http://freshrpms.net/> 1.3.1-4



