From beech@alaskaparadise.com  Tue Dec 12 00:42:16 2006
Return-Path: <beech@alaskaparadise.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 9385416A4AB
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 12 Dec 2006 00:42:16 +0000 (UTC)
	(envelope-from beech@alaskaparadise.com)
Received: from stargate.alaskaparadise.com (114-103-74-65.gci.net [65.74.103.114])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7297943D76
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 12 Dec 2006 00:27:07 +0000 (GMT)
	(envelope-from beech@alaskaparadise.com)
Received: from stargate.alaskaparadise.com (stargate.alaskaparadise.com [65.74.103.114])
	by stargate.alaskaparadise.com (Postfix) with ESMTP id 68EE3458E;
	Mon, 11 Dec 2006 15:28:25 -0900 (AKST)
Message-Id: <1165883305.44186@stargate.alaskaparadise.com>
Date: Mon, 11 Dec 2006 15:28:25 -0900
From: "Beech Rintoul" <beech@alaskaparadise.com>
To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@freebsd.org>
Cc: beech@alaskaparadise.com
Subject: [PATCH] ftp/proftpd Added security patches
X-Send-Pr-Version: gtk-send-pr 0.4.8 
X-GNATS-Notify:

>Number:         106623
>Category:       ports
>Synopsis:       [PATCH] ftp/proftpd Added security patches
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 12 00:50:11 GMT 2006
>Closed-Date:    Tue Dec 12 16:08:27 GMT 2006
>Last-Modified:  Tue Dec 12 16:10:03 GMT 2006
>Originator:     Beech Rintoul
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
Alaska Paradise 
>Environment:


System: FreeBSD 7.0-CURRENT #89: Mon Dec 11 01:37:41 AKST 2006
    root@stargate.alaskaparadise.com:/usr/obj/usr/src/sys/STARGATE



>Description:


Added two security patches
Bumped PORTREVISION


>How-To-Repeat:





>Fix:


diff -ruN --exclude=CVS /usr/ports/ftp/proftpd.orig/Makefile /usr/ports/ftp/proftpd/Makefile
--- /usr/ports/ftp/proftpd.orig/Makefile	Wed Nov 15 15:59:43 2006
+++ /usr/ports/ftp/proftpd/Makefile	Mon Dec 11 15:18:53 2006
@@ -7,7 +7,7 @@
 
 PORTNAME=	proftpd
 DISTVERSION=	1.3.0
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	ftp
 MASTER_SITES=	ftp://ftp.proftpd.org/distrib/source/ \
 		ftp://ftp.fastorama.com/mirrors/ftp.proftpd.org/distrib/source/ \
diff -ruN --exclude=CVS /usr/ports/ftp/proftpd.orig/files/patch-mod_tls.c /usr/ports/ftp/proftpd/files/patch-mod_tls.c
--- /usr/ports/ftp/proftpd.orig/files/patch-mod_tls.c	Wed Dec 31 14:00:00 1969
+++ /usr/ports/ftp/proftpd/files/patch-mod_tls.c	Mon Dec 11 15:13:16 2006
@@ -0,0 +1,38 @@
+diff -u -r1.100 mod_tls.c
+--- contrib/mod_tls.c	29 Nov 2006 03:47:56 -0000	1.100
++++ contrib/mod_tls.c	29 Nov 2006 04:09:06 -0000
+@@ -3103,17 +3103,25 @@
+   long datalen = 0;
+   int ok;
+    
+-  if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
+-     datalen = BIO_get_mem_data(mem, &data);
++  ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE);
++  if (ok) {
++    datalen = BIO_get_mem_data(mem, &data);
+ 
+-  if (data) {
+-    memset(&buf, '\0', sizeof(buf));
+-    memcpy(buf, data, datalen);
+-    buf[datalen] = '\0';
+-    buf[sizeof(buf)-1] = '\0';
++    if (data) {
++      memset(&buf, '\0', sizeof(buf));
+ 
+-    BIO_free(mem);
+-    return buf;
++      if (datalen >= sizeof(buf)) {
++        datalen = sizeof(buf)-1;
++      }
++
++      memcpy(buf, data, datalen);
++
++      buf[datalen] = '\0';
++      buf[sizeof(buf)-1] = '\0';
++
++      BIO_free(mem);
++      return buf;
++    }
+   }
+ 
+   BIO_free(mem);
diff -ruN --exclude=CVS /usr/ports/ftp/proftpd.orig/files/patch-support.c /usr/ports/ftp/proftpd/files/patch-support.c
--- /usr/ports/ftp/proftpd.orig/files/patch-support.c	Wed Dec 31 14:00:00 1969
+++ /usr/ports/ftp/proftpd/files/patch-support.c	Mon Dec 11 15:05:40 2006
@@ -0,0 +1,79 @@
+--- src/support.c	2005/09/28 02:06:26	1.78
++++ src/support.c	2006/11/27 14:49:47	1.80
+@@ -27,7 +27,7 @@
+ /* Various basic support routines for ProFTPD, used by all modules
+  * and not specific to one or another.
+  *
+- * $Id: support.c,v 1.78 2005/09/28 02:06:26 castaglia Exp $
++ * $Id: support.c,v 1.80 2006/11/27 14:49:47 jwm Exp $
+  */
+ 
+ #include "conf.h"
+@@ -632,7 +632,8 @@
+   char **mptr,**rptr;
+   char *marr[33],*rarr[33];
+   char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
+-  size_t mlen = 0, rlen = 0, blen;
++  size_t mlen = 0, rlen = 0;
++  int blen;
+   int dyn = TRUE;
+ 
+   cp = buf;
+@@ -646,7 +647,7 @@
+ 
+   while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
+     char *tmp = NULL;
+-    size_t count = 0;
++    int count = 0;
+ 
+     if ((r = va_arg(args, char *)) == NULL)
+       break;
+@@ -659,6 +660,12 @@
+     while (tmp) {
+       pr_signals_handle();
+       count++;
++      if (count < 0) {
++        /* Integer overflow. In order to overflow integer range with a count
++         * of escapes, somebody must be doing something very strange.
++         */
++        return s;
++      }
+ 
+       /* Be sure to increment the pointer returned by strstr(3), to
+        * advance past the beginning of the substring for which we are
+@@ -674,6 +681,12 @@
+      */
+     if (count) {
+       blen += count * (strlen(r) - strlen(m));
++      if (blen < 0) {
++        /* Integer overflow. In order to overflow this, somebody must be
++         * doing something very strange.
++         */
++        return s;
++      }
+       marr[mlen] = m;
+       rarr[mlen++] = r;
+     }
+@@ -722,10 +735,11 @@
+     }
+ 
+     if (!*mptr) {
+-      if ((cp - pbuf + 1) > blen) {
++      if ((cp - pbuf + 1) >= blen) {
+ 	pr_log_pri(PR_LOG_ERR,
+ 		"WARNING: attempt to overflow internal ProFTPD buffers");
+ 	cp = pbuf + blen - 1;
++	goto done;
+       }
+       *cp++ = *src++;
+     }
+@@ -768,6 +782,9 @@
+ char *sstrcat(char *dest, const char *src, size_t n) {
+   register char *d;
+ 
++  if (n == 0)
++    return NULL;
++
+   for (d = dest; *d && n > 1; d++, n--) ;
+ 
+   while (n-- > 1 && *src)



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Tue Dec 12 15:56:09 UTC 2006 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106623 
State-Changed-From-To: open->closed 
State-Changed-By: delphij 
State-Changed-When: Tue Dec 12 16:08:16 UTC 2006 
State-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=106623 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/106623: commit references a PR
Date: Tue, 12 Dec 2006 16:08:21 +0000 (UTC)

 delphij     2006-12-12 16:08:09 UTC
 
   FreeBSD ports repository
 
   Modified files:
     ftp/proftpd          Makefile 
   Added files:
     ftp/proftpd/files    patch-mod_tls.c patch-support.c 
   Log:
   Add two security patches:
           patch-support.c: fixes CVE-2006-5815 remote code execution
           patch-mod_tls.c: fixes Bug#2860 Failure to check for data
                            length in mod_tls could lead to remote
                            buffer overwriting.
   
   Submitted by:   maintainer
   PR:             ports/106623
   
   Revision  Changes    Path
   1.93      +1 -1      ports/ftp/proftpd/Makefile
   1.1       +38 -0     ports/ftp/proftpd/files/patch-mod_tls.c (new)
   1.1       +79 -0     ports/ftp/proftpd/files/patch-support.c (new)
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
