From rea@codelabs.ru  Fri Aug 24 20:36:08 2012
Return-Path: <rea@codelabs.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3128F106564A;
	Fri, 24 Aug 2012 20:36:08 +0000 (UTC)
	(envelope-from rea@codelabs.ru)
Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.6.71])
	by mx1.freebsd.org (Postfix) with ESMTP id D2F638FC0C;
	Fri, 24 Aug 2012 20:36:07 +0000 (UTC)
Received: from void.codelabs.ru (void.codelabs.ru [144.206.6.66])
	by 0.mx.codelabs.ru with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	id 1T50bt-0001SS-3R; Sat, 25 Aug 2012 00:36:06 +0400
Message-Id: <20120824203604.8E390DA81F@void.codelabs.ru>
Date: Sat, 25 Aug 2012 00:36:04 +0400 (MSK)
From: Eygene Ryabinkin <rea@freebsd.org>
Reply-To: Eygene Ryabinkin <rea@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: fluffy@FreeBSD.org
Subject: [vuxml][patch] news/inn: fix plaintext command injection
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         171013
>Category:       ports
>Synopsis:       [vuxml][patch] news/inn: fix plaintext command injection
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    fluffy
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 24 20:40:00 UTC 2012
>Closed-Date:    Sun Aug 26 17:57:50 UTC 2012
>Last-Modified:  Sun Aug 26 17:57:50 UTC 2012
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 10.0-CURRENT amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 10.0-CURRENT amd64

>Description:

INN developers report that version 2.5.3 fixes plaintext command
injection after the channel has been TLSized:
  http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html

>How-To-Repeat:

Look at
 - http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html
 - https://www.isc.org/software/inn/2.5.3article

>Fix:

I have extracted the minimal patch from the full one that upgrades
from 2.5.2 to 2.5.3:
  http://codelabs.ru/fbsd/ports/inn/inn-2.5.2-fix-cve-2012-3523.diff

I have checked only the buildability of the patched port and see no problems.
I have no INN setup at hand to test the functionality, sorry.

If you take the route of adding this minimal patch, the VuXML version
specification in a7975581-ee26-11e1-8bd8-0022156e8794 must be changed
from "2.5.3" to "2.5.2_2".
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->fluffy 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Fri Aug 24 20:40:15 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171013 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/171013: commit references a PR
Date: Sun, 26 Aug 2012 17:33:27 +0000 (UTC)

 Author: rea
 Date: Sun Aug 26 17:33:12 2012
 New Revision: 303194
 URL: http://svn.freebsd.org/changeset/ports/303194
 
 Log:
   news/inn: fix plaintext command injection, CVE-2012-3523
   
   Relevant only for INN installations that are using encryption.
   
   PR:		171013
   Approved by:	fluffy@FreeBSD.org (maintainer)
   Security:	http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html
 
 Added:
   head/news/inn/files/patch-cve-2012-3523-minimal   (contents, props changed)
 Modified:
   head/news/inn/Makefile
   head/security/vuxml/vuln.xml
 
 Modified: head/news/inn/Makefile
 ==============================================================================
 --- head/news/inn/Makefile	Sun Aug 26 17:09:37 2012	(r303193)
 +++ head/news/inn/Makefile	Sun Aug 26 17:33:12 2012	(r303194)
 @@ -7,7 +7,7 @@
  
  PORTNAME?=	inn
  PORTVERSION?=	2.5.2
 -PORTREVISION?=	1
 +PORTREVISION?=	2
  CATEGORIES=	news ipv6
  # Master distribution broken
  #MASTER_SITES?=	${MASTER_SITE_ISC}
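Review bot: the PORTREVISION bump from 1 to 2 is required here because the package contents change while PORTVERSION stays at 2.5.2, and it is what gives the `<lt>2.5.2_2</lt>` threshold used in the VuXML entry its meaning; nothing else is needed in this hunk.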
 
 Added: head/news/inn/files/patch-cve-2012-3523-minimal
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/news/inn/files/patch-cve-2012-3523-minimal	Sun Aug 26 17:33:12 2012	(r303194)
 @@ -0,0 +1,61 @@
 +Fixes CVE-2012-3523.  This is a stripped down version of 2.5.2 -> 2.5.3
 +patch that adds line_reset() to the relevant places.
 +
 +Obtained-from: ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz
 +diff -Nurp inn-2.5.2/nnrpd/line.c inn-2.5.3/nnrpd/line.c
 +--- nnrpd/line.c	2010-03-24 13:10:36.000000000 -0700
 ++++ nnrpd/line.c	2012-06-15 11:25:36.000000000 -0700
 +@@ -66,6 +66,17 @@ line_init(struct line *line)
 +     line->remaining = 0;
 + }
 + 
 ++/*
 ++**  Reset a line structure.
 ++*/
 ++void
 ++line_reset(struct line *line)
 ++{
 ++    assert(line);
 ++    line->where = line->start;
 ++    line->remaining = 0;
 ++}
 ++
 + /*
 + **  Timeout is used only if HAVE_SSL is defined.
 + */
 +diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c
 +--- nnrpd/misc.c	2010-03-24 13:10:36.000000000 -0700
 ++++ nnrpd/misc.c	2012-06-15 11:25:36.000000000 -0700
 +@@ -518,5 +518,8 @@ CMDstarttls(int ac UNUSED, char *av[] UN
 +         GRPcount = 0;
 +         PERMgroupmadeinvalid = false;
 +     }
 ++
 ++    /* Reset our read buffer so as to prevent plaintext command injection. */
 ++    line_reset(&NNTPline);
 + }
 + #endif /* HAVE_SSL */
 +diff -Nurp inn-2.5.2/nnrpd/nnrpd.h inn-2.5.3/nnrpd/nnrpd.h
 +--- nnrpd/nnrpd.h	2010-03-24 13:10:36.000000000 -0700
 ++++ nnrpd/nnrpd.h	2012-06-15 11:25:36.000000000 -0700
 +@@ -292,6 +292,7 @@ void PY_dynamic_init (char* file);
 + 
 + void line_free(struct line *);
 + void line_init(struct line *);
 ++void line_reset(struct line *);
 + READTYPE line_read(struct line *, int, const char **, size_t *, size_t *);
 + 
 + #ifdef HAVE_SASL
 +diff -Nurp inn-2.5.2/nnrpd/sasl.c inn-2.5.3/nnrpd/sasl.c
 +--- nnrpd/sasl.c	2010-03-24 13:10:36.000000000 -0700
 ++++ nnrpd/sasl.c	2012-06-15 11:25:36.000000000 -0700
 +@@ -326,6 +326,9 @@ SASLauth(int ac, char *av[])
 +                 GRPcount = 0;
 +                 PERMgroupmadeinvalid = false;
 +             }
 ++
 ++            /* Reset our read buffer so as to prevent plaintext command injection. */
 ++            line_reset(&NNTPline);
 +         }
 +     } else {
 + 	/* Failure. */
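Review bot: in the misc.c part of the added file, the hunk header `@@ -518,5 +518,8 @@ CMDstarttls` shows only the tail of CMDstarttls, so it is not visible whether the new `line_reset(&NNTPline);` executes only after a successful TLS handshake or also when the handshake fails. The sasl.c part places the reset inside the success branch (indented with the `GRPcount = 0;` / `PERMgroupmadeinvalid = false;` block), and the STARTTLS path should be confirmed to reset on the success path too, since that is the case CVE-2012-3523 depends on; discarding buffered bytes on failure is harmless. A smaller point: the new line_reset() calls `assert(line)`, so line.c must already include <assert.h>, which this stripped-down patch does not add.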
 
 Modified: head/security/vuxml/vuln.xml
 ==============================================================================
 --- head/security/vuxml/vuln.xml	Sun Aug 26 17:09:37 2012	(r303193)
 +++ head/security/vuxml/vuln.xml	Sun Aug 26 17:33:12 2012	(r303194)
 @@ -163,7 +163,7 @@ Note:  Please add new entries to the beg
      <affects>
        <package>
          <name>inn</name>
 -        <range><lt>2.5.3</lt></range>
 +        <range><lt>2.5.2_2</lt></range>
        </package>
      </affects>
      <description>
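Review bot: narrowing the range to `<lt>2.5.2_2</lt>` is consistent with the PORTREVISION bump in the Makefile hunk and still classifies a future 2.5.3 import as fixed, but the hunk touches only `<range>` and does not show the entry's `<modified>` date being updated; when an existing VuXML entry is edited, the `<modified>` element in its `<dates>` block should be bumped so consumers notice the changed threshold.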
 _______________________________________________
 svn-ports-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-ports-all
 To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
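As an added illustration, not code from INN or from this PR, the following C model shows what the line_reset() calls in the committed patch protect against: a client that pipelines a command behind STARTTLS in the same plaintext segment. The struct, the line parser and the input are simplified stand-ins constructed for this example, not nnrpd's real implementation; the reset_on_starttls flag switches between the pre-fix and post-fix behaviour.

```c
#include <string.h>

/* Simplified stand-in for nnrpd's struct line: only the fields the patch
 * touches are modelled (an assumption, not INN's real definition). */
struct line { char buf[128]; char *start; char *where; size_t remaining; };

/* Mirrors the line_reset() added by the patch: forget buffered bytes. */
static void line_reset(struct line *l)
{
    l->where = l->start;
    l->remaining = 0;
}

/* Return the next CRLF-terminated command, NUL-terminated in place, or NULL. */
static char *line_next(struct line *l)
{
    char *cmd = l->where;
    char *eol = l->remaining ? memchr(cmd, '\n', l->remaining) : NULL;
    if (eol == NULL)
        return NULL;
    l->remaining -= (size_t)(eol - cmd) + 1;
    l->where = eol + 1;
    if (eol > cmd && eol[-1] == '\r')
        eol--;
    *eol = '\0';
    return cmd;
}

/* One socket read delivers STARTTLS plus a pipelined command (constructed
 * input).  Returns how many commands the server ran after the TLS upgrade
 * even though they arrived in plaintext before it. */
int commands_injected(int reset_on_starttls)
{
    struct line l;
    const char *cmd;
    int tls = 0, injected = 0;
    strcpy(l.buf, "STARTTLS\r\nGROUP alt.test\r\n");   /* constructed input */
    l.start = l.where = l.buf;
    l.remaining = strlen(l.buf);
    while ((cmd = line_next(&l)) != NULL) {
        if (!tls && strcmp(cmd, "STARTTLS") == 0) {
            tls = 1;                /* the TLS handshake would happen here */
            if (reset_on_starttls)
                line_reset(&l);     /* the CVE-2012-3523 fix */
        } else if (tls)
            injected++;             /* plaintext command treated as encrypted */
    }
    return injected;
}
```

Without the reset the GROUP command that was read together with STARTTLS is executed in the "encrypted" state; with the reset the server forgets it and waits for the first command actually sent over TLS.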
 
State-Changed-From-To: open->closed 
State-Changed-By: rea 
State-Changed-When: Sun Aug 26 17:57:01 UTC 2012 
State-Changed-Why:  
Fixed after private approval from Dima Panov, maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171013 
>Unformatted:
