Subject: pkg/35272: patch for CVE-2006-5815 bug in proftpd package
To: None <pkg-manager@netbsd.org, gnats-admin@netbsd.org,>
From: None <cedric.devillers@script.univ-paris7.fr>
List: pkgsrc-bugs
Date: 12/18/2006 10:10:00
>Number: 35272
>Category: pkg
>Synopsis: patch for CVE-2006-5815 bug in proftpd package
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Dec 18 10:10:00 +0000 2006
>Originator: Cedric DEVILLERS
>Release: NetBSD 3.0.2
>Organization:
University Paris VII
>Environment:
NetBSD 3.0.2 (GENERIC.MPACPI) #0: Wed Nov 1 00:47:00 UTC 2006 builds@b1.netbsd.org:/home/builds/ab/netbsd-3-0-2-RELEASE/i386/200610311952Z-obj/home/builds/ab/netbsd-3-0-2-RELEASE/src/sys/arch/i386/compile/GENERIC.MPACPI i386
>Description:
It's just a patch for the proftpd bug reference by CVE-2006-5815 for the proftpd package version 1.3.0nb2 because version 1.3.1rc1 not in pkgsrc-2006Q3 branche.
>How-To-Repeat:
>Fix:
--------- Patch -- cut here ---------
--- src/support.c.orig 2005-09-28 02:06:26.000000000 +0000
+++ src/support.c
@@ -27,7 +27,7 @@
/* Various basic support routines for ProFTPD, used by all modules
* and not specific to one or another.
*
- * $Id: support.c,v 1.78 2005/09/28 02:06:26 castaglia Exp $
+ * $Id: support.c,v 1.80 2006/11/27 14:49:47 jwm Exp $
*/
#include "conf.h"
@@ -632,7 +632,8 @@
char **mptr,**rptr;
char *marr[33],*rarr[33];
char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
- size_t mlen = 0, rlen = 0, blen;
+ size_t mlen = 0, rlen = 0;
+ int blen;
int dyn = TRUE;
cp = buf;
@@ -646,7 +647,7 @@
while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
char *tmp = NULL;
- size_t count = 0;
+ int count = 0;
if ((r = va_arg(args, char *)) == NULL)
break;
@@ -659,6 +660,12 @@
while (tmp) {
pr_signals_handle();
count++;
+ if (count < 0) {
+ /* Integer overflow. In order to overflow integer range with a count
+ * of escapes, somebody must be doing something very strange.
+ */
+ return s;
+ }
/* Be sure to increment the pointer returned by strstr(3), to
* advance past the beginning of the substring for which we are
@@ -674,6 +681,12 @@
*/
if (count) {
blen += count * (strlen(r) - strlen(m));
+ if (blen < 0) {
+ /* Integer overflow. In order to overflow this, somebody must be
+ * doing something very strange.
+ */
+ return s;
+ }
marr[mlen] = m;
rarr[mlen++] = r;
}
@@ -722,10 +735,11 @@
}
if (!*mptr) {
- if ((cp - pbuf + 1) > blen) {
+ if ((cp - pbuf + 1) >= blen) {
pr_log_pri(PR_LOG_ERR,
"WARNING: attempt to overflow internal ProFTPD buffers");
cp = pbuf + blen - 1;
+ goto done;
}
*cp++ = *src++;
}
@@ -768,6 +782,9 @@
char *sstrcat(char *dest, const char *src, size_t n) {
register char *d;
+ if (n == 0)
+ return NULL;
+
for (d = dest; *d && n > 1; d++, n--) ;
while (n-- > 1 && *src)