diff options
author | lkundrak <lkundrak@pkgsrc.org> | 2007-06-26 23:25:56 +0000 |
---|---|---|
committer | lkundrak <lkundrak@pkgsrc.org> | 2007-06-26 23:25:56 +0000 |
commit | 37d2bfffbe83f7352a5f807c65f3df15498a57cf (patch) | |
tree | 46c06cd2a1e789385044760a99d25c2761b67ea3 | |
parent | 3916af4b3db048110c34ef3dc7625b6a83472784 (diff) | |
download | pkgsrc-37d2bfffbe83f7352a5f807c65f3df15498a57cf.tar.gz |
Fix for a CVE-2007-2165 security issue grabbed from upstream #2922.
-rw-r--r-- | net/proftpd/Makefile | 4 | ||||
-rw-r--r-- | net/proftpd/distinfo | 5 | ||||
-rw-r--r-- | net/proftpd/patches/patch-ad | 22 | ||||
-rw-r--r-- | net/proftpd/patches/patch-ae | 15 | ||||
-rw-r--r-- | net/proftpd/patches/patch-af | 398 |
5 files changed, 441 insertions, 3 deletions
diff --git a/net/proftpd/Makefile b/net/proftpd/Makefile index 305e1a509d0..1ea9949c24d 100644 --- a/net/proftpd/Makefile +++ b/net/proftpd/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.40 2007/01/24 05:22:01 martti Exp $ +# $NetBSD: Makefile,v 1.41 2007/06/26 23:25:56 lkundrak Exp $ DISTNAME= proftpd-1.3.1rc2 -#PKGREVISION= 1 +PKGREVISION= 1 CATEGORIES= net MASTER_SITES= ftp://ftp.proftpd.org/distrib/source/ \ ftp://ftp.servus.at/ProFTPD/distrib/source/ \ diff --git a/net/proftpd/distinfo b/net/proftpd/distinfo index 44a3bc69914..9d47478287d 100644 --- a/net/proftpd/distinfo +++ b/net/proftpd/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.22 2007/01/13 09:47:38 martti Exp $ +$NetBSD: distinfo,v 1.23 2007/06/26 23:25:56 lkundrak Exp $ SHA1 (proftpd-1.3.1rc2.tar.bz2) = 7db6435707983fe8e865064661cedb159ebc1cf6 RMD160 (proftpd-1.3.1rc2.tar.bz2) = aa928315880cf1e9d1980850ce2bb07193d2ac46 @@ -6,3 +6,6 @@ Size (proftpd-1.3.1rc2.tar.bz2) = 1516464 bytes SHA1 (patch-aa) = d7ad034e763a2bf729c9af669c3094402bdd03b7 SHA1 (patch-ab) = 2b6921efa11884286c022a1da7691fc971d65cca SHA1 (patch-ac) = a73ceb99485ea16a4b008971cba58204b8d3f90d +SHA1 (patch-ad) = 17390cac03e1a3fb8d2ce5f854ad9d239eae40fd +SHA1 (patch-ae) = b7a8ba05a4399438f04d976aa36535e1f02f0c41 +SHA1 (patch-af) = 5f6642a36efe9fdacefed698aba2a86b737dd953 diff --git a/net/proftpd/patches/patch-ad b/net/proftpd/patches/patch-ad new file mode 100644 index 00000000000..3037a0dd23d --- /dev/null +++ b/net/proftpd/patches/patch-ad @@ -0,0 +1,22 @@ +$NetBSD: patch-ad,v 1.3 2007/06/26 23:25:56 lkundrak Exp $ + +Part of fix for CVE-2007-2165 grabbed from upstream #2922. + +--- include/auth.h.orig 2007-06-27 01:13:43.000000000 +0200 ++++ include/auth.h +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server daemon +- * Copyright (c) 2004-2005 The ProFTPD Project team ++ * Copyright (c) 2004-2007 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -86,6 +86,7 @@ int pr_auth_requires_pass(pool *, const + config_rec *pr_auth_get_anon_config(pool *p, char **, char **, char **); + + /* For internal use only. */ ++int init_auth(void); + int set_groups(pool *, gid_t, array_header *); + + #endif /* PR_MODULES_H */ diff --git a/net/proftpd/patches/patch-ae b/net/proftpd/patches/patch-ae new file mode 100644 index 00000000000..8cc112c326f --- /dev/null +++ b/net/proftpd/patches/patch-ae @@ -0,0 +1,15 @@ +$NetBSD: patch-ae,v 1.3 2007/06/26 23:25:56 lkundrak Exp $ + +Part of fix for CVE-2007-2165 grabbed from upstream #2922. + +--- modules/mod_core.c.orig 2007-06-27 01:13:50.000000000 +0200 ++++ modules/mod_core.c +@@ -4444,6 +4444,8 @@ static int core_sess_init(void) { + config_rec *c = NULL; + unsigned int *debug_level = NULL; + ++ init_auth(); ++ + /* Check for a server-specific TimeoutIdle. */ + c = find_config(main_server->conf, CONF_PARAM, "TimeoutIdle", FALSE); + if (c != NULL) diff --git a/net/proftpd/patches/patch-af b/net/proftpd/patches/patch-af new file mode 100644 index 00000000000..c4e35306d45 --- /dev/null +++ b/net/proftpd/patches/patch-af @@ -0,0 +1,398 @@ +$NetBSD: patch-af,v 1.1 2007/06/26 23:25:56 lkundrak Exp $ + +Part of fix for CVE-2007-2165 grabbed from upstream #2922. + +--- src/auth.c.orig 2007-06-27 01:13:58.000000000 +0200 ++++ src/auth.c +@@ -2,7 +2,7 @@ + * ProFTPD - FTP server daemon + * Copyright (c) 1997, 1998 Public Flood Software + * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <macgyver@tos.net> +- * Copyright (c) 2001-2006 The ProFTPD Project team ++ * Copyright (c) 2001-2007 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -30,6 +30,10 @@ + + #include "conf.h" + ++static pool *auth_pool = NULL; ++static pr_table_t *auth_tab = NULL; ++static const char *trace_channel = "auth"; ++ + /* The difference between this function, and pr_cmd_alloc(), is that this + * allocates the cmd_rec directly from the given pool, whereas pr_cmd_alloc() + * will allocate a subpool from the given pool, and allocate its cmd_rec +@@ -63,7 +67,7 @@ static cmd_rec *make_cmd(pool *cp, int a + return c; + } + +-static modret_t *dispatch_auth(cmd_rec *cmd, char *match) { ++static modret_t *dispatch_auth(cmd_rec *cmd, char *match, module **m) { + authtable *start_tab = NULL, *iter_tab = NULL; + modret_t *mr = NULL; + +@@ -74,7 +78,12 @@ static modret_t *dispatch_auth(cmd_rec * + while (iter_tab) { + pr_signals_handle(); + +- pr_trace_msg("auth", 6, "dispatching auth request \"%s\" to module mod_%s", ++ if (m && *m && *m != iter_tab->m) { ++ goto next; ++ } ++ ++ pr_trace_msg(trace_channel, 6, ++ "dispatching auth request \"%s\" to module mod_%s", + match, iter_tab->m->name); + + mr = call_module(iter_tab->m, iter_tab->handler, cmd); +@@ -83,9 +92,19 @@ static modret_t *dispatch_auth(cmd_rec * + break; + + if (MODRET_ISHANDLED(mr) || +- MODRET_ISERROR(mr)) ++ MODRET_ISERROR(mr)) { ++ ++ /* Return a pointer, if requested, to the module which answered the ++ * auth request. This is used, for example, by auth_getpwnam() for ++ * associating the answering auth module with the data looked up. ++ */ ++ if (m) ++ *m = iter_tab->m; ++ + break; ++ } + ++ next: + iter_tab = pr_stash_get_symbol(PR_SYM_AUTH, match, iter_tab, + &cmd->stash_index); + +@@ -106,7 +125,7 @@ void pr_auth_setpwent(pool *p) { + modret_t *mr = NULL; + + cmd = make_cmd(p, 0); +- mr = dispatch_auth(cmd, "setpwent"); ++ mr = dispatch_auth(cmd, "setpwent", NULL); + + if (cmd->tmp_pool) { + destroy_pool(cmd->tmp_pool); +@@ -121,13 +140,20 @@ void pr_auth_endpwent(pool *p) { + modret_t *mr = NULL; + + cmd = make_cmd(p, 0); +- mr = dispatch_auth(cmd, "endpwent"); ++ mr = dispatch_auth(cmd, "endpwent", NULL); + + if (cmd->tmp_pool) { + destroy_pool(cmd->tmp_pool); + cmd->tmp_pool = NULL; + } + ++ if (auth_tab) { ++ pr_trace_msg(trace_channel, 5, "emptying authcache"); ++ (void) pr_table_empty(auth_tab); ++ (void) pr_table_free(auth_tab); ++ auth_tab = NULL; ++ } ++ + return; + } + +@@ -136,7 +162,7 @@ void pr_auth_setgrent(pool *p) { + modret_t *mr = NULL; + + cmd = make_cmd(p, 0); +- mr = dispatch_auth(cmd, "setgrent"); ++ mr = dispatch_auth(cmd, "setgrent", NULL); + + if (cmd->tmp_pool) { + destroy_pool(cmd->tmp_pool); +@@ -151,7 +177,7 @@ void pr_auth_endgrent(pool *p) { + modret_t *mr = NULL; + + cmd = make_cmd(p, 0); +- mr = dispatch_auth(cmd, "endgrent"); ++ mr = dispatch_auth(cmd, "endgrent", NULL); + + if (cmd->tmp_pool) { + destroy_pool(cmd->tmp_pool); +@@ -167,7 +193,7 @@ struct passwd *pr_auth_getpwent(pool *p) + struct passwd *res = NULL; + + cmd = make_cmd(p, 0); +- mr = dispatch_auth(cmd, "getpwent"); ++ mr = dispatch_auth(cmd, "getpwent", NULL); + + if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) + res = mr->data; +@@ -201,7 +227,7 @@ struct group *pr_auth_getgrent(pool *p) + struct group *res = NULL; + + cmd = make_cmd(p, 0); +- mr = dispatch_auth(cmd, "getgrent"); ++ mr = dispatch_auth(cmd, "getgrent", NULL); + + if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) + res = mr->data; +@@ -228,11 +254,13 @@ struct passwd *pr_auth_getpwnam(pool *p, + cmd_rec *cmd = NULL; + modret_t *mr = NULL; + struct passwd *res = NULL; ++ module *m = NULL; + + cmd = make_cmd(p, 1, name); +- mr = dispatch_auth(cmd, "getpwnam"); ++ mr = dispatch_auth(cmd, "getpwnam", &m); + +- if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) ++ if (MODRET_ISHANDLED(mr) && ++ MODRET_HASDATA(mr)) + res = mr->data; + + if (cmd->tmp_pool) { +@@ -257,6 +285,46 @@ struct passwd *pr_auth_getpwnam(pool *p, + return NULL; + } + ++ if (!auth_tab && auth_pool) { ++ auth_tab = pr_table_alloc(auth_pool, 0); ++ } ++ ++ if (m && auth_tab) { ++ int count = 0; ++ void *value = NULL; ++ ++ value = palloc(auth_pool, sizeof(module *)); ++ *((module **) value) = m; ++ ++ count = pr_table_exists(auth_tab, name); ++ if (count <= 0) { ++ if (pr_table_add(auth_tab, pstrdup(auth_pool, name), value, ++ sizeof(module *)) < 0) { ++ pr_trace_msg(trace_channel, 3, ++ "error adding module 'mod_%s.c' for user '%s' to the authcache: %s", ++ m->name, name, strerror(errno)); ++ ++ } else { ++ pr_trace_msg(trace_channel, 5, ++ "stashed module 'mod_%s.c' for user '%s' in the authcache", ++ m->name, name); ++ } ++ ++ } else { ++ if (pr_table_set(auth_tab, pstrdup(auth_pool, name), value, ++ sizeof(module *)) < 0) { ++ pr_trace_msg(trace_channel, 3, ++ "error setting module 'mod_%s.c' for user '%s' in the authcache: %s", ++ m->name, name, strerror(errno)); ++ ++ } else { ++ pr_trace_msg(trace_channel, 5, ++ "stashed module 'mod_%s.c' for user '%s' in the authcache", ++ m->name, name); ++ } ++ } ++ } ++ + pr_log_debug(DEBUG10, "retrieved UID %lu for user '%s'", + (unsigned long) res->pw_uid, name); + return res; +@@ -268,7 +336,7 @@ struct passwd *pr_auth_getpwuid(pool *p, + struct passwd *res = NULL; + + cmd = make_cmd(p, 1, (void *) &uid); +- mr = dispatch_auth(cmd, "getpwuid"); ++ mr = dispatch_auth(cmd, "getpwuid", NULL); + + if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) + res = mr->data; +@@ -306,7 +374,7 @@ struct group *pr_auth_getgrnam(pool *p, + struct group *res = NULL; + + cmd = make_cmd(p, 1, name); +- mr = dispatch_auth(cmd, "getgrnam"); ++ mr = dispatch_auth(cmd, "getgrnam", NULL); + + if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) + res = mr->data; +@@ -339,7 +407,7 @@ struct group *pr_auth_getgrgid(pool *p, + struct group *res = NULL; + + cmd = make_cmd(p, 1, (void *) &gid); +- mr = dispatch_auth(cmd, "getgrgid"); ++ mr = dispatch_auth(cmd, "getgrgid", NULL); + + if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) + res = mr->data; +@@ -369,10 +437,51 @@ struct group *pr_auth_getgrgid(pool *p, + int pr_auth_authenticate(pool *p, const char *name, const char *pw) { + cmd_rec *cmd = NULL; + modret_t *mr = NULL; ++ module *m = NULL; + int res = PR_AUTH_NOPWD; + + cmd = make_cmd(p, 2, name, pw); +- mr = dispatch_auth(cmd, "auth"); ++ ++ /* First, check for the mod_auth_pam.c module. ++ * ++ * PAM is a bit of hack in this Auth API, because PAM only provides ++ * yes/no checks, and is not a source of user information. ++ */ ++ m = pr_module_get("mod_auth_pam.c"); ++ if (m) { ++ mr = dispatch_auth(cmd, "auth", &m); ++ ++ if (MODRET_ISHANDLED(mr)) { ++ pr_trace_msg(trace_channel, 4, ++ "module 'mod_auth_pam.c' used for authenticating user '%s'", name); ++ ++ res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK; ++ ++ if (cmd->tmp_pool) { ++ destroy_pool(cmd->tmp_pool); ++ cmd->tmp_pool = NULL; ++ } ++ ++ return res; ++ } ++ ++ m = NULL; ++ } ++ ++ if (auth_tab) { ++ ++ /* Fetch the specific module to be used for authenticating this user. */ ++ void *v = pr_table_get(auth_tab, name, NULL); ++ if (v) { ++ m = *((module **) v); ++ ++ pr_trace_msg(trace_channel, 4, ++ "using module 'mod_%s.c' from authcache to authenticate user '%s'", ++ m->name, name); ++ } ++ } ++ ++ mr = dispatch_auth(cmd, "auth", m ? &m : NULL); + + if (MODRET_ISHANDLED(mr)) + res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK; +@@ -391,10 +500,51 @@ int pr_auth_authenticate(pool *p, const + int pr_auth_check(pool *p, const char *cpw, const char *name, const char *pw) { + cmd_rec *cmd = NULL; + modret_t *mr = NULL; ++ module *m = NULL; + int res = PR_AUTH_BADPWD; + + cmd = make_cmd(p, 3, cpw, name, pw); +- mr = dispatch_auth(cmd, "check"); ++ ++ /* First, check for the mod_auth_pam.c module. ++ * ++ * PAM is a bit of hack in this Auth API, because PAM only provides ++ * yes/no checks, and is not a source of user information. ++ */ ++ m = pr_module_get("mod_auth_pam.c"); ++ if (m) { ++ mr = dispatch_auth(cmd, "check", &m); ++ ++ if (MODRET_ISHANDLED(mr)) { ++ pr_trace_msg(trace_channel, 4, ++ "module 'mod_auth_pam.c' used for authenticating user '%s'", name); ++ ++ res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK; ++ ++ if (cmd->tmp_pool) { ++ destroy_pool(cmd->tmp_pool); ++ cmd->tmp_pool = NULL; ++ } ++ ++ return res; ++ } ++ ++ m = NULL; ++ } ++ ++ if (auth_tab) { ++ ++ /* Fetch the specific module to be used for authenticating this user. */ ++ void *v = pr_table_get(auth_tab, name, NULL); ++ if (v) { ++ m = *((module **) v); ++ ++ pr_trace_msg(trace_channel, 4, ++ "using module 'mod_%s.c' from authcache to authenticate user '%s'", ++ m->name, name); ++ } ++ } ++ ++ mr = dispatch_auth(cmd, "check", m ? &m : NULL); + + if (MODRET_ISHANDLED(mr)) + res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK; +@@ -413,7 +563,7 @@ int pr_auth_requires_pass(pool *p, const + int res = TRUE; + + cmd = make_cmd(p, 1, name); +- mr = dispatch_auth(cmd, "requires_pass"); ++ mr = dispatch_auth(cmd, "requires_pass", NULL); + + if (MODRET_ISHANDLED(mr)) + res = FALSE; +@@ -438,7 +588,7 @@ const char *pr_auth_uid2name(pool *p, ui + memset(namebuf, '\0', sizeof(namebuf)); + + cmd = make_cmd(p, 1, (void *) &uid); +- mr = dispatch_auth(cmd, "uid2name"); ++ mr = dispatch_auth(cmd, "uid2name", NULL); + + if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) { + res = mr->data; +@@ -463,7 +613,7 @@ const char *pr_auth_gid2name(pool *p, gi + memset(namebuf, '\0', sizeof(namebuf)); + + cmd = make_cmd(p, 1, (void *) &gid); +- mr = dispatch_auth(cmd, "gid2name"); ++ mr = dispatch_auth(cmd, "gid2name", NULL); + + if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) { + res = mr->data; +@@ -485,7 +635,7 @@ uid_t pr_auth_name2uid(pool *p, const ch + uid_t res = (uid_t) -1; + + cmd = make_cmd(p, 1, name); +- mr = dispatch_auth(cmd, "name2uid"); ++ mr = dispatch_auth(cmd, "name2uid", NULL); + + if (MODRET_ISHANDLED(mr)) + res = *((uid_t *) mr->data); +@@ -506,7 +656,7 @@ gid_t pr_auth_name2gid(pool *p, const ch + gid_t res = (gid_t) -1; + + cmd = make_cmd(p, 1, name); +- mr = dispatch_auth(cmd, "name2gid"); ++ mr = dispatch_auth(cmd, "name2gid", NULL); + + if (MODRET_ISHANDLED(mr)) + res = *((gid_t *) mr->data); +@@ -538,7 +688,7 @@ int pr_auth_getgroups(pool *p, const cha + cmd = make_cmd(p, 3, name, group_ids ? *group_ids : NULL, + group_names ? *group_names : NULL); + +- mr = dispatch_auth(cmd, "getgroups"); ++ mr = dispatch_auth(cmd, "getgroups", NULL); + + if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) { + res = *((int *) mr->data); +@@ -832,3 +982,10 @@ int set_groups(pool *p, gid_t primary_gi + return res; + } + ++/* Internal use only. To be called in the session process. */ ++int init_auth(void) { ++ auth_pool = make_sub_pool(permanent_pool); ++ pr_pool_tag(auth_pool, "Auth API"); ++ ++ return 0; ++} |