authorwennmach <wennmach@pkgsrc.org>2004-02-09 09:17:50 +0000
committerwennmach <wennmach@pkgsrc.org>2004-02-09 09:17:50 +0000
commit5f7d52bda13b9444c58aebdebfecdee32b03165d (patch)
treeab1584cfb764090cca1037b4d6d47299daebc561 /misc/jitterbug
parentb0b64d82cf57c6a76170e2dc1c6201d879d56348 (diff)
Add security fix for CAN-2004-0028 based on the patches provided
by the Debian project.
Diffstat (limited to 'misc/jitterbug')
-rw-r--r--misc/jitterbug/Makefile3
-rw-r--r--misc/jitterbug/distinfo6
-rw-r--r--misc/jitterbug/patches/patch-ab143
-rw-r--r--misc/jitterbug/patches/patch-ac173
-rw-r--r--misc/jitterbug/patches/patch-ad56
-rw-r--r--misc/jitterbug/patches/patch-ae18
6 files changed, 397 insertions, 2 deletions
diff --git a/misc/jitterbug/Makefile b/misc/jitterbug/Makefile
index 35af56e35a2..27b879585be 100644
--- a/misc/jitterbug/Makefile
+++ b/misc/jitterbug/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.23 2004/01/20 12:21:02 agc Exp $
+# $NetBSD: Makefile,v 1.24 2004/02/09 09:17:50 wennmach Exp $
DISTNAME= jitterbug-1.6.2
+PKGREVISION= 1
CATEGORIES= misc
MASTER_SITES= ftp://jitterbug.samba.org/pub/jitterbug/
diff --git a/misc/jitterbug/distinfo b/misc/jitterbug/distinfo
index 7156bf9e834..28dd916f44d 100644
--- a/misc/jitterbug/distinfo
+++ b/misc/jitterbug/distinfo
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.2 2001/04/20 13:52:13 agc Exp $
+$NetBSD: distinfo,v 1.3 2004/02/09 09:17:50 wennmach Exp $
SHA1 (jitterbug-1.6.2.tar.gz) = c9c25ee892883560a829f832efbd028b8531651f
Size (jitterbug-1.6.2.tar.gz) = 98728 bytes
SHA1 (patch-aa) = 9573d1a2f78aef1bd381082080902c50b40bb067
+SHA1 (patch-ab) = 68cb6975b9a330e8889c2812c03e279679ffa754
+SHA1 (patch-ac) = 019e3e86768cd9d680467747676bd8f034553718
+SHA1 (patch-ad) = 87e86b56734deb0210c453ec77ba1f7b1973a79e
+SHA1 (patch-ae) = d9d4013efa79a860f08ec34dd1dadceeb23ac408
diff --git a/misc/jitterbug/patches/patch-ab b/misc/jitterbug/patches/patch-ab
new file mode 100644
index 00000000000..256160bb194
--- /dev/null
+++ b/misc/jitterbug/patches/patch-ab
@@ -0,0 +1,143 @@
+$NetBSD: patch-ab,v 1.1 2004/02/09 09:17:50 wennmach Exp $
+
+Security patches for jitterbug (taken from Debian GNU/Linux).
+See http://www.debian.org/security/2004/dsa-420
+
+--- jitterbug.c.orig Wed Nov 11 13:30:17 1998
++++ jitterbug.c Wed Jan 14 17:34:04 2004
+@@ -57,7 +57,7 @@
+ static int case_sensitive;
+ static int messagetype = MTYPE_ALL;
+ static int numquotelines;
+-static int addsignature;
++static int addsignature = 1;
+ static int fullheaders;
+
+ /* these are the user preferences -- reflect changes in dump_globals() */
+@@ -118,7 +118,7 @@
+ }
+
+
+- if (getuid() == 0) return 0;
++ if (strchr(fname, '/') && geteuid() == 0) return 0;
+
+ data = load_file(fname, NULL, 0);
+ if (!data) {
+@@ -727,6 +727,11 @@
+ }
+ }
+
++/* return true when the text doesn't have a trailing newline */
++static unsigned nolastnl(char *txt)
++{ return *txt && '\n'!=strchr(txt,'\0')[-1];
++}
++
+
+ /* free up an info structure loaded by get_info */
+ static void free_info(struct message_info *info)
+@@ -971,6 +976,7 @@
+ FILE *f;
+ char *name = cgi_variable("auditid");
+ char *source = cgi_variable("sources");
++ char *p;
+ char buf[1000];
+ int len;
+ struct message_info info = zero_info;
+@@ -989,6 +995,14 @@
+
+ sprintf(buf,"%s %s %s", lp_autopatch(), source, name);
+
++ p = buf;
++
++ while (*p) {
++ if (!isalnum(*p) && !strchr(";_|=+ &^#@!(){}[].",*p))
++ fatal("invalid character in expression");
++ p++;
++ }
++
+ printf("<hr>\n");
+
+ f = popen(buf,"r");
+@@ -1012,6 +1026,7 @@
+ {
+ FILE *f;
+ char *name = cgi_variable("decodeview");
++ char *p;
+ char buf[1000];
+ int len;
+ struct message_info info = zero_info;
+@@ -1028,6 +1043,13 @@
+
+ sprintf(buf,"%s %s", lp_decoder(), name);
+
++ p = buf;
++ while (*p) {
++ if (!isalnum(*p) && !strchr(";_|=+ &^#@!(){}[].",*p))
++ fatal("invalid character in expression");
++ p++;
++ }
++
+ printf("<hr>\n");
+
+ f = popen(buf,"r");
+@@ -1271,8 +1293,13 @@
+ }
+
+ smtp_write_data(fd, body);
+- if (sig)
++ if(nolastnl(body))
++ smtp_write(fd, "\n");
++ if (sig) {
+ smtp_write_data(fd, sig);
++ if(nolastnl(sig))
++ smtp_write(fd, "\n");
++ }
+ if (smtp_end_mail(fd) == -1)
+ fatal(smtp_error());
+ }
+@@ -1392,8 +1419,13 @@
+ if (cc && *cc)
+ fprintf(f,"CC: %s\n", cc);
+ fprintf(f,"\n%s", body);
+- if (addsignature && signature)
++ if(nolastnl(body))
++ fprintf(f, "\n");
++ if (addsignature && signature) {
+ fprintf(f,"%s", signature);
++ if(nolastnl(signature))
++ fprintf(f, "\n");
++ }
+ fclose(f);
+ close(fd);
+
+@@ -2179,6 +2211,7 @@
+ int len;
+ char buf[1000];
+ char *decode = cgi_variable("decode");
++ char *p;
+
+ if (guest && !lp_guest_download()) {
+ fatal("guest download has been disabled\n");
+@@ -2199,6 +2232,13 @@
+ if (decode) {
+ sprintf(buf,"%s %s", lp_decoder(), fname);
+
++ p = buf;
++ while (*p) {
++ if (!isalnum(*p) && !strchr(";_|=+ &^#@!(){}[].",*p))
++ fatal("invalid character in expression");
++ p++;
++ }
++
+ f = popen(buf,"r");
+ } else {
+ f = fopen(fname,"r");
+@@ -2208,7 +2248,7 @@
+ fatal("unable to open file");
+ }
+
+- printf("Content-Type: application/octet-stream\n");
++ printf("Content-Type: message/rfc822\n");
+ if (gzip_encoding || lp_gzip_download()) {
+ printf("\n");
+ cgi_start_gzip();
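Review bot: The character check added before each `popen(buf,"r")` (the auditid, decodeview and decode paths) still accepts `;`, `|`, `&`, `(`, `)`, `{` and `}`, which the shell started by popen treats as control operators, so it does not confine the request-supplied `name` and `source` (or `fname`, whose origin is outside the hunk) to plain arguments. It also runs only after `sprintf` has written into `buf[1000]` without a bound, and it passes a plain `char` to `isalnum`, which is undefined for negative values. I would validate the request values themselves against a narrow set before formatting, build the command with `snprintf`, and share one helper instead of three copies of the loop. The set of characters these ids legitimately need is not visible here and has to be confirmed, and the three functions start and end outside the quoted hunks.

```c
/* accept only plain id characters in a value taken from the request */
static void check_cgi_arg(const char *s)
{
	if (!s || !*s)
		fatal("invalid character in expression");
	for (; *s; s++) {
		if (!isalnum((unsigned char)*s) && *s != '_')
			fatal("invalid character in expression");
	}
}

/* … unchanged: declarations and earlier checks in the decodeview handler … */
	check_cgi_arg(name);
	snprintf(buf, sizeof(buf), "%s %s", lp_decoder(), name);
```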
diff --git a/misc/jitterbug/patches/patch-ac b/misc/jitterbug/patches/patch-ac
new file mode 100644
index 00000000000..ce51d099fc9
--- /dev/null
+++ b/misc/jitterbug/patches/patch-ac
@@ -0,0 +1,173 @@
+$NetBSD: patch-ac,v 1.1 2004/02/09 09:17:50 wennmach Exp $
+
+Security patches for jitterbug (taken from Debian GNU/Linux).
+See http://www.debian.org/security/2004/dsa-420
+
+--- new_message.c.orig Wed Nov 11 13:30:17 1998
++++ new_message.c Wed Jan 14 17:34:04 2004
+@@ -206,6 +206,133 @@
+ smtp_end_mail(fd);
+ }
+
++/* This function should always return success */
++static int mail_failure(char* from, char* to, char* content)
++{
++ int fd;
++ fd = smtp_start_mail(from, to, NULL, NULL, "Request failed", strlen(content));
++ if ( fd == -1 ) {
++ fprintf(stderr, "Failed to send failure\n");
++ return 0;
++ }
++ smtp_write(fd, "\n");
++ smtp_write_data(fd, content);
++ smtp_end_mail(fd);
++ return 0;
++}
++
++static int is_a_bug(char* name)
++{
++ if (*name >= '1' && *name <= '9')
++ return !is_directory(name);
++ return 0;
++}
++
++static int get_bug(char *mbuf, char* to, char *query)
++{
++ int fd;
++ char *from, *p;
++ char *subject="Jitterbug results";
++ char buf[1024];
++ unsigned int size=0;
++ char boundary[128];
++ struct stat st;
++ char *bug;
++ char* msg_id;
++ char *msg_list;
++
++ snprintf(boundary, sizeof(boundary), "jitterbug-burp-%d-%d", getpid(), time(NULL));
++
++ /* maybe check for lp_download? */
++ /* maybe add info to audit? */
++ from = lp_from_address();
++
++ while (*query && *query == ' ') query++;
++ if (!strncmp(query, "list", 4)) {
++ char** dir_l, **file_l;
++ int i, j;
++ query += 4;
++ fd = smtp_start_mail(from, to, NULL, NULL, subject, 0);
++ if ( fd == -1 )
++ return 1;
++
++ msg_id = getmailheader(mbuf, "Message-ID:", 0);
++ if ( msg_id )
++ smtp_write(fd, "References: %s\n", msg_id);
++ smtp_write(fd, "\nList for query: %s\n\n", query);
++ trim_string(query, " ", " ");
++ /* use strtok to allow multiple queries */
++ if (!*query || *query == '/' || *query == '.') {
++ query = ".";
++ dir_l = load_dir_list(query, is_directory);
++ } else {
++ dir_l = new_list();
++ add_list_item(dir_l, query);
++ }
++ for (i=0; dir_l && dir_l[i]; ++i) {
++ file_l = load_dir_list(dir_l[i], is_a_bug);
++ /* maybe add subject, from, ... */
++ for (j=0; file_l && file_l[j]; ++j)
++ smtp_write(fd, "%s/%s\n", dir_l[i], file_l[j]);
++ free_list(file_l);
++ }
++ free_list(dir_l);
++ smtp_end_mail(fd);
++ return 0;
++ } else if (!strncmp(query, "get", 3)) {
++ query += 3;
++ } else if (!strncmp(query, "search", 6)) {
++ query += 6;
++ snprintf(buf, sizeof(buf), "Not implemeted (%s)\n", query);
++ return mail_failure(from, to, buf);
++ } else {
++ snprintf(buf, sizeof(buf), "Not implemeted (%s)\n", query);
++ return mail_failure(from, to, buf);
++ }
++
++ fd = smtp_start_mail(from, to, NULL, NULL, subject, 0);
++ if ( fd == -1 )
++ return 1;
++
++ msg_id = getmailheader(mbuf, "Message-ID:", 0);
++ if ( msg_id )
++ smtp_write(fd, "References: %s\n", msg_id);
++ smtp_write(fd, "Mime-Version: 1.0\n");
++ smtp_write(fd, "Content-Type: multipart/mixed; boundary=%s\n\n", boundary);
++ msg_list = strdup(query);
++ for (query = strtok(msg_list, " \t,;"); query; query = strtok(NULL, " \t,;")) {
++ smtp_write(fd, "\n--%s\nContent-Type: text/plain; charset=us-ascii\n", boundary);
++ /* a few security checks */
++ if (*query == '/' || strchr(query, '.') || !(p=strchr(query, '/'))) {
++ smtp_write(fd, "\nNot allowed (%s)\n", query);
++ continue;
++ }
++ *p = 0;
++ if ( !is_directory(query) ) {
++ smtp_write(fd, "\nNot allowed (%s)\n", query);
++ continue;
++ }
++ *p = '/';
++ bug = load_file(query, &st, 0);
++ if ( !bug ) {
++ smtp_write(fd, "\nCannot load (%s)\n", query);
++ continue;
++ }
++ /* replace / with _ in filename */
++ p = query;
++ while(*p) {
++ if (*p == '/') *p = '_';
++ ++p;
++ }
++ smtp_write(fd, "Content-Disposition: attachment; filename=\"%s\"\n\n", query);
++ smtp_write_data(fd, bug);
++ free(bug);
++ }
++ free(msg_list);
++
++ smtp_end_mail(fd);
++ return 0;
++}
+
+ int process_mail(char *def_dir)
+ {
+@@ -253,6 +380,10 @@
+ return 1;
+ }
+
++ if (strncasecmp(from, "MAILER-DAEMON", 13) == 0) {
++ fprintf(stderr,"Ignoring bounced mail\n");
++ return 1;
++ }
+
+ /* work out if it has an existing id */
+ id = getid(mbuf);
+@@ -273,6 +404,12 @@
+ }
+ }
+
++ subject = getmailheader(mbuf, "Subject:", 0);
++ if (subject && !strncmp(subject, "GETBUG:", 7)) {
++ unlink(".newnsg");
++ return get_bug(mbuf, from, subject + 7);
++ }
++
+ if (! *fname) {
+ char *idfile = load_file(".nextid", NULL, 0);
+ nextid=1;
+@@ -306,7 +443,6 @@
+ }
+
+ /* forward to "forward public" if message not marked private */
+- subject = getmailheader(mbuf, "Subject:", 0);
+
+ if (subject &&
+ lp_forward_public() && !strstr(subject,"PRIVATE")) {
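Review bot: The `list` branch of `get_bug` passes `query` to `add_list_item` and then `load_dir_list` after testing only its first character, while the `get` branch rejects any name containing `.` and checks `is_directory` first, so a query with `/` or `..` after the first character is listed without the checks marked `/* a few security checks */`. Applying the same test before `add_list_item`, e.g. an `else if (strchr(query, '/') || strchr(query, '.'))` branch that writes `Not allowed (%s)` and ends the mail, would bring the two branches in line. Separately, `time(NULL)` is passed to a `%d` conversion in the `boundary` format and needs `(int)time(NULL)` or a matching conversion, and the result of `strdup(query)` goes to `strtok` unchecked. The reply is sent to `from` with no access check, which the `/* maybe check for lp_download? */` comment leaves open; because the `GETBUG:` test in `process_mail` runs before the `PRIVATE` handling, it is worth confirming that private reports cannot be fetched this way.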
diff --git a/misc/jitterbug/patches/patch-ad b/misc/jitterbug/patches/patch-ad
new file mode 100644
index 00000000000..c52cf718978
--- /dev/null
+++ b/misc/jitterbug/patches/patch-ad
@@ -0,0 +1,56 @@
+$NetBSD: patch-ad,v 1.1 2004/02/09 09:17:50 wennmach Exp $
+
+Deprecate varargs.
+Type fixes (from Debian GNU/Linux).
+
+--- snprintf.c.orig Sat Oct 31 05:36:20 1998
++++ snprintf.c Wed Jan 14 18:18:31 2004
+@@ -59,9 +59,10 @@
+
+ #if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF)
+
+-/* Define this as a fall through, HAVE_STDARG_H is probably already set */
++/* deprecate VARARGS */
+
+-#define HAVE_VARARGS_H
++#undef HAVE_VARARGS_H
++#define HAVE_STDARG_H
+
+ /* varargs declarations: */
+
+@@ -263,7 +264,7 @@
+ case 'd':
+ case 'i':
+ if (cflags == DP_C_SHORT)
+- value = va_arg (args, short int);
++ value = va_arg (args, int);
+ else if (cflags == DP_C_LONG)
+ value = va_arg (args, long int);
+ else
+@@ -273,7 +274,7 @@
+ case 'o':
+ flags |= DP_F_UNSIGNED;
+ if (cflags == DP_C_SHORT)
+- value = va_arg (args, unsigned short int);
++ value = va_arg (args, unsigned int);
+ else if (cflags == DP_C_LONG)
+ value = (long)va_arg (args, unsigned long int);
+ else
+@@ -283,7 +284,7 @@
+ case 'u':
+ flags |= DP_F_UNSIGNED;
+ if (cflags == DP_C_SHORT)
+- value = va_arg (args, unsigned short int);
++ value = va_arg (args, unsigned int);
+ else if (cflags == DP_C_LONG)
+ value = (long)va_arg (args, unsigned long int);
+ else
+@@ -295,7 +296,7 @@
+ case 'x':
+ flags |= DP_F_UNSIGNED;
+ if (cflags == DP_C_SHORT)
+- value = va_arg (args, unsigned short int);
++ value = va_arg (args, unsigned int);
+ else if (cflags == DP_C_LONG)
+ value = (long)va_arg (args, unsigned long int);
+ else
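Review bot: In the `DP_C_SHORT` cases the argument is now read as `int` or `unsigned int`, which is the correct promoted type for `va_arg`, but it is not narrowed afterwards, so an `h`-modified conversion formats the full int rather than the short value; `value = (short)va_arg (args, int);` and `value = (unsigned short)va_arg (args, unsigned int);` would restore that. The unconditional `#define HAVE_STDARG_H` can also clash with a definition from the configure header, which the removed comment says is probably already set; wrapping it in `#ifndef HAVE_STDARG_H` avoids a redefinition diagnostic. The surrounding switch is outside the hunks.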
diff --git a/misc/jitterbug/patches/patch-ae b/misc/jitterbug/patches/patch-ae
new file mode 100644
index 00000000000..b3554e7444b
--- /dev/null
+++ b/misc/jitterbug/patches/patch-ae
@@ -0,0 +1,18 @@
+$NetBSD: patch-ae,v 1.1 2004/02/09 09:17:50 wennmach Exp $
+
+Security patch (from Debian GNU/Linux).
+See http://www.debian.org/security/2004/dsa-420
+
+--- util.c.orig Thu Aug 20 03:22:45 1998
++++ util.c Wed Jan 14 17:34:04 2004
+@@ -371,6 +371,10 @@
+ extern int done_chroot;
+
+ p = lp_chroot_directory();
++ if (!lp_base_directory()) {
++ fprintf(stderr, "No base directory: cannot continue\n");
++ exit(1);
++ }
+
+ if (done_chroot || !p || !*p) {
+ check_overflow(strlen(lp_base_directory())+10, sizeof(buf));