Fix for a CVE-2007-2165 security issue grabbed from upstream #2922.

5 files changed, 441 insertions, 3 deletions

diff --git a/net/proftpd/Makefile b/net/proftpd/Makefile
index 305e1a509d0..1ea9949c24d 100644
--- a/net/proftpd/Makefile
+++ b/net/proftpd/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.40 2007/01/24 05:22:01 martti Exp $
+# $NetBSD: Makefile,v 1.41 2007/06/26 23:25:56 lkundrak Exp $
 
 DISTNAME=		proftpd-1.3.1rc2
-#PKGREVISION=		1
+PKGREVISION=		1
 CATEGORIES=		net
 MASTER_SITES=		ftp://ftp.proftpd.org/distrib/source/ \
 			ftp://ftp.servus.at/ProFTPD/distrib/source/ \
diff --git a/net/proftpd/distinfo b/net/proftpd/distinfo
index 44a3bc69914..9d47478287d 100644
--- a/net/proftpd/distinfo
+++ b/net/proftpd/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.22 2007/01/13 09:47:38 martti Exp $
+$NetBSD: distinfo,v 1.23 2007/06/26 23:25:56 lkundrak Exp $
 
 SHA1 (proftpd-1.3.1rc2.tar.bz2) = 7db6435707983fe8e865064661cedb159ebc1cf6
 RMD160 (proftpd-1.3.1rc2.tar.bz2) = aa928315880cf1e9d1980850ce2bb07193d2ac46
@@ -6,3 +6,6 @@ Size (proftpd-1.3.1rc2.tar.bz2) = 1516464 bytes
 SHA1 (patch-aa) = d7ad034e763a2bf729c9af669c3094402bdd03b7
 SHA1 (patch-ab) = 2b6921efa11884286c022a1da7691fc971d65cca
 SHA1 (patch-ac) = a73ceb99485ea16a4b008971cba58204b8d3f90d
+SHA1 (patch-ad) = 17390cac03e1a3fb8d2ce5f854ad9d239eae40fd
+SHA1 (patch-ae) = b7a8ba05a4399438f04d976aa36535e1f02f0c41
+SHA1 (patch-af) = 5f6642a36efe9fdacefed698aba2a86b737dd953
diff --git a/net/proftpd/patches/patch-ad b/net/proftpd/patches/patch-ad
new file mode 100644
index 00000000000..3037a0dd23d
--- /dev/null
+++ b/net/proftpd/patches/patch-ad
@@ -0,0 +1,22 @@
+$NetBSD: patch-ad,v 1.3 2007/06/26 23:25:56 lkundrak Exp $
+
+Part of fix for CVE-2007-2165 grabbed from upstream #2922.
+
+--- include/auth.h.orig	2007-06-27 01:13:43.000000000 +0200
++++ include/auth.h
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - FTP server daemon
+- * Copyright (c) 2004-2005 The ProFTPD Project team
++ * Copyright (c) 2004-2007 The ProFTPD Project team
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -86,6 +86,7 @@ int pr_auth_requires_pass(pool *, const 
+ config_rec *pr_auth_get_anon_config(pool *p, char **, char **, char **);
+ 
+ /* For internal use only. */
++int init_auth(void);
+ int set_groups(pool *, gid_t, array_header *);
+ 
+ #endif /* PR_MODULES_H */
diff --git a/net/proftpd/patches/patch-ae b/net/proftpd/patches/patch-ae
new file mode 100644
index 00000000000..8cc112c326f
--- /dev/null
+++ b/net/proftpd/patches/patch-ae
@@ -0,0 +1,15 @@
+$NetBSD: patch-ae,v 1.3 2007/06/26 23:25:56 lkundrak Exp $
+
+Part of fix for CVE-2007-2165 grabbed from upstream #2922.
+
+--- modules/mod_core.c.orig	2007-06-27 01:13:50.000000000 +0200
++++ modules/mod_core.c
+@@ -4444,6 +4444,8 @@ static int core_sess_init(void) {
+   config_rec *c = NULL;
+   unsigned int *debug_level = NULL;
+ 
++  init_auth();
++
+   /* Check for a server-specific TimeoutIdle. */
+   c = find_config(main_server->conf, CONF_PARAM, "TimeoutIdle", FALSE);
+   if (c != NULL)
diff --git a/net/proftpd/patches/patch-af b/net/proftpd/patches/patch-af
new file mode 100644
index 00000000000..c4e35306d45
--- /dev/null
+++ b/net/proftpd/patches/patch-af
@@ -0,0 +1,398 @@
+$NetBSD: patch-af,v 1.1 2007/06/26 23:25:56 lkundrak Exp $
+
+Part of fix for CVE-2007-2165 grabbed from upstream #2922.
+
+--- src/auth.c.orig	2007-06-27 01:13:58.000000000 +0200
++++ src/auth.c
+@@ -2,7 +2,7 @@
+  * ProFTPD - FTP server daemon
+  * Copyright (c) 1997, 1998 Public Flood Software
+  * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <macgyver@tos.net>
+- * Copyright (c) 2001-2006 The ProFTPD Project team
++ * Copyright (c) 2001-2007 The ProFTPD Project team
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -30,6 +30,10 @@
+ 
+ #include "conf.h"
+ 
++static pool *auth_pool = NULL;
++static pr_table_t *auth_tab = NULL;
++static const char *trace_channel = "auth";
++
+ /* The difference between this function, and pr_cmd_alloc(), is that this
+  * allocates the cmd_rec directly from the given pool, whereas pr_cmd_alloc()
+  * will allocate a subpool from the given pool, and allocate its cmd_rec
+@@ -63,7 +67,7 @@ static cmd_rec *make_cmd(pool *cp, int a
+   return c;
+ }
+ 
+-static modret_t *dispatch_auth(cmd_rec *cmd, char *match) {
++static modret_t *dispatch_auth(cmd_rec *cmd, char *match, module **m) {
+   authtable *start_tab = NULL, *iter_tab = NULL;
+   modret_t *mr = NULL;
+ 
+@@ -74,7 +78,12 @@ static modret_t *dispatch_auth(cmd_rec *
+   while (iter_tab) {
+     pr_signals_handle();
+ 
+-    pr_trace_msg("auth", 6, "dispatching auth request \"%s\" to module mod_%s",
++    if (m && *m && *m != iter_tab->m) {
++      goto next;
++    }
++
++    pr_trace_msg(trace_channel, 6,
++      "dispatching auth request \"%s\" to module mod_%s",
+       match, iter_tab->m->name);
+ 
+     mr = call_module(iter_tab->m, iter_tab->handler, cmd);
+@@ -83,9 +92,19 @@ static modret_t *dispatch_auth(cmd_rec *
+       break;
+ 
+     if (MODRET_ISHANDLED(mr) ||
+-        MODRET_ISERROR(mr))
++        MODRET_ISERROR(mr)) {
++
++      /* Return a pointer, if requested, to the module which answered the
++       * auth request.  This is used, for example, by auth_getpwnam() for
++       * associating the answering auth module with the data looked up.
++       */
++      if (m)
++        *m = iter_tab->m;
++
+       break;
++    }
+ 
++  next:
+     iter_tab = pr_stash_get_symbol(PR_SYM_AUTH, match, iter_tab,
+       &cmd->stash_index);
+ 
+@@ -106,7 +125,7 @@ void pr_auth_setpwent(pool *p) {
+   modret_t *mr = NULL;
+ 
+   cmd = make_cmd(p, 0);
+-  mr = dispatch_auth(cmd, "setpwent");
++  mr = dispatch_auth(cmd, "setpwent", NULL);
+ 
+   if (cmd->tmp_pool) {
+     destroy_pool(cmd->tmp_pool);
+@@ -121,13 +140,20 @@ void pr_auth_endpwent(pool *p) {
+   modret_t *mr = NULL;
+ 
+   cmd = make_cmd(p, 0);
+-  mr = dispatch_auth(cmd, "endpwent");
++  mr = dispatch_auth(cmd, "endpwent", NULL);
+ 
+   if (cmd->tmp_pool) {
+     destroy_pool(cmd->tmp_pool);
+     cmd->tmp_pool = NULL;
+   }
+ 
++  if (auth_tab) {
++    pr_trace_msg(trace_channel, 5, "emptying authcache");
++    (void) pr_table_empty(auth_tab);
++    (void) pr_table_free(auth_tab);
++    auth_tab = NULL;
++  }
++
+   return;
+ }
+ 
+@@ -136,7 +162,7 @@ void pr_auth_setgrent(pool *p) {
+   modret_t *mr = NULL;
+ 
+   cmd = make_cmd(p, 0);
+-  mr = dispatch_auth(cmd, "setgrent");
++  mr = dispatch_auth(cmd, "setgrent", NULL);
+ 
+   if (cmd->tmp_pool) {
+     destroy_pool(cmd->tmp_pool);
+@@ -151,7 +177,7 @@ void pr_auth_endgrent(pool *p) {
+   modret_t *mr = NULL;
+ 
+   cmd = make_cmd(p, 0);
+-  mr = dispatch_auth(cmd, "endgrent");
++  mr = dispatch_auth(cmd, "endgrent", NULL);
+ 
+   if (cmd->tmp_pool) {
+     destroy_pool(cmd->tmp_pool);
+@@ -167,7 +193,7 @@ struct passwd *pr_auth_getpwent(pool *p)
+   struct passwd *res = NULL;
+ 
+   cmd = make_cmd(p, 0);
+-  mr = dispatch_auth(cmd, "getpwent");
++  mr = dispatch_auth(cmd, "getpwent", NULL);
+ 
+   if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
+     res = mr->data;
+@@ -201,7 +227,7 @@ struct group *pr_auth_getgrent(pool *p) 
+   struct group *res = NULL;
+ 
+   cmd = make_cmd(p, 0);
+-  mr = dispatch_auth(cmd, "getgrent");
++  mr = dispatch_auth(cmd, "getgrent", NULL);
+ 
+   if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
+     res = mr->data;
+@@ -228,11 +254,13 @@ struct passwd *pr_auth_getpwnam(pool *p,
+   cmd_rec *cmd = NULL;
+   modret_t *mr = NULL;
+   struct passwd *res = NULL;
++  module *m = NULL;
+ 
+   cmd = make_cmd(p, 1, name);
+-  mr = dispatch_auth(cmd, "getpwnam");
++  mr = dispatch_auth(cmd, "getpwnam", &m);
+ 
+-  if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
++  if (MODRET_ISHANDLED(mr) &&
++      MODRET_HASDATA(mr))
+     res = mr->data;
+ 
+   if (cmd->tmp_pool) {
+@@ -257,6 +285,46 @@ struct passwd *pr_auth_getpwnam(pool *p,
+     return NULL;
+   }
+ 
++  if (!auth_tab && auth_pool) {
++    auth_tab = pr_table_alloc(auth_pool, 0);
++  }
++
++  if (m && auth_tab) {
++    int count = 0;
++    void *value = NULL;
++
++    value = palloc(auth_pool, sizeof(module *));
++    *((module **) value) = m;
++
++    count = pr_table_exists(auth_tab, name);
++    if (count <= 0) {
++      if (pr_table_add(auth_tab, pstrdup(auth_pool, name), value,
++          sizeof(module *)) < 0) {
++        pr_trace_msg(trace_channel, 3,
++          "error adding module 'mod_%s.c' for user '%s' to the authcache: %s",
++          m->name, name, strerror(errno));
++
++      } else {
++        pr_trace_msg(trace_channel, 5,
++          "stashed module 'mod_%s.c' for user '%s' in the authcache",
++          m->name, name);
++      }
++
++    } else {
++      if (pr_table_set(auth_tab, pstrdup(auth_pool, name), value,
++          sizeof(module *)) < 0) {
++        pr_trace_msg(trace_channel, 3,
++          "error setting module 'mod_%s.c' for user '%s' in the authcache: %s",
++          m->name, name, strerror(errno));
++
++      } else {
++        pr_trace_msg(trace_channel, 5,
++          "stashed module 'mod_%s.c' for user '%s' in the authcache",
++          m->name, name);
++      }
++    }
++  }
++
+   pr_log_debug(DEBUG10, "retrieved UID %lu for user '%s'",
+     (unsigned long) res->pw_uid, name);
+   return res;
+@@ -268,7 +336,7 @@ struct passwd *pr_auth_getpwuid(pool *p,
+   struct passwd *res = NULL;
+ 
+   cmd = make_cmd(p, 1, (void *) &uid);
+-  mr = dispatch_auth(cmd, "getpwuid");
++  mr = dispatch_auth(cmd, "getpwuid", NULL);
+ 
+   if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
+     res = mr->data;
+@@ -306,7 +374,7 @@ struct group *pr_auth_getgrnam(pool *p, 
+   struct group *res = NULL;
+ 
+   cmd = make_cmd(p, 1, name);
+-  mr = dispatch_auth(cmd, "getgrnam");
++  mr = dispatch_auth(cmd, "getgrnam", NULL);
+ 
+   if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
+     res = mr->data;
+@@ -339,7 +407,7 @@ struct group *pr_auth_getgrgid(pool *p, 
+   struct group *res = NULL;
+ 
+   cmd = make_cmd(p, 1, (void *) &gid);
+-  mr = dispatch_auth(cmd, "getgrgid");
++  mr = dispatch_auth(cmd, "getgrgid", NULL);
+ 
+   if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr))
+     res = mr->data;
+@@ -369,10 +437,51 @@ struct group *pr_auth_getgrgid(pool *p, 
+ int pr_auth_authenticate(pool *p, const char *name, const char *pw) {
+   cmd_rec *cmd = NULL;
+   modret_t *mr = NULL;
++  module *m = NULL;
+   int res = PR_AUTH_NOPWD;
+ 
+   cmd = make_cmd(p, 2, name, pw);
+-  mr = dispatch_auth(cmd, "auth");
++
++  /* First, check for the mod_auth_pam.c module.
++   *
++   * PAM is a bit of hack in this Auth API, because PAM only provides
++   * yes/no checks, and is not a source of user information.
++   */
++  m = pr_module_get("mod_auth_pam.c");
++  if (m) {
++    mr = dispatch_auth(cmd, "auth", &m);
++
++    if (MODRET_ISHANDLED(mr)) {
++      pr_trace_msg(trace_channel, 4,
++        "module 'mod_auth_pam.c' used for authenticating user '%s'", name);
++
++      res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK;
++
++      if (cmd->tmp_pool) {
++        destroy_pool(cmd->tmp_pool);
++        cmd->tmp_pool = NULL;
++      }
++
++      return res;
++    }
++
++    m = NULL;
++  }
++
++  if (auth_tab) {
++
++    /* Fetch the specific module to be used for authenticating this user. */
++    void *v = pr_table_get(auth_tab, name, NULL);
++    if (v) {
++      m = *((module **) v);
++
++      pr_trace_msg(trace_channel, 4,
++        "using module 'mod_%s.c' from authcache to authenticate user '%s'",
++        m->name, name);
++    }
++  }
++
++  mr = dispatch_auth(cmd, "auth", m ? &m : NULL);
+ 
+   if (MODRET_ISHANDLED(mr))
+     res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK;
+@@ -391,10 +500,51 @@ int pr_auth_authenticate(pool *p, const 
+ int pr_auth_check(pool *p, const char *cpw, const char *name, const char *pw) {
+   cmd_rec *cmd = NULL;
+   modret_t *mr = NULL;
++  module *m = NULL;
+   int res = PR_AUTH_BADPWD;
+ 
+   cmd = make_cmd(p, 3, cpw, name, pw);
+-  mr = dispatch_auth(cmd, "check");
++
++  /* First, check for the mod_auth_pam.c module.  
++   *
++   * PAM is a bit of hack in this Auth API, because PAM only provides
++   * yes/no checks, and is not a source of user information.
++   */
++  m = pr_module_get("mod_auth_pam.c");
++  if (m) {
++    mr = dispatch_auth(cmd, "check", &m);
++
++    if (MODRET_ISHANDLED(mr)) {
++      pr_trace_msg(trace_channel, 4,
++        "module 'mod_auth_pam.c' used for authenticating user '%s'", name);
++
++      res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK;
++
++      if (cmd->tmp_pool) {
++        destroy_pool(cmd->tmp_pool);
++        cmd->tmp_pool = NULL;
++      }
++
++      return res;
++    }
++
++    m = NULL;
++  }
++
++  if (auth_tab) {
++
++    /* Fetch the specific module to be used for authenticating this user. */
++    void *v = pr_table_get(auth_tab, name, NULL);
++    if (v) {
++      m = *((module **) v);
++
++      pr_trace_msg(trace_channel, 4,
++        "using module 'mod_%s.c' from authcache to authenticate user '%s'",
++        m->name, name);
++    }
++  }
++
++  mr = dispatch_auth(cmd, "check", m ? &m : NULL);
+ 
+   if (MODRET_ISHANDLED(mr))
+     res = MODRET_HASDATA(mr) ? PR_AUTH_RFC2228_OK : PR_AUTH_OK;
+@@ -413,7 +563,7 @@ int pr_auth_requires_pass(pool *p, const
+   int res = TRUE;
+ 
+   cmd = make_cmd(p, 1, name);
+-  mr = dispatch_auth(cmd, "requires_pass");
++  mr = dispatch_auth(cmd, "requires_pass", NULL);
+ 
+   if (MODRET_ISHANDLED(mr))
+     res = FALSE;
+@@ -438,7 +588,7 @@ const char *pr_auth_uid2name(pool *p, ui
+   memset(namebuf, '\0', sizeof(namebuf));
+ 
+   cmd = make_cmd(p, 1, (void *) &uid);
+-  mr = dispatch_auth(cmd, "uid2name");
++  mr = dispatch_auth(cmd, "uid2name", NULL);
+ 
+   if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) {
+     res = mr->data;
+@@ -463,7 +613,7 @@ const char *pr_auth_gid2name(pool *p, gi
+   memset(namebuf, '\0', sizeof(namebuf));
+ 
+   cmd = make_cmd(p, 1, (void *) &gid);
+-  mr = dispatch_auth(cmd, "gid2name");
++  mr = dispatch_auth(cmd, "gid2name", NULL);
+ 
+   if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) {
+     res = mr->data;
+@@ -485,7 +635,7 @@ uid_t pr_auth_name2uid(pool *p, const ch
+   uid_t res = (uid_t) -1;
+ 
+   cmd = make_cmd(p, 1, name);
+-  mr = dispatch_auth(cmd, "name2uid");
++  mr = dispatch_auth(cmd, "name2uid", NULL);
+ 
+   if (MODRET_ISHANDLED(mr))
+     res = *((uid_t *) mr->data);
+@@ -506,7 +656,7 @@ gid_t pr_auth_name2gid(pool *p, const ch
+   gid_t res = (gid_t) -1;
+ 
+   cmd = make_cmd(p, 1, name);
+-  mr = dispatch_auth(cmd, "name2gid");
++  mr = dispatch_auth(cmd, "name2gid", NULL);
+ 
+   if (MODRET_ISHANDLED(mr))
+     res = *((gid_t *) mr->data);
+@@ -538,7 +688,7 @@ int pr_auth_getgroups(pool *p, const cha
+   cmd = make_cmd(p, 3, name, group_ids ? *group_ids : NULL,
+     group_names ? *group_names : NULL);
+ 
+-  mr = dispatch_auth(cmd, "getgroups");
++  mr = dispatch_auth(cmd, "getgroups", NULL);
+ 
+   if (MODRET_ISHANDLED(mr) && MODRET_HASDATA(mr)) {
+     res = *((int *) mr->data);
+@@ -832,3 +982,10 @@ int set_groups(pool *p, gid_t primary_gi
+   return res;
+ }
+ 
++/* Internal use only.  To be called in the session process. */
++int init_auth(void) {
++  auth_pool = make_sub_pool(permanent_pool);
++  pr_pool_tag(auth_pool, "Auth API");
++
++  return 0;
++}