author | drochner <drochner> | 2011-11-28 15:26:25 +0000 |
---|---|---|
committer | drochner <drochner> | 2011-11-28 15:26:25 +0000 |
commit | 9e3195ef331593682cd48c50447beb2b021bcb73 (patch) | |
tree | 28638a9596ff1c5796beb1868938a5dd852eb137 /www/squid27 | |
parent | 6331093dc44ee8979ca30fd661bed79dceb8493f (diff) | |
download | pkgsrc-9e3195ef331593682cd48c50447beb2b021bcb73.tar.gz |
Don't allow '/' characters to be passed to pam_start() by the
PAM helper program. OpenPAM didn't check this, so it could be
tricked into reading arbitrary config files, allowing privilege
escalation.
Standard squid installations don't install the PAM helper SUID, but
depending on local needs, an administrator might choose to do so.
approved by pkg maintainer
bump PKGREV
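The mechanism the commit message describes, as an added example in C that is not code from Squid, OpenPAM or pkgsrc: a lexical walk that shows where an OpenPAM-style `<policydir>/<service>` lookup ends up when the service name carries `..` components, beside an allow-list check that is stricter than rejecting a single `/`. The policy directory `/etc/pam.d`, the length bound `MAX_SERVICE_LEN`, the function names and the sample service names are all assumptions made for illustration.

```c
/*
 * Added example; not code from Squid, OpenPAM or pkgsrc.
 * It shows (a) how a '/' in a PAM service name turns an OpenPAM-style
 * "<policydir>/<service>" lookup into a path outside the policy directory,
 * and (b) an allow-list check that is stricter than rejecting only '/'.
 * PAM_POLICY_DIR, MAX_SERVICE_LEN and the lexical resolution below are
 * assumptions made for illustration, not OpenPAM internals.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PAM_POLICY_DIR  "/etc/pam.d"   /* assumed per-service policy directory */
#define MAX_SERVICE_LEN 64             /* assumed bound; pick one for your helper */

/*
 * Lexically walk PAM_POLICY_DIR "/" service and report whether a ".."
 * component climbs above the policy directory.  Returns 1 if the path
 * escapes, 0 if it stays inside.
 */
int policy_path_escapes(const char *service)
{
    int depth = 0;                  /* directory levels below PAM_POLICY_DIR */
    const char *p = service;

    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 1;           /* "..": climbed out of PAM_POLICY_DIR */
            depth--;
        } else if (len > 0 && !(len == 1 && start[0] == '.')) {
            depth++;                /* ordinary component: one level deeper */
        }
        while (*p == '/')           /* skip one or more separators */
            p++;
    }
    return 0;
}

/*
 * Allow-list check for a service name: non-empty, at most MAX_SERVICE_LEN
 * bytes, only [A-Za-z0-9._-], and neither "." nor "..".  Anything it
 * accepts can only name a plain entry directly inside the policy directory.
 * Returns 1 if acceptable, 0 otherwise.
 */
int pam_service_name_ok(const char *service)
{
    size_t n, i;

    if (service == NULL)
        return 0;
    n = strlen(service);
    if (n == 0 || n > MAX_SERVICE_LEN)
        return 0;
    if (strcmp(service, ".") == 0 || strcmp(service, "..") == 0)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)service[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed service names, as a helper might receive them on its
       command line; none of these come from a real configuration. */
    const char *names[] = { "squid", "squid-ldap", "../../tmp/evil", "..", "" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-16s policy=%s/%s  name_ok=%d  escapes=%d\n", names[i],
               PAM_POLICY_DIR, names[i],
               pam_service_name_ok(names[i]), policy_path_escapes(names[i]));
    }
    return 0;
}
```

The allow-list is the check to prefer in a SUID helper: the single `strchr(service, '/')` test in the patch stops the traversal, but `pam_service_name_ok()` also rejects an empty name, `.` and `..`, and oversized input, so the only paths that can reach `pam_start()` are plain entries directly under the policy directory.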
Diffstat (limited to 'www/squid27')
-rw-r--r-- | www/squid27/Makefile | 4 |
-rw-r--r-- | www/squid27/distinfo | 3 |
-rw-r--r-- | www/squid27/patches/patch-am | 18 |
3 files changed, 22 insertions, 3 deletions
diff --git a/www/squid27/Makefile b/www/squid27/Makefile index 46c29191d73..810be551472 100644 --- a/www/squid27/Makefile +++ b/www/squid27/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.15 2010/12/16 13:47:19 sborrill Exp $ +# $NetBSD: Makefile,v 1.16 2011/11/28 15:26:26 drochner Exp $ DISTNAME= squid-2.7.STABLE9 -PKGREVISION= 1 +PKGREVISION= 2 PKGNAME= ${DISTNAME:S/STABLE//} CATEGORIES= www diff --git a/www/squid27/distinfo b/www/squid27/distinfo index 720ae13f7e3..9feb8aeff3e 100644 --- a/www/squid27/distinfo +++ b/www/squid27/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.9 2010/07/29 03:00:46 taca Exp $ +$NetBSD: distinfo,v 1.10 2011/11/28 15:26:26 drochner Exp $ SHA1 (squid-2.7.STABLE9.tar.bz2) = bd389da9b74fd338e358f6b3f83bd3a1ed4d4f6f RMD160 (squid-2.7.STABLE9.tar.bz2) = bfa7c3dc3ede68646603f3379de35f44d7d8e97d @@ -15,3 +15,4 @@ SHA1 (patch-ai) = a227e6fc622f1bda3fa49406b4d588c1f1f78430 SHA1 (patch-aj) = c5c7cd10a63a5066eee63988775f71758ed5463e SHA1 (patch-ak) = 6863cac0fe9100f4b8c3c05cb321324a4abf0a4c SHA1 (patch-al) = a9e957a90dc6956e59668c297dd8566642baecff +SHA1 (patch-am) = c31f27816578a05a909c4e64a646919d35e04c42 diff --git a/www/squid27/patches/patch-am b/www/squid27/patches/patch-am new file mode 100644 index 00000000000..0d530ca2aed --- /dev/null +++ b/www/squid27/patches/patch-am @@ -0,0 +1,18 @@ +$NetBSD: patch-am,v 1.3 2011/11/28 15:26:26 drochner Exp $ + +protect against CVE-2011-4122 + +--- helpers/basic_auth/PAM/pam_auth.c.orig 2005-05-17 16:56:25.000000000 +0000 ++++ helpers/basic_auth/PAM/pam_auth.c +@@ -188,6 +188,11 @@ start: + exit(1); + } + ++ if (strchr(service, '/')) { ++ fprintf(stderr, "Illegal service '%s'\n", service); ++ exit(1); ++ } ++ + while (fgets(buf, BUFSIZE, stdin)) { + user = buf; + password = strchr(buf, '\n'); |
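Review bot: in the patch-am hunk, rejecting only '/' is a blacklist of one character; a positive check (non-empty, bounded length, only [A-Za-z0-9._-], and neither "." nor "..") would guarantee that the name handed to pam_start() can only select a plain entry in the policy directory, whereas the current test still lets "", "." and ".." through. Since the hunk header places the new block under the `start:` label just before `while (fgets(buf, BUFSIZE, stdin))`, also confirm it runs before the first pam_start() call and not only on a later `goto start`. The patch header carries just `protect against CVE-2011-4122`; add the upstream commit or advisory reference next to it so the patch can be dropped when the base tarball is updated.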