-rw-r--r--data.h11
-rw-r--r--debian/changelog14
-rw-r--r--debian/control2
-rw-r--r--whois-4.6.6-gentoo-security.patch90
-rw-r--r--whois.14
-rw-r--r--whois.c16
-rw-r--r--whois.spec18
7 files changed, 138 insertions, 17 deletions
diff --git a/data.h b/data.h
index 5814d26..78e1976 100644
--- a/data.h
+++ b/data.h
@@ -52,12 +52,15 @@ const char *hide_strings[] = {
"Access to ASNIC", "by this policy.", /* as */
"**************", "**************", /* sg */
"The Data in Gabia", "you agree to abide",
- "The data contained in Go Daddy", "is not the owner", /* NEUSTAR */
+ "The data contained in Go Daddy", "is not the registrant", /* Go Daddy */
"Disclaimer: The Global Name Registry", "for any commercial",
"Access to America Online", "time. By accessing", /* AOL */
"% Access and use restricted", "% http://www.icann", /* GANDI */
"NeuStar, Inc., the Registry", "rules. For details", /* us */
- "The data in this whois", "Version 6.", /* enom */
+#if 0
+ // This must be disabled because whois.bizcn.com uses a similar text
+ "The data in this whois", "using our Whois information", /* enom */
+#endif
"By submitting a WHOIS query,", "LACK OF A DOMAIN", /* directNIC */
"The Data in OnlineNIC", "\tBy starting this query", /* OnlineNIC */
"The data in Bulkregister.com", "you agree to abide", /* bulkregister */
@@ -101,6 +104,7 @@ struct ip6_del {
const char *serv;
};
+/* http://www.iana.org./assignments/ipv6-tla-assignments */
struct ip6_del ip6_assign[] = {
{ 0x0200, "whois.apnic.net" },
{ 0x0400, "whois.arin.net" },
@@ -109,8 +113,11 @@ struct ip6_del ip6_assign[] = {
{ 0x0A00, "whois.ripe.net" },
{ 0x0C00, "whois.apnic.net" },
{ 0x0E00, "whois.apnic.net" },
+/* { 0x1000, "" }, */
{ 0x1200, "whois.lacnic.net" },
{ 0x1400, "whois.ripe.net" },
+ { 0x1600, "whois.ripe.net" },
+ { 0x1800, "whois.arin.net" },
{ 0, NULL }
};
diff --git a/debian/changelog b/debian/changelog
index eccca76..912c511 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+whois (4.6.7) unstable; urgency=medium
+
+ * Updated .hk, .sg TLDs.
+ * Updated Go Daddy disclaimer strings.
+ * Removed special processing for corenic queries, it's not needed anymore
+ and breaks some queries. (Closes: #208854)
+ * Always print the whois.crsnic.net output, or queries for host records
+ will have no output. Also, the Status line is important information
+ which should not be suppressed.
+ * Add a note to the man page to explain that this code sucks, has buffer
+ overflows and needs to be rewritten.
+
+ -- Marco d'Itri <md@linux.it> Wed, 10 Sep 2003 00:40:15 +0200
+
whois (4.6.6) unstable; urgency=medium
* Updated polish translation, from Jakub Bogusz of PLD.
diff --git a/debian/control b/debian/control
index 4673c4d..aa2f376 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: whois
Section: net
Priority: standard
Maintainer: Marco d'Itri <md@linux.it>
-Standards-Version: 3.5.7
+Standards-Version: 3.6.1
Build-Depends: debhelper, gettext
Package: whois
diff --git a/whois-4.6.6-gentoo-security.patch b/whois-4.6.6-gentoo-security.patch
new file mode 100644
index 0000000..d933b91
--- /dev/null
+++ b/whois-4.6.6-gentoo-security.patch
@@ -0,0 +1,90 @@
+The gentoo people submitted this patch. I'm not applying it as it makes
+the code harder to understand with no major gain and without being a
+fully correct fix.
+
+diff -Nru whois-4.6.6.orig/whois.c whois-4.6.6/whois.c
+--- whois-4.6.6.orig/whois.c 2003-06-15 12:36:52.000000000 -0400
++++ whois-4.6.6/whois.c 2003-08-11 02:15:30.000000000 -0400
+@@ -73,12 +73,12 @@
+ /* RIPE flags */
+ if (strchr(ripeflags, ch)) {
+ for (p = fstring; *p; p++);
+- sprintf(p--, "-%c ", ch);
++ snprintf(p--, sizeof(fstring), "-%c ", ch);
+ continue;
+ }
+ if (strchr(ripeflagsp, ch)) {
+ for (p = fstring; *p; p++);
+- sprintf(p--, "-%c %s ", ch, optarg);
++ snprintf(p--, sizeof(fstring), "-%c %s ", ch, optarg);
+ if (ch == 't' || ch == 'v' || ch == 'q')
+ nopar = 1;
+ continue;
+@@ -132,10 +132,10 @@
+ while (1) {
+ qslen += strlen(*argv) + 1 + 1;
+ qstring = realloc(qstring, qslen);
+- strcat(qstring, *argv++);
++ strncat(qstring, *argv++, qslen-1);
+ if (argc == 1)
+ break;
+- strcat(qstring, " ");
++ strncat(qstring, " ", qslen);
+ argc--;
+ }
+ }
+@@ -401,10 +401,13 @@
+ {
+ char *buf;
+ int i, isripe = 0;
++ int buflen = 0;
+
+ /* +10 for CORE; +2 for \r\n; +1 for NULL */
+- buf = malloc(strlen(flags) + strlen(query) + strlen(client_tag) + 4
+- + 10 + 2 + 1);
++ buflen = (strlen(flags) + strlen(query) + strlen(client_tag) + 4 + 10 + 2 + 1);
++
++ buf = malloc(buflen);
++
+ *buf = '\0';
+ for (i = 0; ripe_servers[i]; i++)
+ if (strcmp(server, ripe_servers[i]) == 0) {
+@@ -426,23 +429,23 @@
+ if (*flags) {
+ if (!isripe && strcmp(server, "whois.corenic.net") != 0)
+ puts(_("Warning: RIPE flags used with a traditional server."));
+- strcat(buf, flags);
++ strncat(buf, flags, buflen);
+ }
+ /* FIXME: /e is not applied to .JP ASN */
+ if (!isripe && (strcmp(server, "whois.nic.mil") == 0 ||
+ strcmp(server, "whois.nic.ad.jp") == 0) &&
+ strncasecmp(query, "AS", 2) == 0 && isasciidigit(query[2]))
+- sprintf(buf, "AS %s", query + 2); /* fix query for DDN */
++ snprintf(buf, buflen, "AS %s", query + 2); /* fix query for DDN */
+ else if (!isripe && strcmp(server, "whois.corenic.net") == 0)
+- sprintf(buf, "--machine %s", query); /* machine readable output */
++ snprintf(buf, buflen, "--machine %s", query); /* machine readable output */
+ else if (!isripe && strcmp(server, "whois.nic.ad.jp") == 0) {
+ char *lang = getenv("LANG"); /* not a perfect check, but... */
+ if (!lang || (strncmp(lang, "ja", 2) != 0))
+- sprintf(buf, "%s/e", query); /* ask for english text */
++ snprintf(buf, buflen, "%s/e", query); /* ask for english text */
+ else
+- strcat(buf, query);
++ strncat(buf, query, buflen);
+ } else
+- strcat(buf, query);
++ strncat(buf, query, buflen);
+ return buf;
+ }
+
+@@ -485,7 +488,7 @@
+
+ if (verb)
+ printf(_("Detected referral to %s on %s.\n"), nq, nh);
+- strcat(nq, "\r\n");
++ strncat(nq, "\r\n", sizeof(nq));
+ fd = openconn(nh, np);
+ do_query(fd, nq);
+ continue;
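Review bot: The bounded calls in this unapplied patch do not actually bound the writes, which is the concrete reason behind the header's "without being a fully correct fix" and is worth stating there. The third argument of `strncat` is the maximum number of characters to append, not the size of the destination, so `strncat(buf, flags, buflen)` and `strncat(qstring, *argv++, qslen-1)` can still run past the allocation; the usable bound is `buflen - strlen(buf) - 1`. `snprintf(p--, sizeof(fstring), ...)` passes the whole array size although `p` already points at the end of the existing contents, and `sizeof(nq)` is a buffer size only if `nq` is an array, which this excerpt does not show. The `malloc` and `realloc` results are left unchecked as well.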
diff --git a/whois.1 b/whois.1
index 13aa034..ea5f28e 100644
--- a/whois.1
+++ b/whois.1
@@ -86,6 +86,10 @@ Detailed help on available flags can be found in \fIRIPE\-223\fP or in
the help file which can be obtained with the command:
.IP
.B whois \-h whois.ripe.net HELP
+.SH "BUGS"
+The program has many buffer overflows when parsing the command line
+parameters: be sure to not pass untrusted data to it.
+It will be rewritten to use a dynamic strings library.
.SH "HISTORY"
This program closely tracks the user interface of the whois client
developed at RIPE by Ambrose Magee and others on the base of the
diff --git a/whois.c b/whois.c
index 0bcd855..db3accd 100644
--- a/whois.c
+++ b/whois.c
@@ -78,7 +78,7 @@ int main(int argc, char *argv[])
}
if (strchr(ripeflagsp, ch)) {
for (p = fstring; *p; p++);
- sprintf(p--, "-%c %s ", ch, optarg);
+ snprintf(p--, sizeof(fstring), "-%c %s ", ch, optarg);
if (ch == 't' || ch == 'v' || ch == 'q')
nopar = 1;
continue;
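Review bot: The size given to `snprintf` on the changed line is `sizeof(fstring)`, but the destination is `p`, which the loop just above has advanced to the terminating NUL of the existing contents, so the call can still write up to `strlen(fstring)` bytes past the end of the buffer. Assuming `fstring` is a fixed-size array (its declaration is outside the hunk), the bound should be the space that remains: `snprintf(p, sizeof(fstring) - (size_t)(p - fstring), "-%c %s ", ch, optarg);`. The `p--` post-decrement appears to have no effect on the call and could be dropped. The return value should be compared with the remaining size so that a truncated flag string is reported rather than sent silently. The RIPE-flags branch that ends at the top of this hunk is not shown here and would need the same check.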
@@ -402,9 +402,9 @@ char *queryformat(const char *server, const char *flags, const char *query)
char *buf;
int i, isripe = 0;
- /* +10 for CORE; +2 for \r\n; +1 for NULL */
+ /* +2 for \r\n; +1 for NULL */
buf = malloc(strlen(flags) + strlen(query) + strlen(client_tag) + 4
- + 10 + 2 + 1);
+ + 2 + 1);
*buf = '\0';
for (i = 0; ripe_servers[i]; i++)
if (strcmp(server, ripe_servers[i]) == 0) {
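Review bot: The result of `malloc` is dereferenced by `*buf = '\0';` with no NULL check, so an allocation failure becomes a null-pointer write; adding `if (!buf) err_sys("malloc");` before the store would match the error handling visible in query_crsnic later in this diff. This allocation is also the only bound on the unbounded `sprintf(buf, ...)` writes visible in the next hunk, yet the updated comment leaves the `+ 4` term unexplained. A comment of the form `/* +4 for <what the 4 covers>; +2 for \r\n; +1 for NUL */` would let a reader verify the arithmetic now that the CORE allowance is gone. queryformat's body continues outside the hunk.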
@@ -433,8 +433,6 @@ char *queryformat(const char *server, const char *flags, const char *query)
strcmp(server, "whois.nic.ad.jp") == 0) &&
strncasecmp(query, "AS", 2) == 0 && isasciidigit(query[2]))
sprintf(buf, "AS %s", query + 2); /* fix query for DDN */
- else if (!isripe && strcmp(server, "whois.corenic.net") == 0)
- sprintf(buf, "--machine %s", query); /* machine readable output */
else if (!isripe && strcmp(server, "whois.nic.ad.jp") == 0) {
char *lang = getenv("LANG"); /* not a perfect check, but... */
if (!lang || (strncmp(lang, "ja", 2) != 0))
@@ -520,8 +518,6 @@ const char *query_crsnic(const int sock, const char *query)
if (write(sock, temp, strlen(temp)) < 0)
err_sys("write");
while (fgets(buf, sizeof(buf), fi)) {
- if (strncmp(buf, "No match for \"", 14) == 0) /* ugly */
- fputs(buf, stdout);
/* If there are multiple matches only the server of the first record
is queried */
if (state == 0 && strncmp(buf, " Domain Name:", 15) == 0)
@@ -537,8 +533,10 @@ const char *query_crsnic(const int sock, const char *query)
*q = '\0';
state = 2;
}
- if (verb)
- fputs(buf, stdout);
+ /* the output must not be hidden or no data will be shown for
+ host records and not-existing domains */
+ /* XXX feel free to send a patch to hide the long disclaimer */
+ fputs(buf, stdout);
}
if (ferror(fi))
err_sys("fgets");
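Review bot: Every line read from the server is now written to stdout unconditionally, and `buf` holds bytes chosen by the remote host, so control characters such as terminal escape sequences reach the user's terminal unfiltered, where this spot previously printed only when `verb` was set. Consider emitting the line through a small filter that replaces bytes below 0x20 (other than tab, CR and LF) and 0x7f with a placeholder character, writing to stdout without modifying `buf` in case the referral pointer still refers into it. The return value of `fputs` is also ignored, so a write error on stdout goes unnoticed. query_crsnic's body starts and ends outside the hunk.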
diff --git a/whois.spec b/whois.spec
index 413e55f..849966d 100644
--- a/whois.spec
+++ b/whois.spec
@@ -1,6 +1,6 @@
Summary: Enhanced WHOIS client
Name: whois
-Version: 4.6.3
+Version: 4.6.7
Release: 1
License: GPL
Vendor: Marco d'Itri <md@linux.it>
@@ -29,16 +29,24 @@ mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man1
make install BASEDIR=${RPM_BUILD_ROOT} prefix=%{prefix}/
gzip ${RPM_BUILD_ROOT}%{_mandir}/man?/*
-find $RPM_BUILD_ROOT ! -type d | sed "s@^$RPM_BUILD_ROOT@@g" > %{name}-filelist
-
%clean
rm -rf ${RPM_BUILD_ROOT}
-%files -f %{name}-filelist
+%files
%defattr(-,root,root)
-%doc [A-Z][A-Z]*
+%{prefix}/bin/whois
+%doc %{prefix}/share/man/man1/whois.1.gz
+%lang(de) %{prefix}/share/locale/de/LC_MESSAGES/whois.mo
+%lang(el) %{prefix}/share/locale/el/LC_MESSAGES/whois.mo
+%lang(es) %{prefix}/share/locale/es/LC_MESSAGES/whois.mo
+%lang(fr) %{prefix}/share/locale/fr/LC_MESSAGES/whois.mo
+%lang(it) %{prefix}/share/locale/it/LC_MESSAGES/whois.mo
+%lang(no) %{prefix}/share/locale/no/LC_MESSAGES/whois.mo
+%lang(pl) %{prefix}/share/locale/pl/LC_MESSAGES/whois.mo
%changelog
+* Sun Jul 13 2003 Paul Mundt <lethal@linux-sh.org>
+- Updated spec for 4.6.6, fixed up doc/lang references.
* Fri Feb 23 2001 Oren Tirosh <oren@hishome.net>
- Initial spec based on skelgnu.spec