* Florian Weimer [2006-01-24 21:51:00+0100]
> * Stefan Ritt:
> >> Is this list complete as far as fixes past r1202 are concerned? What
> >> about r1487, is it a significant DoS condition?
> >
> > Yes.
>
> Okay, this patch shouldn't be too hard to extract. Recai, could you
> backport that one and the fixes from r1635 to stable?
OK. I'm sending three separate patches attached for your review:
* 0007-r1635-Fix-CVE-2005-4439.txt
Backport r1635: targets to fix CVE-2005-4439
* 0008-r1487-Fix-DoS-condition.txt
Backport r1487: fixes infinite redirection
* 0009-r1636-Add-IP-address-to-logfile.txt [optional]
Backport r1636: adds IP address to log file
All three patches + your previous six patches were applied and compiled
successfully. I've also tested the fixed package in my system without any
glitches. Now, I'm going to build and test it in a Sarge chroot jail.
Hope I haven't missed anything.
Regards,
--
roktas
Subject: [PATCH] r1635: Fixes CVE-2005-4439: buffer overflow through long URL
parameters
--- a/debian/changelog 2006-01-25 08:24:44.000000000 +0200
+++ b/debian/changelog 2006-01-25 08:24:50.000000000 +0200
@@ -11,6 +11,10 @@ elog (2.5.7+r1558-4+sarge1) unstable; ur
* Backport r1529 from upstream's Subversion repository:
"Fixed bug with fprintf and buffer containing "%""
(Our patch just eliminates the format string vulnerability.)
+ * Backport r1635 from upstream's Subversion repository:
+ "Fixed potential buffer overflows"
+ This backport addresses CVE-2005-4439: buffer overflow through long
+ URL parameters <http://marc.theaimsgroup.com/?m=113498708213563>
-- Florian Weimer <[EMAIL PROTECTED]> Mon, 23 Jan 2006 15:56:37 +0100
--- a/src/elogd.c 2006-01-25 08:21:00.000000000 +0200
+++ b/src/elogd.c 2006-01-25 08:21:48.000000000 +0200
@@ -1839,13 +1839,15 @@ void base64_decode(char *s, char *d)
*d = 0;
}
-void base64_encode(char *s, char *d)
+void base64_encode(unsigned char *s, unsigned char *d, int size)
{
unsigned int t, pad;
+ unsigned char *p;
pad = 3 - strlen(s) % 3;
if (pad == 3)
pad = 0;
+ p = d;
while (*s) {
t = (*s++) << 16;
if (*s)
@@ -1862,6 +1864,8 @@ void base64_encode(char *s, char *d)
*(d + 0) = map[t & 63];
d += 4;
+ if (d-p >= size-3)
+ return;
}
*d = 0;
while (pad--)
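Review bot: The early exit `if (d-p >= size-3) return;` leaves the output without a terminating NUL, because it returns before `*d = 0` is reached. When `size` is a multiple of four (the 32- and 256-byte arrays passed elsewhere in this patch), the last group is written at `size-4 .. size-1` before the check fires, so the buffer ends up full and unterminated and later `%s` or `strcmp` uses read past it. Stopping one group earlier and terminating fixes both: `if (d - p >= size - 4) { *d = 0; return; }`. Separately, `strlen(s)` now receives an `unsigned char *` and needs a cast; the function body starts in the previous hunk and continues past this one.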
@@ -1898,12 +1902,12 @@ void base64_bufenc(unsigned char *s, int
*(--d) = '=';
}
-void do_crypt(char *s, char *d)
+void do_crypt(char *s, char *d, int size)
{
#ifdef HAVE_CRYPT
- strcpy(d, crypt(s, "el"));
+ strlcpy(d, crypt(s, "el"), size);
#else
- base64_encode(s, d);
+ base64_encode((unsigned char *) s, (unsigned char *) d, size);
#endif
}
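Review bot: `crypt()` can return NULL on failure, and the new `strlcpy(d, crypt(s, "el"), size)` passes that result straight through as the source pointer. Checking it first avoids the NULL dereference, e.g. `const char *h = crypt(s, "el"); if (h == NULL) { d[0] = 0; return; }`; callers would then have to treat an empty result as a failed check rather than compare it against a stored value. Note also that the `#else` branch stores a reversible base64 encoding of the password rather than a hash, which the new size argument bounds but does not otherwise change.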
@@ -2652,7 +2656,7 @@ int retrieve_url(char *url, char **buffe
{
struct sockaddr_in bind_addr;
struct hostent *phe;
- char str[256], host[256], subdir[256], param[256], auth[256], pwd_enc[256];
+ char str[1000], unm[256], upwd[256], host[256], subdir[256], param[256],
auth[256], pwd_enc[256];
int port, bufsize;
INT i, n;
fd_set readfds;
@@ -2704,12 +2708,15 @@ int retrieve_url(char *url, char **buffe
sprintf(str, "GET %s%s HTTP/1.0\r\nConnection: Close\r\n", subdir, param);
/* add local username/password */
- if (isparam("unm"))
+ if (isparam("unm") && isparam("upwd")) {
+ strlcpy(unm, getparam("unm"), sizeof(unm));
+ strlcpy(upwd, getparam("upwd"), sizeof(upwd));
sprintf(str + strlen(str), "Cookie: unm=%s; upwd=%s\r\n",
getparam("unm"), getparam("upwd"));
+ }
if (rpwd && rpwd[0]) {
sprintf(auth, "anybody:%s", rpwd);
- base64_encode(auth, pwd_enc);
+ base64_encode((unsigned char *) auth, (unsigned char *) pwd_enc,
sizeof(pwd_enc));
sprintf(str + strlen(str), "Authorization: Basic %s\r\n", pwd_enc);
}
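Review bot: The bounded copies `unm` and `upwd` are filled but never used: the `sprintf` that follows still formats `getparam("unm")` and `getparam("upwd")` directly, so the length of the Cookie line is still controlled by the request. The call should take the locals, `sprintf(str + strlen(str), "Cookie: unm=%s; upwd=%s\r\n", unm, upwd);`, or better become an `snprintf` bounded by the space left in `str`. The `sprintf(str, "GET %s%s ...", subdir, param)` and `sprintf(auth, "anybody:%s", rpwd)` calls in the same hunk are likewise unbounded. retrieve_url starts and ends outside the hunk.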
@@ -3523,13 +3530,13 @@ void check_config()
void retrieve_email_from(LOGBOOK * lbs, char *ret, char
attrib[MAX_N_ATTR][NAME_LENGTH])
{
- char str[256], *p, login_name[256];
+ char email_from[256], str[256], *p, login_name[256];
char slist[MAX_N_ATTR + 10][NAME_LENGTH], svalue[MAX_N_ATTR +
10][NAME_LENGTH];
int i;
if (!getcfg(lbs->name, "Use Email from", str, sizeof(str))) {
if (isparam("user_email") && *getparam("user_email"))
- strcpy(str, getparam("user_email"));
+ strlcpy(str, getparam("user_email"), sizeof(email_from));
else
sprintf(str, "[EMAIL PROTECTED]", host_name);
}
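Review bot: The size argument names the wrong buffer: `strlcpy(str, getparam("user_email"), sizeof(email_from))` writes into `str` but is bounded by `email_from`. Both are declared with 256 bytes in this hunk, so nothing overflows today, but the bound silently becomes wrong if either declaration changes; use `sizeof(str)`. `email_from` has no other use in the visible lines, so it may be a leftover from upstream's version of this function.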
@@ -5254,7 +5261,7 @@ void write_logfile(LOGBOOK * lbs, const
{
char file_name[2000];
va_list argptr;
- char str[10000];
+ char str[10000], unm[256];
FILE *f;
time_t now;
char buf[10000];
@@ -5284,9 +5291,10 @@ void write_logfile(LOGBOOK * lbs, const
strftime(buf, sizeof(buf), "%d-%b-%Y %H:%M:%S", localtime(&now));
strcat(buf, " ");
- if (*getparam("unm") && rem_host[0])
- sprintf(buf + strlen(buf), "[EMAIL PROTECTED] ", getparam("unm"),
rem_host);
- else if (rem_host[0])
+ if (isparam("unm") && rem_host[0]) {
+ strlcpy(unm, getparam("unm"), sizeof(unm));
+ sprintf(buf + strlen(buf), "[EMAIL PROTECTED] ", unm, rem_host);
+ } else if (rem_host[0])
sprintf(buf + strlen(buf), "[%s] ", rem_host);
if (lbs)
@@ -5960,7 +5968,7 @@ void set_redir(LOGBOOK * lbs, char *redi
/* prepare relative path */
if (redir[0])
- strcpy(str, redir);
+ strlcpy(str, redir, sizeof(str));
else {
if (lbs)
sprintf(str, "../%s/", lbs->name_enc);
@@ -7149,7 +7157,7 @@ int build_subst_list(LOGBOOK * lbs, char
} else
strcpy(value[i], attrib[i]);
} else
- strcpy(value[i], getparam(attr_list[i]));
+ strlcpy(value[i], isparam(attr_list[i]) ? getparam(attr_list[i]) :
"", NAME_LENGTH);
}
/* add remote host */
@@ -7320,21 +7328,21 @@ BOOL change_pwd(LOGBOOK * lbs, char *use
void show_change_pwd_page(LOGBOOK * lbs)
{
- char str[256], old_pwd[32], new_pwd[32], new_pwd2[32], act_pwd[32],
user[80];
+ char str[256], config[80], old_pwd[32], new_pwd[32], new_pwd2[32],
act_pwd[32], user[80];
int wrong_pwd;
old_pwd[0] = new_pwd[0] = new_pwd2[0] = 0;
if (isparam("oldpwd"))
- do_crypt(getparam("oldpwd"), old_pwd);
+ do_crypt(getparam("oldpwd"), old_pwd, sizeof(old_pwd));
if (isparam("newpwd"))
- do_crypt(getparam("newpwd"), new_pwd);
+ do_crypt(getparam("newpwd"), new_pwd, sizeof(new_pwd));
if (isparam("newpwd2"))
- do_crypt(getparam("newpwd2"), new_pwd2);
+ do_crypt(getparam("newpwd2"), new_pwd2, sizeof(new_pwd2));
- strcpy(user, getparam("unm"));
+ strlcpy(user, isparam("unm") ? getparam("unm") : "", sizeof(user));
if (isparam("config"))
- strcpy(user, getparam("config"));
+ strlcpy(user, getparam("config"), sizeof(user));
wrong_pwd = FALSE;
@@ -7367,7 +7375,11 @@ void show_change_pwd_page(LOGBOOK * lbs)
if (!wrong_pwd) {
/* redirect back to configuration page */
- sprintf(str, "?cmd=%s&cfg_user=%s", loc("Config"),
getparam("config"));
+ if (isparam("config")) {
+ strlcpy(config, getparam("config"), sizeof(config));
+ sprintf(str, "?cmd=%s&cfg_user=%s", loc("Config"), config);
+ } else
+ sprintf(str, "?cmd=%s", loc("Config"));
redirect(lbs, str);
return;
}
@@ -7642,7 +7654,7 @@ void show_edit_form(LOGBOOK * lbs, int m
if (breedit || bupload) {
/* get date from parameter */
if (*getparam("entry_date"))
- strcpy(date, getparam("entry_date"));
+ strlcpy(date, getparam("entry_date"), sizeof(date));
/* get attributes from parameters */
attrib_from_param(lbs->n_attr, attrib);
@@ -7656,7 +7668,7 @@ void show_edit_form(LOGBOOK * lbs, int m
}
/* get encoding */
- strcpy(encoding, atoi(getparam("html")) == 1 ? "HTML" : "plain");
+ strlcpy(encoding, isparam("encoding") ? getparam("encoding") : "",
sizeof(encoding));
} else {
if (message_id) {
/* get message for reply/edit */
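Review bot: The `encoding` line changes behaviour rather than only bounding a copy: the old code derived `encoding` from the `html` parameter (`"HTML"` or `"plain"`), while the new one copies an `encoding` request parameter verbatim. Unless the forms in this stable version already submit `encoding` (not visible here), the re-edit/upload path would now get an empty string, and whatever value a client sends is accepted unchecked. For a stable backport it seems safer to keep the original semantics with a bounded copy: `strlcpy(encoding, atoi(getparam("html")) == 1 ? "HTML" : "plain", sizeof(encoding));`.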
@@ -7668,9 +7680,9 @@ void show_edit_form(LOGBOOK * lbs, int m
if (bedit) {
if (getcfg(lbs->name, "Use Lock", str, sizeof(str)) && atoi(str)
== 1) {
if (*getparam("full_name"))
- strcpy(str, getparam("full_name"));
+ strlcpy(str, getparam("full_name"), sizeof(str));
else
- strcpy(str, loc("user"));
+ strlcpy(str, loc("user"), sizeof(str));
strcat(str, " ");
strcat(str, loc("on"));
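Review bot: The two `strcat` calls after the new `strlcpy(str, ..., sizeof(str))` are still unbounded, so a `full_name` that fills `str` is followed by a write past its end when `" "` and `loc("on")` are appended. Converting them keeps the bound: `strlcat(str, " ", sizeof(str)); strlcat(str, loc("on"), sizeof(str));`. The same kind of unconverted neighbour appears in the save_user_config hunk at -10082, where `strcpy(str, getparam("new_full_name"));` directly above the changed `do_crypt` line still copies a request parameter without a bound.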
@@ -9876,11 +9888,11 @@ int save_user_config(LOGBOOK * lbs, char
if (!activate) {
/* check for hidden password */
if (isparam("hpwd")) {
- strcpy(new_pwd, getparam("hpwd"));
+ strlcpy(new_pwd, getparam("hpwd"), sizeof(new_pwd));
} else {
/* check if passwords match */
- do_crypt(getparam("newpwd"), new_pwd);
- do_crypt(getparam("newpwd2"), new_pwd2);
+ do_crypt(getparam("newpwd"), new_pwd, sizeof(new_pwd));
+ do_crypt(getparam("newpwd2"), new_pwd2, sizeof(new_pwd2));
if (strcmp(new_pwd, new_pwd2) != 0) {
show_error(loc("New passwords do not match, please retype"));
@@ -10082,7 +10094,7 @@ int save_user_config(LOGBOOK * lbs, char
strcpy(str, getparam("new_full_name"));
url_encode(str, sizeof(str));
- do_crypt(getparam("newpwd"), enc_pwd);
+ do_crypt(getparam("newpwd"), enc_pwd, sizeof(enc_pwd));
url_encode(enc_pwd, sizeof(enc_pwd));
sprintf(mail_text + strlen(mail_text),
"?cmd=Activate&new_user_name=%s&new_full_name=%s&new_user_email=%s&email_notify=%s&encpwd=%s&unm=%s\r\n",
@@ -10370,8 +10382,8 @@ void show_forgot_pwd_page(LOGBOOK * lbs)
for (i = 0; i < 6; i++)
str[i] = rand() & 0x7F;
str[i] = 0;
- base64_encode(str, pwd);
- do_crypt(pwd, pwd_encrypted);
+ base64_encode((unsigned char *) str, (unsigned char *) pwd,
sizeof(pwd));
+ do_crypt(pwd, pwd_encrypted, sizeof(pwd_encrypted));
/* send email with new password */
if (!getcfg("global", "SMTP host", smtp_host, sizeof(smtp_host))) {
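Review bot: The replacement password built just above the changed lines comes from six `rand() & 0x7F` bytes, which is a small and predictable space for a credential, and a zero byte among them ends the string early because `base64_encode` stops at the first NUL. This is existing code that the patch only re-types, but it sits on the password-reset path and deserves a follow-up: take the bytes from the system's random source and encode them with a routine that takes a length (`base64_bufenc` appears to). show_forgot_pwd_page starts and ends outside the hunk.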
@@ -12353,7 +12365,7 @@ void receive_pwdfile(LOGBOOK * lbs, char
eprintf("\n");
while (str[strlen(str) - 1] == '\r' || str[strlen(str) - 1] == '\n')
str[strlen(str) - 1] = 0;
- do_crypt(str, pwd);
+ do_crypt(str, pwd, sizeof(pwd));
setparam("upwd", pwd);
status = 0;
}
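Review bot: The trimming loop above the changed line evaluates `str[strlen(str) - 1]` even when `str` is empty, for instance after a bare newline has been stripped, which reads far outside the buffer because `strlen(str) - 1` wraps. Guarding on the length fixes it: `while (str[0] && (str[strlen(str) - 1] == '\r' || str[strlen(str) - 1] == '\n'))`. The synchronize_logbook hunk at -12597 contains the identical loop.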
@@ -12597,7 +12609,7 @@ void synchronize_logbook(LOGBOOK * lbs,
eprintf("\n");
while (str[strlen(str) - 1] == '\r' || str[strlen(str) - 1] ==
'\n')
str[strlen(str) - 1] = 0;
- do_crypt(str, pwd);
+ do_crypt(str, pwd, sizeof(pwd));
setparam("upwd", pwd);
} else {
@@ -14969,20 +14981,21 @@ void show_elog_list(LOGBOOK * lbs, INT p
}
/* default mode */
- strcpy(mode, "Summary");
+ strlcpy(mode, "Summary", sizeof(mode));
show_attachments = FALSE;
/* for page display, get mode from config file */
if (past_n || last_n || page_n) {
if (getcfg(lbs->name, "Display Mode", str, sizeof(str)))
- strcpy(mode, str);
+ strlcpy(mode, str, sizeof(mode));
if (*getparam("mode"))
- strcpy(mode, getparam("mode"));
+ strlcpy(mode, getparam("mode"), sizeof(mode));
} else {
/* for find result, get mode from find form */
- strcpy(mode, getparam("mode"));
+ strlcpy(mode, getparam("mode"), sizeof(mode));
if (mode[0] == 0)
strcpy(mode, "Full");
+ strlcpy(mode, "Full", sizeof(mode));
}
threaded = strieq(mode, "threaded");
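Review bot: The old `strcpy(mode, "Full");` is kept as a context line and the new `strlcpy(mode, "Full", sizeof(mode));` is added after it, so the unbraced `if (mode[0] == 0)` governs only the `strcpy` and the `strlcpy` runs unconditionally. As the hunk reads (its header grows from 20 to 21 lines), find results would always be displayed in "Full" mode regardless of the `mode` parameter. The `strcpy` line should be removed so that the `if` controls `strlcpy(mode, "Full", sizeof(mode));`.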
@@ -15205,7 +15218,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
/* compile regex for subtext */
if (*getparam("subtext")) {
- strcpy(str, getparam("subtext"));
+ strlcpy(str, getparam("subtext"), sizeof(str));
flags = REG_EXTENDED;
if (!isparam("casesensitive"))
flags |= REG_ICASE;
@@ -15215,7 +15228,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
/* compile regex for attributes */
for (i = 0; i < lbs->n_attr; i++) {
if (*getparam(attr_list[i])) {
- strcpy(str, getparam(attr_list[i]));
+ strlcpy(str, getparam(attr_list[i]), sizeof(str));
/* if value starts with '$', substitute it */
if (str[0] == '$') {
@@ -15313,7 +15326,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
} else {
- strcpy(str, getparam(attr_list[i]));
+ strlcpy(str, isparam(attr_list[i]) ? getparam(attr_list[i]) :
"", sizeof(str));
/* if value starts with '$', substitute it */
if (str[0] == '$') {
@@ -15397,7 +15410,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
if (j < index) {
/* set date from current message, if later */
if (strcmp(msg_list[j].string, msg_list[index].string) < 0)
- strcpy(msg_list[j].string, msg_list[index].string);
+ strlcpy(msg_list[j].string, msg_list[index].string, 256);
msg_list[index].lbs = NULL; // delete current message
continue;
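Review bot: The literal `256` in `strlcpy(msg_list[j].string, msg_list[index].string, 256)` repeats the field size by hand, unlike the other calls in this patch, which use `sizeof`. If `string` is an array member, `sizeof(msg_list[j].string)` keeps the bound tied to the declaration. The declaration is outside the hunk, so the value 256 could not be checked here.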
@@ -15558,7 +15571,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
/*---- title ----*/
- strcpy(str, ", ");
+ strlcpy(str, ", ", sizeof(str));
if (past_n == 1)
strcat(str, loc("Last day"));
else if (past_n > 1)
@@ -15583,7 +15596,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
rsprintf("<tr><td class=\"menuframe\"><span class=\"menu1\">\n");
/* current command line for select command */
- strcpy(str, getparam("cmdline"));
+ strlcpy(str, isparam("cmdline") ? getparam("cmdline") : "",
sizeof(str));
/* remove select switch */
if (strstr(str, "select=1")) {
@@ -15603,18 +15616,18 @@ void show_elog_list(LOGBOOK * lbs, INT p
/* default menu commands */
if (menu_str[0] == 0) {
- strcpy(menu_str, "New, Find, Select, CSV Import, ");
+ strlcpy(menu_str, "New, Find, Select, CSV Import, ",
sizeof(menu_str));
if (getcfg(lbs->name, "Password file", str, sizeof(str)))
- strcat(menu_str, "Config, Logout, ");
+ strlcat(menu_str, "Config, Logout, ", sizeof(menu_str));
else
- strcat(menu_str, "Config, ");
+ strlcat(menu_str, "Config, ", sizeof(menu_str));
if (getcfg(lbs->name, "Mirror server", str, sizeof(str)))
- strcat(menu_str, "Synchronize, ");
+ strlcat(menu_str, "Synchronize, ", sizeof(menu_str));
- strcpy(str, loc("Last x"));
- strcat(menu_str, "Last x, Help");
+ strlcpy(str, loc("Last x"), sizeof(str));
+ strlcat(menu_str, "Last x, Help, ", sizeof(menu_str));
}
n = strbreak(menu_str, menu_item, MAX_N_LIST, ",");
@@ -15632,7 +15645,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
rsprintf(" <a
href=\"last%d?mode=%s\">%s</a> |\n", last_n * 2, mode, str);
}
} else if (strieq(menu_item[i], "Select")) {
- strcpy(str, getparam("cmdline"));
+ strlcpy(str, isparam("cmdline") ? getparam("cmdline") : "",
sizeof(str));
if (atoi(getparam("select")) == 1) {
/* remove select switch */
if (strstr(str, "select=1")) {
@@ -15649,7 +15662,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
}
rsprintf(" <a href=\"%s\">%s</a> |\n", str,
loc("Select"));
} else {
- strcpy(str, loc(menu_item[i]));
+ strlcpy(str, loc(menu_item[i]), sizeof(str));
url_encode(str, sizeof(str));
if (i < n - 1)
@@ -15673,7 +15686,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
/* check if file starts with an absolute directory */
if (str[0] == DIR_SEPARATOR || str[1] == ':')
- strcpy(file_name, str);
+ strlcpy(file_name, str, sizeof(file_name));
else {
strlcpy(file_name, resource_dir, sizeof(file_name));
strlcat(file_name, str, sizeof(file_name));
@@ -19145,10 +19158,10 @@ void interprete(char *lbook, char *path)
\********************************************************************/
{
int status, i, j, n, index, lb_index, message_id;
- char exp[80], list[1000], section[256], str[NAME_LENGTH], str2[NAME_LENGTH],
- enc_pwd[80], file_name[256], command[80], ref[256], enc_path[256],
dec_path[256],
+ char exp[80], list[1000], section[256], str[NAME_LENGTH],
str2[NAME_LENGTH], edit_id[80],
+ enc_pwd[80], file_name[256], command[80], ref[256], enc_path[256],
dec_path[256], uname[80],
logbook[256], logbook_enc[256], *experiment, *value, *group, css[256],
*pfile,
- attachment[MAX_PATH_LENGTH];
+ attachment[MAX_PATH_LENGTH], full_name[256];
BOOL global;
LOGBOOK *lbs;
FILE *f;
@@ -19158,7 +19171,7 @@ void interprete(char *lbook, char *path)
url_decode(dec_path);
strcpy(enc_path, dec_path);
url_encode(enc_path, sizeof(enc_path));
- strcpy(command, getparam("cmd"));
+ strlcpy(command, isparam("cmd") ? getparam("cmd") : "", sizeof(command));
experiment = getparam("exp");
value = getparam("value");
group = getparam("group");
@@ -19171,7 +19184,7 @@ void interprete(char *lbook, char *path)
/* evaluate "jcmd" */
if (isparam("jcmd") && *getparam("jcmd"))
- strcpy(command, getparam("jcmd"));
+ strlcpy(command, getparam("jcmd"), sizeof(command));
/* if experiment given, use it as logbook (for elog!) */
if (experiment && experiment[0]) {
@@ -19267,20 +19280,23 @@ void interprete(char *lbook, char *path)
}
/* if data from login screen, evaluate it and set cookies */
- if (*getparam("uname") && getparam("upassword")) {
+ if (isparam("uname") && isparam("upassword")) {
/* check if password correct */
- do_crypt(getparam("upassword"), enc_pwd);
+ do_crypt(getparam("upassword"), enc_pwd, sizeof(enc_pwd));
/* log logins */
- write_logfile(NULL, "LOGIN user \"%s\" (attempt) for logbook
selection page", getparam("uname"));
+ strlcpy(uname, getparam("uname"), sizeof(uname));
+ sprintf(str, "LOGIN user \"%s\" (attempt) for logbook selection
page", uname);
+ write_logfile(NULL, str);
if (isparam("redir"))
- strcpy(str, getparam("redir"));
+ strlcpy(str, getparam("redir"), sizeof(str));
else
- strcpy(str, getparam("cmdline"));
+ strlcpy(str, isparam("cmdline") ? getparam("cmdline") : "",
sizeof(str));
if (!check_user_password(NULL, getparam("uname"), enc_pwd, str))
return;
- write_logfile(NULL, "LOGIN user \"%s\" (success)", getparam("uname"));
+ sprintf(str, "LOGIN user \"%s\" (success)", uname);
+ write_logfile(NULL, str);
/* set cookies */
- set_login_cookies(NULL, getparam("uname"), enc_pwd);
+ set_login_cookies(NULL, uname, enc_pwd);
return;
}
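Review bot: Formatting the user name into `str` and then calling `write_logfile(NULL, str)` passes request-controlled text as the format argument. write_logfile declares a `va_list` (see its hunk at -5254), so it presumably expands that argument printf-style and `%` sequences in `uname` would be interpreted, which is the class of bug the r1529 changelog entry removed. A constant format avoids it: `write_logfile(NULL, "%s", str);`, or pass the original format string with `uname` as its argument. The same applies to the `(success)` call here and to both calls in the hunk at -19393, which also still tests `*getparam("uname") && getparam("upassword")` instead of `isparam()`. In this hunk `check_user_password` still receives `getparam("uname")` rather than `uname`.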
@@ -19345,7 +19361,7 @@ void interprete(char *lbook, char *path)
lbs->n_attr = scan_attributes(lbs->name);
if (*getparam("wpassword")) {
/* check if password correct */
- do_crypt(getparam("wpassword"), enc_pwd);
+ do_crypt(getparam("wpassword"), enc_pwd, sizeof(enc_pwd));
if (!check_password(lbs, "Write password", enc_pwd, getparam("redir")))
return;
rsprintf("HTTP/1.1 302 Found\r\n");
@@ -19369,7 +19385,7 @@ void interprete(char *lbook, char *path)
if (*getparam("apassword")) {
/* check if password correct */
- do_crypt(getparam("apassword"), enc_pwd);
+ do_crypt(getparam("apassword"), enc_pwd, sizeof(enc_pwd));
if (!check_password(lbs, "Admin password", enc_pwd, getparam("redir")))
return;
rsprintf("HTTP/1.1 302 Found\r\n");
@@ -19393,18 +19409,21 @@ void interprete(char *lbook, char *path)
if (*getparam("uname") && getparam("upassword")) {
/* check if password correct */
- do_crypt(getparam("upassword"), enc_pwd);
+ do_crypt(getparam("upassword"), enc_pwd, sizeof(enc_pwd));
/* log logins */
- write_logfile(lbs, "LOGIN user \"%s\" (attempt)", getparam("uname"));
+ strlcpy(uname, getparam("uname"), sizeof(uname));
+ sprintf(str, "LOGIN user \"%s\" (attempt)", uname);
+ write_logfile(lbs, str);
if (isparam("redir"))
- strcpy(str, getparam("redir"));
+ strlcpy(str, getparam("redir"), sizeof(str));
else
- strcpy(str, getparam("cmdline"));
- if (!check_user_password(lbs, getparam("uname"), enc_pwd, str))
+ strlcpy(str, isparam("cmdline") ? getparam("cmdline") : "",
sizeof(str));
+ if (!check_user_password(lbs, uname, enc_pwd, str))
return;
- write_logfile(lbs, "LOGIN user \"%s\" (success)", getparam("uname"));
+ sprintf(str, "LOGIN user \"%s\" (success)", uname);
+ write_logfile(lbs, str);
/* set cookies */
- set_login_cookies(lbs, getparam("uname"), enc_pwd);
+ set_login_cookies(lbs, uname, enc_pwd);
return;
}
@@ -19461,7 +19480,8 @@ void interprete(char *lbook, char *path)
/* unlock message */
el_lock_message(lbs, atoi(getparam("edit_id")), NULL);
/* redirect to message */
- sprintf(str, "../%s/%s", logbook_enc, getparam("edit_id"));
+ strlcpy(edit_id, getparam("edit_id"), sizeof(edit_id));
+ sprintf(str, "../%s/%s", logbook_enc, edit_id);
} else
sprintf(str, "../%s/", logbook_enc);
@@ -19488,17 +19508,20 @@ void interprete(char *lbook, char *path)
}
/* check for "Last n*2 Entries" */
- strcpy(str, getparam("last"));
+ strlcpy(str, isparam("last") ? getparam("last") : "", sizeof(str));
if (strchr(str, ' ')) {
i = atoi(strchr(str, ' '));
sprintf(str, "last%d", i);
- if (isparam("mode"))
- sprintf(str + strlen(str), "?mode=%s", getparam("mode"));
+ if (isparam("mode")) {
+ sprintf(str + strlen(str), "?mode=");
+ strlcat(str, getparam("mode"), sizeof(str));
+ }
redirect(lbs, str);
return;
}
strcpy(str, getparam("past"));
+ strlcpy(str, isparam("past") ? getparam("past") : "", sizeof(str));
if (strchr(str, ' ')) {
i = atoi(strchr(str, ' '));
sprintf(str, "past%d", i);
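Review bot: The unbounded `strcpy(str, getparam("past"));` is still present as a context line, directly before the added `strlcpy(str, isparam("past") ? getparam("past") : "", sizeof(str));`. It runs first, so an over-long `past` parameter overflows `str` before the bounded copy is reached; the hunk header (17 to 20 lines) is consistent with the line having been kept rather than replaced. The `strcpy` line should be deleted, as was done for `last` at the top of this hunk.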
@@ -19618,10 +19641,14 @@ void interprete(char *lbook, char *path)
strcpy(command, loc("Last"));
/* check if command allowed for current user */
if (command[0] && !is_user_allowed(lbs, command)) {
+ if (isparam("full_name"))
+ strlcpy(full_name, getparam("full_name"), sizeof(full_name));
+ else
+ full_name[0] = 0;
sprintf(str,
loc
("Error: Command \"<b>%s</b>\" is not allowed for user
\"<b>%s</b>\""),
- command, getparam("full_name"));
+ command, full_name);
show_error(str);
return;
}
@@ -19859,8 +19886,10 @@ void interprete(char *lbook, char *path)
if (isparam("global")) {
if (strieq(getparam("global"), "global"))
strcpy(section, "global");
- else
- sprintf(section, "global %s", getparam("global"));
+ else {
+ sprintf(section, "global ");
+ strlcat(section, getparam("global"), sizeof(section));
+ }
} else
strlcpy(section, lbs->name, sizeof(section));
@@ -19873,11 +19902,13 @@ void interprete(char *lbook, char *path)
sprintf(str, "../%s/", lbs->name_enc);
else
sprintf(str, ".");
- if (isparam("new_user_name"))
- sprintf(str + strlen(str), "?cmd=%s&cfg_user=%s", loc("Config"),
getparam("new_user_name"));
- else if (isparam("cfg_user"))
- sprintf(str + strlen(str), "?cmd=%s&cfg_user=%s", loc("Config"),
getparam("cfg_user"));
- else if (getcfg(lbs->name, "password file", str2, sizeof(str2)))
+ if (isparam("new_user_name")) {
+ sprintf(str + strlen(str), "?cmd=%s&cfg_user=", loc("Config"));
+ strlcat(str, getparam("new_user_name"), sizeof(str));
+ } else if (isparam("cfg_user")) {
+ sprintf(str + strlen(str), "?cmd=%s&cfg_user=", loc("Config"));
+ strlcat(str, getparam("cfg_user"), sizeof(str));
+ } else if (getcfg(lbs->name, "password file", str2, sizeof(str2)))
sprintf(str + strlen(str), "?cmd=%s", loc("Config"));
redirect(lbs, str);
@@ -21119,7 +21150,7 @@ void server_loop(void)
base64_decode(str, cl_pwd);
if (strchr(cl_pwd, ':')) {
p = strchr(cl_pwd, ':') + 1;
- do_crypt(p, str);
+ do_crypt(p, str, sizeof(str));
strcpy(cl_pwd, str);
/* check authorization */
if (strcmp(str, pwd) == 0)
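Review bot: `do_crypt(p, str, sizeof(str))` is bounded by `str`, but the result is then copied with `strcpy(cl_pwd, str)` into a smaller buffer; the server_loop declarations shown in the r1636 patch give `str[1000]` and `cl_pwd[256]`. With `crypt()` the output is short, but in a build without HAVE_CRYPT the base64 fallback expands its input, so a long Basic-auth password could exceed `cl_pwd`; `strlcpy(cl_pwd, str, sizeof(cl_pwd));` closes that gap. The `base64_decode(str, cl_pwd)` call at the top of the hunk takes no size either and should be checked the same way. server_loop's body lies outside the hunk.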
@@ -22182,19 +22213,19 @@ int main(int argc, char *argv[])
}
if (read_pwd[0]) {
- do_crypt(read_pwd, str);
+ do_crypt(read_pwd, str, sizeof(str));
create_password(logbook, "Read Password", str);
exit(EXIT_SUCCESS);
}
if (write_pwd[0]) {
- do_crypt(write_pwd, str);
+ do_crypt(write_pwd, str, sizeof(str));
create_password(logbook, "Write Password", str);
exit(EXIT_SUCCESS);
}
if (admin_pwd[0]) {
- do_crypt(admin_pwd, str);
+ do_crypt(admin_pwd, str, sizeof(str));
create_password(logbook, "Admin Password", str);
exit(EXIT_SUCCESS);
}
Subject: [PATCH] r1487: Fixed infinite redirection
--- a/debian/changelog 2006-01-25 08:21:48.000000000 +0200
+++ b/debian/changelog 2006-01-25 08:32:25.000000000 +0200
@@ -8,6 +8,8 @@ elog (2.5.7+r1558-4+sarge1) unstable; ur
* Backport r1472 from upstream's Subversion repository:
"Do not distinguish between invalid user name and invalid password for
security reasons"
+ * Backport r1487 from upstream's Subversion repository:
+ "Fixed infinite redirection with ?fail=1"
* Backport r1529 from upstream's Subversion repository:
"Fixed bug with fprintf and buffer containing "%""
(Our patch just eliminates the format string vulnerability.)
--- a/src/elogd.c 2006-01-25 08:21:48.000000000 +0200
+++ b/src/elogd.c 2006-01-25 08:32:25.000000000 +0200
@@ -6932,6 +6932,30 @@ void set_login_cookies(LOGBOOK * lbs, ch
/*------------------------------------------------------------------*/
+void remove_all_login_cookies(LOGBOOK * lbs)
+{
+ int i;
+
+ rsprintf("HTTP/1.1 302 Found\r\n");
+ rsprintf("Server: ELOG HTTP %s-%d\r\n", VERSION, atoi(cvs_revision + 13));
+ if (use_keepalive) {
+ rsprintf("Connection: Keep-Alive\r\n");
+ rsprintf("Keep-Alive: timeout=60, max=10\r\n");
+ }
+
+ /* remove global cookies */
+ set_cookie(NULL, "unm", "", TRUE, "");
+ set_cookie(NULL, "upwd", "", TRUE, "");
+
+ for (i = 0; lb_list[i].name[0]; i++) {
+ set_cookie(&lb_list[i], "unm", "", 0, "");
+ set_cookie(&lb_list[i], "upwd", "", 0, "");
+ }
+
+ set_redir(lbs, isparam("redir") ? getparam("redir") : "");
+}
+
+/*------------------------------------------------------------------*/
int exist_file(char *file_name)
{
int fh;
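Review bot: remove_all_login_cookies has no comment, and its contract is not obvious from the name: it starts a complete `302 Found` response itself and ends by calling `set_redir` with the request's `redir` parameter. A header comment would help callers, for example `/* Send a 302 response that clears the unm/upwd cookies globally and for every logbook, then redirects to the "redir" parameter (or the default target) */`. It presumably has to be called before any other response output, which the comment should state once confirmed. Since `redir` comes from the request, it is also worth confirming that set_redir only emits relative targets.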
@@ -18522,7 +18522,11 @@ BOOL check_user_password(LOGBOOK * lbs,
}
if (!check_login_user(lbs, user)) {
- sprintf(str, "?fail=%s", user);
+ if (isparam("fail")) {
+ /* remove remaining cookies */
+ remove_all_login_cookies(lbs);
+ return FALSE;
+ }
redirect(lbs, str);
return FALSE;
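Review bot: Removing `sprintf(str, "?fail=%s", user);` leaves the unchanged `redirect(lbs, str)` using whatever `str` held before this block when `fail` is not set. Unless `str` is assigned earlier (outside the hunk), the first failed login redirects to a stale or uninitialised target, and nothing appends `?fail=` any more, so the new `isparam("fail")` branch would not be reached through this path. The assignment should probably stay, placed after the new `if` block and bounded to the size of `str`. check_user_password starts and ends outside the hunk.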
Subject: [PATCH] r1636: Add IP address to log file
--- a/debian/changelog 2006-01-25 08:53:07.000000000 +0200
+++ b/debian/changelog 2006-01-25 09:08:49.000000000 +0200
@@ -17,6 +17,8 @@ elog (2.5.7+r1558-4+sarge1) unstable; ur
"Fixed potential buffer overflows"
This backport addresses CVE-2005-4439: buffer overflow through long
URL parameters <http://marc.theaimsgroup.com/?m=113498708213563>
+ * Backport r1636 from upstream's Subversion repository:
+ "Added IP address to log file"
-- Florian Weimer <[EMAIL PROTECTED]> Mon, 23 Jan 2006 15:56:37 +0100
--- a/src/elogd.c 2006-01-25 09:00:51.000000000 +0200
+++ b/src/elogd.c 2006-01-25 09:04:18.000000000 +0200
@@ -975,6 +975,7 @@ INT _attachment_size;
INT _max_content_length = MAX_CONTENT_LENGTH;
struct in_addr rem_addr;
char rem_host[256];
+char rem_host_ip[256];
INT _sock;
BOOL verbose, use_keepalive, enable_execute = FALSE;
INT _current_message_id;
@@ -5293,9 +5294,17 @@ void write_logfile(LOGBOOK * lbs, const
if (isparam("unm") && rem_host[0]) {
strlcpy(unm, getparam("unm"), sizeof(unm));
- sprintf(buf + strlen(buf), "[EMAIL PROTECTED] ", unm, rem_host);
- } else if (rem_host[0])
- sprintf(buf + strlen(buf), "[%s] ", rem_host);
+ if (rem_host_ip[0])
+ sprintf(buf + strlen(buf), "[EMAIL PROTECTED](%s)] ", unm, rem_host,
rem_host_ip);
+ else
+ sprintf(buf + strlen(buf), "[EMAIL PROTECTED] ", unm, rem_host);
+ } else if (rem_host[0]) {
+ if (rem_host_ip[0])
+ sprintf(buf + strlen(buf), "[%s(%s)] ", rem_host, rem_host_ip);
+ else
+ sprintf(buf + strlen(buf), "[%s] ", rem_host);
+ } else
+ sprintf(buf + strlen(buf), "[%s] ", rem_host_ip);
if (lbs)
sprintf(buf + strlen(buf), "{%s} ", lbs->name);
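Review bot: `unm` is copied from the request and formatted into the log line as-is, so CR/LF or bracket characters in the user name end up in the log file. Now that the entry carries the client IP for auditing, it would be worth replacing control characters in `unm` before the `sprintf` (for example mapping anything below 0x20 to `?`), so that one request cannot produce what looks like several entries. The final `else` also prints `rem_host_ip` unconditionally and yields an empty `[] ` when both `rem_host` and `rem_host_ip` are empty, where the old code printed nothing.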
@@ -20403,7 +20412,7 @@ void server_loop(void)
struct sockaddr_in serv_addr, acc_addr;
char pwd[256], str[1000], url[256], cl_pwd[256], *p, *pd;
char cookie[256], boundary[256], list[1000], theme[256],
- host_list[MAX_N_LIST][NAME_LENGTH], rem_host_ip[256], logbook[256],
logbook_enc[256], global_cmd[256];
+ host_list[MAX_N_LIST][NAME_LENGTH], logbook[256], logbook_enc[256],
global_cmd[256];
int lsock, len, flag, content_length, header_length;
struct hostent *phe;
fd_set readfds;

