* Florian Weimer [2006-01-24 21:51:00+0100] > * Stefan Ritt: > >> Is this list complete as far as fixes past r1202 are concerned? What > >> about r1487, is it a significant DoS condition? > > > > Yes. > > Okay, this patch shouldn't be too hard to extract. Recai, could you > backport that one and the fixes from r1635 to stable?
OK. I'm sending three separate patches attached for your review: * 0007-r1635-Fix-CVE-2005-4439.txt Backport r1635: aims to fix CVE-2005-4439 * 0008-r1487-Fix-DoS-condition.txt Backport r1487: fixes infinite redirection * 0009-r1636-Add-IP-address-to-logfile.txt [optional] Backport r1636: adds IP address to log file All three patches + your previous six patches were applied and compiled successfully. I've also tested the fixed package on my system without any glitches. Now, I'm going to build and test it in a Sarge chroot jail. Hope I haven't missed anything. Regards, -- roktas
Subject: [PATCH] r1635: Fixes CVE-2005-4439: buffer overflow through long URL parameters --- a/debian/changelog 2006-01-25 08:24:44.000000000 +0200 +++ b/debian/changelog 2006-01-25 08:24:50.000000000 +0200 @@ -11,6 +11,10 @@ elog (2.5.7+r1558-4+sarge1) unstable; ur * Backport r1529 from upstream's Subversion repository: "Fixed bug with fprintf and buffer containing "%"" (Our patch just eliminates the format string vulnerability.) + * Backport r1635 from upstream's Subversion repository: + "Fixed potential buffer overflows" + This backport addresses CVE-2005-4439: buffer overflow through long + URL parameters <http://marc.theaimsgroup.com/?m=113498708213563> -- Florian Weimer <[EMAIL PROTECTED]> Mon, 23 Jan 2006 15:56:37 +0100 --- a/src/elogd.c 2006-01-25 08:21:00.000000000 +0200 +++ b/src/elogd.c 2006-01-25 08:21:48.000000000 +0200 @@ -1839,13 +1839,15 @@ void base64_decode(char *s, char *d) *d = 0; } -void base64_encode(char *s, char *d) +void base64_encode(unsigned char *s, unsigned char *d, int size) { unsigned int t, pad; + unsigned char *p; pad = 3 - strlen(s) % 3; if (pad == 3) pad = 0; + p = d; while (*s) { t = (*s++) << 16; if (*s) @@ -1862,6 +1864,8 @@ void base64_encode(char *s, char *d) *(d + 0) = map[t & 63]; d += 4; + if (d-p >= size-3) + return; } *d = 0; while (pad--) @@ -1898,12 +1902,12 @@ void base64_bufenc(unsigned char *s, int *(--d) = '='; } -void do_crypt(char *s, char *d) +void do_crypt(char *s, char *d, int size) { #ifdef HAVE_CRYPT - strcpy(d, crypt(s, "el")); + strlcpy(d, crypt(s, "el"), size); #else - base64_encode(s, d); + base64_encode((unsigned char *) s, (unsigned char *) d, size); #endif } @@ -2652,7 +2656,7 @@ int retrieve_url(char *url, char **buffe { struct sockaddr_in bind_addr; struct hostent *phe; - char str[256], host[256], subdir[256], param[256], auth[256], pwd_enc[256]; + char str[1000], unm[256], upwd[256], host[256], subdir[256], param[256], auth[256], pwd_enc[256]; int port, bufsize; INT i, n; fd_set readfds; 
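Review bot: The added guard `if (d-p >= size-3) return;` in base64_encode returns without terminating the output: the `*d = 0` and the `=` padding after the loop are skipped, so when a caller's buffer is too small (for instance do_crypt's 32-byte `old_pwd`/`new_pwd` buffers on the non-crypt build) the result is not a C string and a later strcmp reads beyond it. The check also runs only after a group of four bytes has been written, so a `size` below 4 still overflows on the first iteration. Checking before each group and writing the terminator on the truncated path, as below, keeps every write inside `size` and always leaves a string. `pad = 3 - strlen(s) % 3` now also passes an `unsigned char *` to strlen, which is an incompatible-pointer diagnostic; cast it to `(char *) s`. The loop body between the two hunks is unchanged and partly outside them.
```c
void base64_encode(unsigned char *s, unsigned char *d, int size)
{
   unsigned int t, pad;
   unsigned char *p;

   /* need room for at least one 4-byte group plus the terminating NUL */
   if (size < 5) {
      if (size > 0)
         *d = 0;
      return;
   }

   pad = 3 - strlen((char *) s) % 3;
   if (pad == 3)
      pad = 0;
   p = d;
   while (*s) {
      /* stop before a group would leave no room for the NUL */
      if (d - p + 5 > size) {
         *d = 0;            /* truncated, but still a valid string */
         return;
      }
      t = (*s++) << 16;
      /* … unchanged: remaining shifts and the four map[] writes … */
      d += 4;
   }
   *d = 0;
   while (pad--)
      *(--d) = '=';
}
```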
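Review bot: `strlcpy(d, crypt(s, "el"), size)` in do_crypt passes the result of crypt() straight to strlcpy with no NULL check; glibc's crypt() can return NULL on failure (with errno set), in which case the copy dereferences a null pointer and the daemon crashes during a password check. A two-line guard, `const char *c = crypt(s, "el"); strlcpy(d, c ? c : "", size);`, turns that into an empty result instead. On the non-crypt build the `else` branch calls base64_encode, which as patched returns without writing a terminator when `d` is shorter than the encoded text, so the 32-byte password buffers in show_change_pwd_page and save_user_config may not hold a string afterwards.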
@@ -2704,12 +2708,15 @@ int retrieve_url(char *url, char **buffe sprintf(str, "GET %s%s HTTP/1.0\r\nConnection: Close\r\n", subdir, param); /* add local username/password */ - if (isparam("unm")) + if (isparam("unm") && isparam("upwd")) { + strlcpy(unm, getparam("unm"), sizeof(unm)); + strlcpy(upwd, getparam("upwd"), sizeof(upwd)); sprintf(str + strlen(str), "Cookie: unm=%s; upwd=%s\r\n", getparam("unm"), getparam("upwd")); + } if (rpwd && rpwd[0]) { sprintf(auth, "anybody:%s", rpwd); - base64_encode(auth, pwd_enc); + base64_encode((unsigned char *) auth, (unsigned char *) pwd_enc, sizeof(pwd_enc)); sprintf(str + strlen(str), "Authorization: Basic %s\r\n", pwd_enc); } @@ -3523,13 +3530,13 @@ void check_config() void retrieve_email_from(LOGBOOK * lbs, char *ret, char attrib[MAX_N_ATTR][NAME_LENGTH]) { - char str[256], *p, login_name[256]; + char email_from[256], str[256], *p, login_name[256]; char slist[MAX_N_ATTR + 10][NAME_LENGTH], svalue[MAX_N_ATTR + 10][NAME_LENGTH]; int i; if (!getcfg(lbs->name, "Use Email from", str, sizeof(str))) { if (isparam("user_email") && *getparam("user_email")) - strcpy(str, getparam("user_email")); + strlcpy(str, getparam("user_email"), sizeof(email_from)); else sprintf(str, "[EMAIL PROTECTED]", host_name); } @@ -5254,7 +5261,7 @@ void write_logfile(LOGBOOK * lbs, const { char file_name[2000]; va_list argptr; - char str[10000]; + char str[10000], unm[256]; FILE *f; time_t now; char buf[10000]; @@ -5284,9 +5291,10 @@ void write_logfile(LOGBOOK * lbs, const strftime(buf, sizeof(buf), "%d-%b-%Y %H:%M:%S", localtime(&now)); strcat(buf, " "); - if (*getparam("unm") && rem_host[0]) - sprintf(buf + strlen(buf), "[EMAIL PROTECTED] ", getparam("unm"), rem_host); - else if (rem_host[0]) + if (isparam("unm") && rem_host[0]) { + strlcpy(unm, getparam("unm"), sizeof(unm)); + sprintf(buf + strlen(buf), "[EMAIL PROTECTED] ", unm, rem_host); + } else if (rem_host[0]) sprintf(buf + strlen(buf), "[%s] ", rem_host); if (lbs) 
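Review bot: In retrieve_url the new `unm` and `upwd` copies are never used: the `sprintf(str + strlen(str), "Cookie: unm=%s; upwd=%s\r\n", getparam("unm"), getparam("upwd"))` on the next line still takes the raw parameters, so the Cookie header is appended to `str` unbounded even though `str` only grew to 1000 bytes. Either format from the bounded copies, `..., unm, upwd);`, or better append with a length check such as `snprintf(str + strlen(str), sizeof(str) - strlen(str), "Cookie: unm=%s; upwd=%s\r\n", unm, upwd);`. retrieve_url's body continues outside the hunk.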
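Review bot: In retrieve_email_from the bounded copy `strlcpy(str, getparam("user_email"), sizeof(email_from))` is sized by a different buffer than the one it writes to; both are 256 bytes today, but the bound should be `sizeof(str)`, and `email_from` is otherwise unused in the hunk and can be dropped from the declaration. The `sprintf(str, "...", host_name)` in the else branch (its format has been masked by the list archive) also remains unbounded, which matters if `host_name` can approach the size of `str`. The function continues past the hunk.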
@@ -5960,7 +5968,7 @@ void set_redir(LOGBOOK * lbs, char *redi /* prepare relative path */ if (redir[0]) - strcpy(str, redir); + strlcpy(str, redir, sizeof(str)); else { if (lbs) sprintf(str, "../%s/", lbs->name_enc); @@ -7149,7 +7157,7 @@ int build_subst_list(LOGBOOK * lbs, char } else strcpy(value[i], attrib[i]); } else - strcpy(value[i], getparam(attr_list[i])); + strlcpy(value[i], isparam(attr_list[i]) ? getparam(attr_list[i]) : "", NAME_LENGTH); } /* add remote host */ @@ -7320,21 +7328,21 @@ BOOL change_pwd(LOGBOOK * lbs, char *use void show_change_pwd_page(LOGBOOK * lbs) { - char str[256], old_pwd[32], new_pwd[32], new_pwd2[32], act_pwd[32], user[80]; + char str[256], config[80], old_pwd[32], new_pwd[32], new_pwd2[32], act_pwd[32], user[80]; int wrong_pwd; old_pwd[0] = new_pwd[0] = new_pwd2[0] = 0; if (isparam("oldpwd")) - do_crypt(getparam("oldpwd"), old_pwd); + do_crypt(getparam("oldpwd"), old_pwd, sizeof(old_pwd)); if (isparam("newpwd")) - do_crypt(getparam("newpwd"), new_pwd); + do_crypt(getparam("newpwd"), new_pwd, sizeof(new_pwd)); if (isparam("newpwd2")) - do_crypt(getparam("newpwd2"), new_pwd2); + do_crypt(getparam("newpwd2"), new_pwd2, sizeof(new_pwd2)); - strcpy(user, getparam("unm")); + strlcpy(user, isparam("unm") ? getparam("unm") : "", sizeof(user)); if (isparam("config")) - strcpy(user, getparam("config")); + strlcpy(user, getparam("config"), sizeof(user)); wrong_pwd = FALSE; @@ -7367,7 +7375,11 @@ void show_change_pwd_page(LOGBOOK * lbs) if (!wrong_pwd) { /* redirect back to configuration page */ - sprintf(str, "?cmd=%s&cfg_user=%s", loc("Config"), getparam("config")); + if (isparam("config")) { + strlcpy(config, getparam("config"), sizeof(config)); + sprintf(str, "?cmd=%s&cfg_user=%s", loc("Config"), config); + } else + sprintf(str, "?cmd=%s", loc("Config")); redirect(lbs, str); return; } 
@@ -7642,7 +7654,7 @@ void show_edit_form(LOGBOOK * lbs, int m if (breedit || bupload) { /* get date from parameter */ if (*getparam("entry_date")) - strcpy(date, getparam("entry_date")); + strlcpy(date, getparam("entry_date"), sizeof(date)); /* get attributes from parameters */ attrib_from_param(lbs->n_attr, attrib); @@ -7656,7 +7668,7 @@ void show_edit_form(LOGBOOK * lbs, int m } /* get encoding */ - strcpy(encoding, atoi(getparam("html")) == 1 ? "HTML" : "plain"); + strlcpy(encoding, isparam("encoding") ? getparam("encoding") : "", sizeof(encoding)); } else { if (message_id) { /* get message for reply/edit */ @@ -7668,9 +7680,9 @@ void show_edit_form(LOGBOOK * lbs, int m if (bedit) { if (getcfg(lbs->name, "Use Lock", str, sizeof(str)) && atoi(str) == 1) { if (*getparam("full_name")) - strcpy(str, getparam("full_name")); + strlcpy(str, getparam("full_name"), sizeof(str)); else - strcpy(str, loc("user")); + strlcpy(str, loc("user"), sizeof(str)); strcat(str, " "); strcat(str, loc("on")); @@ -9876,11 +9888,11 @@ int save_user_config(LOGBOOK * lbs, char if (!activate) { /* check for hidden password */ if (isparam("hpwd")) { - strcpy(new_pwd, getparam("hpwd")); + strlcpy(new_pwd, getparam("hpwd"), sizeof(new_pwd)); } else { /* check if passwords match */ - do_crypt(getparam("newpwd"), new_pwd); - do_crypt(getparam("newpwd2"), new_pwd2); + do_crypt(getparam("newpwd"), new_pwd, sizeof(new_pwd)); + do_crypt(getparam("newpwd2"), new_pwd2, sizeof(new_pwd2)); if (strcmp(new_pwd, new_pwd2) != 0) { show_error(loc("New passwords do not match, please retype")); @@ -10082,7 +10094,7 @@ int save_user_config(LOGBOOK * lbs, char strcpy(str, getparam("new_full_name")); url_encode(str, sizeof(str)); - do_crypt(getparam("newpwd"), enc_pwd); + do_crypt(getparam("newpwd"), enc_pwd, sizeof(enc_pwd)); url_encode(enc_pwd, sizeof(enc_pwd)); sprintf(mail_text + strlen(mail_text), "?cmd=Activate&new_user_name=%s&new_full_name=%s&new_user_email=%s&email_notify=%s&encpwd=%s&unm=%s\r\n", 
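Review bot: The replacement `strlcpy(encoding, isparam("encoding") ? getparam("encoding") : "", sizeof(encoding))` in show_edit_form changes behaviour, not only bounds: the old line derived `encoding` from the `html` parameter and normalised it to `"HTML"` or `"plain"`, while the new one reads a different parameter and stores its raw value (or an empty string). For a stable backport this should be confirmed against what the edit form actually submits and against every later comparison of `encoding`; if the intent is only to bound the copy, `strlcpy(encoding, atoi(getparam("html")) == 1 ? "HTML" : "plain", sizeof(encoding));` preserves the old semantics. The enclosing function continues outside the hunk.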
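Review bot: In the second save_user_config hunk, `strcpy(str, getparam("new_full_name"));` immediately above the changed do_crypt call is still an unbounded copy of a request parameter into `str`, the very pattern this backport is meant to remove; `strlcpy(str, isparam("new_full_name") ? getparam("new_full_name") : "", sizeof(str));` would match the rest of the patch. In the first hunk, `do_crypt(getparam("newpwd"), ...)` and `do_crypt(getparam("newpwd2"), ...)` are called without an `isparam` check, unlike the guarded calls in show_change_pwd_page, so if getparam() can return NULL for a missing parameter the strlen inside do_crypt/base64_encode would dereference it. Both hunks sit inside save_user_config, which starts and ends outside them.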
@@ -10370,8 +10382,8 @@ void show_forgot_pwd_page(LOGBOOK * lbs) for (i = 0; i < 6; i++) str[i] = rand() & 0x7F; str[i] = 0; - base64_encode(str, pwd); - do_crypt(pwd, pwd_encrypted); + base64_encode((unsigned char *) str, (unsigned char *) pwd, sizeof(pwd)); + do_crypt(pwd, pwd_encrypted, sizeof(pwd_encrypted)); /* send email with new password */ if (!getcfg("global", "SMTP host", smtp_host, sizeof(smtp_host))) { @@ -12353,7 +12365,7 @@ void receive_pwdfile(LOGBOOK * lbs, char eprintf("\n"); while (str[strlen(str) - 1] == '\r' || str[strlen(str) - 1] == '\n') str[strlen(str) - 1] = 0; - do_crypt(str, pwd); + do_crypt(str, pwd, sizeof(pwd)); setparam("upwd", pwd); status = 0; } @@ -12597,7 +12609,7 @@ void synchronize_logbook(LOGBOOK * lbs, eprintf("\n"); while (str[strlen(str) - 1] == '\r' || str[strlen(str) - 1] == '\n') str[strlen(str) - 1] = 0; - do_crypt(str, pwd); + do_crypt(str, pwd, sizeof(pwd)); setparam("upwd", pwd); } else { @@ -14969,20 +14981,21 @@ void show_elog_list(LOGBOOK * lbs, INT p } /* default mode */ - strcpy(mode, "Summary"); + strlcpy(mode, "Summary", sizeof(mode)); show_attachments = FALSE; /* for page display, get mode from config file */ if (past_n || last_n || page_n) { if (getcfg(lbs->name, "Display Mode", str, sizeof(str))) - strcpy(mode, str); + strlcpy(mode, str, sizeof(mode)); if (*getparam("mode")) - strcpy(mode, getparam("mode")); + strlcpy(mode, getparam("mode"), sizeof(mode)); } else { /* for find result, get mode from find form */ - strcpy(mode, getparam("mode")); + strlcpy(mode, getparam("mode"), sizeof(mode)); if (mode[0] == 0) strcpy(mode, "Full"); + strlcpy(mode, "Full", sizeof(mode)); } threaded = strieq(mode, "threaded"); @@ -15205,7 +15218,7 @@ void show_elog_list(LOGBOOK * lbs, INT p /* compile regex for subtext */ if (*getparam("subtext")) { - strcpy(str, getparam("subtext")); + strlcpy(str, getparam("subtext"), sizeof(str)); flags = REG_EXTENDED; if (!isparam("casesensitive")) flags |= REG_ICASE; 
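Review bot: The added `strlcpy(mode, "Full", sizeof(mode));` in show_elog_list's find-result branch is unconditional: it sits after the `if (mode[0] == 0)` statement instead of replacing its body, so `mode` is overwritten with "Full" on every find, discarding the value just copied from the `mode` parameter two lines earlier. The original `strcpy(mode, "Full");` should be the line that is removed, leaving `if (mode[0] == 0) strlcpy(mode, "Full", sizeof(mode));`. show_elog_list continues outside the hunk.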
@@ -15215,7 +15228,7 @@ void show_elog_list(LOGBOOK * lbs, INT p /* compile regex for attributes */ for (i = 0; i < lbs->n_attr; i++) { if (*getparam(attr_list[i])) { - strcpy(str, getparam(attr_list[i])); + strlcpy(str, getparam(attr_list[i]), sizeof(str)); /* if value starts with '$', substitute it */ if (str[0] == '$') { @@ -15313,7 +15326,7 @@ void show_elog_list(LOGBOOK * lbs, INT p } else { - strcpy(str, getparam(attr_list[i])); + strlcpy(str, isparam(attr_list[i]) ? getparam(attr_list[i]) : "", sizeof(str)); /* if value starts with '$', substitute it */ if (str[0] == '$') { @@ -15397,7 +15410,7 @@ void show_elog_list(LOGBOOK * lbs, INT p if (j < index) { /* set date from current message, if later */ if (strcmp(msg_list[j].string, msg_list[index].string) < 0) - strcpy(msg_list[j].string, msg_list[index].string); + strlcpy(msg_list[j].string, msg_list[index].string, 256); msg_list[index].lbs = NULL; // delete current message continue; @@ -15558,7 +15571,7 @@ void show_elog_list(LOGBOOK * lbs, INT p /*---- title ----*/ - strcpy(str, ", "); + strlcpy(str, ", ", sizeof(str)); if (past_n == 1) strcat(str, loc("Last day")); else if (past_n > 1) @@ -15583,7 +15596,7 @@ void show_elog_list(LOGBOOK * lbs, INT p rsprintf("<tr><td class=\"menuframe\"><span class=\"menu1\">\n"); /* current command line for select command */ - strcpy(str, getparam("cmdline")); + strlcpy(str, isparam("cmdline") ? getparam("cmdline") : "", sizeof(str)); /* remove select switch */ if (strstr(str, "select=1")) { 
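Review bot: `strlcpy(msg_list[j].string, msg_list[index].string, 256)` in show_elog_list hard-codes the bound instead of deriving it from the destination; if `string` is an array member, `sizeof(msg_list[j].string)` keeps the bound tied to the declaration, and if it is a pointer the literal must match its allocation and deserves a comment saying so. Every other copy in this patch uses `sizeof` of the destination, so this one stands out. The surrounding loop starts outside the hunk.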
@@ -15603,18 +15616,18 @@ void show_elog_list(LOGBOOK * lbs, INT p /* default menu commands */ if (menu_str[0] == 0) { - strcpy(menu_str, "New, Find, Select, CSV Import, "); + strlcpy(menu_str, "New, Find, Select, CSV Import, ", sizeof(menu_str)); if (getcfg(lbs->name, "Password file", str, sizeof(str))) - strcat(menu_str, "Config, Logout, "); + strlcat(menu_str, "Config, Logout, ", sizeof(menu_str)); else - strcat(menu_str, "Config, "); + strlcat(menu_str, "Config, ", sizeof(menu_str)); if (getcfg(lbs->name, "Mirror server", str, sizeof(str))) - strcat(menu_str, "Synchronize, "); + strlcat(menu_str, "Synchronize, ", sizeof(menu_str)); - strcpy(str, loc("Last x")); - strcat(menu_str, "Last x, Help"); + strlcpy(str, loc("Last x"), sizeof(str)); + strlcat(menu_str, "Last x, Help, ", sizeof(menu_str)); } n = strbreak(menu_str, menu_item, MAX_N_LIST, ","); @@ -15632,7 +15645,7 @@ void show_elog_list(LOGBOOK * lbs, INT p rsprintf(" <a href=\"last%d?mode=%s\">%s</a> |\n", last_n * 2, mode, str); } } else if (strieq(menu_item[i], "Select")) { - strcpy(str, getparam("cmdline")); + strlcpy(str, isparam("cmdline") ? getparam("cmdline") : "", sizeof(str)); if (atoi(getparam("select")) == 1) { /* remove select switch */ if (strstr(str, "select=1")) { @@ -15649,7 +15662,7 @@ void show_elog_list(LOGBOOK * lbs, INT p } rsprintf(" <a href=\"%s\">%s</a> |\n", str, loc("Select")); } else { - strcpy(str, loc(menu_item[i])); + strlcpy(str, loc(menu_item[i]), sizeof(str)); url_encode(str, sizeof(str)); if (i < n - 1) @@ -15673,7 +15686,7 @@ void show_elog_list(LOGBOOK * lbs, INT p /* check if file starts with an absolute directory */ if (str[0] == DIR_SEPARATOR || str[1] == ':') - strcpy(file_name, str); + strlcpy(file_name, str, sizeof(file_name)); else { strlcpy(file_name, resource_dir, sizeof(file_name)); strlcat(file_name, str, sizeof(file_name)); 
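Review bot: `strlcat(menu_str, "Last x, Help, ", sizeof(menu_str));` changes the default menu string, not only the copy: the old literal was `"Last x, Help"` with no trailing separator, so `strbreak(menu_str, menu_item, MAX_N_LIST, ",")` may now yield a trailing empty item and an extra `|` in the rendered menu. If this mirrors upstream r1635 it is fine; otherwise keep `"Last x, Help"` as the literal. The rest of show_elog_list is outside the hunk.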
@@ -19145,10 +19158,10 @@ void interprete(char *lbook, char *path) \********************************************************************/ { int status, i, j, n, index, lb_index, message_id; - char exp[80], list[1000], section[256], str[NAME_LENGTH], str2[NAME_LENGTH], - enc_pwd[80], file_name[256], command[80], ref[256], enc_path[256], dec_path[256], + char exp[80], list[1000], section[256], str[NAME_LENGTH], str2[NAME_LENGTH], edit_id[80], + enc_pwd[80], file_name[256], command[80], ref[256], enc_path[256], dec_path[256], uname[80], logbook[256], logbook_enc[256], *experiment, *value, *group, css[256], *pfile, - attachment[MAX_PATH_LENGTH]; + attachment[MAX_PATH_LENGTH], full_name[256]; BOOL global; LOGBOOK *lbs; FILE *f; @@ -19158,7 +19171,7 @@ void interprete(char *lbook, char *path) url_decode(dec_path); strcpy(enc_path, dec_path); url_encode(enc_path, sizeof(enc_path)); - strcpy(command, getparam("cmd")); + strlcpy(command, isparam("cmd") ? getparam("cmd") : "", sizeof(command)); experiment = getparam("exp"); value = getparam("value"); group = getparam("group"); @@ -19171,7 +19184,7 @@ void interprete(char *lbook, char *path) /* evaluate "jcmd" */ if (isparam("jcmd") && *getparam("jcmd")) - strcpy(command, getparam("jcmd")); + strlcpy(command, getparam("jcmd"), sizeof(command)); /* if experiment given, use it as logbook (for elog!) */ if (experiment && experiment[0]) { 
@@ -19267,20 +19280,23 @@ void interprete(char *lbook, char *path) } /* if data from login screen, evaluate it and set cookies */ - if (*getparam("uname") && getparam("upassword")) { + if (isparam("uname") && isparam("upassword")) { /* check if password correct */ - do_crypt(getparam("upassword"), enc_pwd); + do_crypt(getparam("upassword"), enc_pwd, sizeof(enc_pwd)); /* log logins */ - write_logfile(NULL, "LOGIN user \"%s\" (attempt) for logbook selection page", getparam("uname")); + strlcpy(uname, getparam("uname"), sizeof(uname)); + sprintf(str, "LOGIN user \"%s\" (attempt) for logbook selection page", uname); + write_logfile(NULL, str); if (isparam("redir")) - strcpy(str, getparam("redir")); + strlcpy(str, getparam("redir"), sizeof(str)); else - strcpy(str, getparam("cmdline")); + strlcpy(str, isparam("cmdline") ? getparam("cmdline") : "", sizeof(str)); if (!check_user_password(NULL, getparam("uname"), enc_pwd, str)) return; - write_logfile(NULL, "LOGIN user \"%s\" (success)", getparam("uname")); + sprintf(str, "LOGIN user \"%s\" (success)", uname); + write_logfile(NULL, str); /* set cookies */ - set_login_cookies(NULL, getparam("uname"), enc_pwd); + set_login_cookies(NULL, uname, enc_pwd); return; } @@ -19345,7 +19361,7 @@ void interprete(char *lbook, char *path) lbs->n_attr = scan_attributes(lbs->name); if (*getparam("wpassword")) { /* check if password correct */ - do_crypt(getparam("wpassword"), enc_pwd); + do_crypt(getparam("wpassword"), enc_pwd, sizeof(enc_pwd)); if (!check_password(lbs, "Write password", enc_pwd, getparam("redir"))) return; rsprintf("HTTP/1.1 302 Found\r\n"); @@ -19369,7 +19385,7 @@ void interprete(char *lbook, char *path) if (*getparam("apassword")) { /* check if password correct */ - do_crypt(getparam("apassword"), enc_pwd); + do_crypt(getparam("apassword"), enc_pwd, sizeof(enc_pwd)); if (!check_password(lbs, "Admin password", enc_pwd, getparam("redir"))) return; rsprintf("HTTP/1.1 302 Found\r\n"); 
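Review bot: The rewritten login logging in interprete passes user-controlled text as the format string: `sprintf(str, "LOGIN user \"%s\" (attempt) for logbook selection page", uname); write_logfile(NULL, str);`, where write_logfile, judging by the `va_list argptr` in its earlier hunk and by the removed call that passed `"%s"` and `getparam("uname")` as separate arguments, formats its second parameter with a printf-style routine. A login name containing `%` conversions would then be interpreted by the formatter, which is the class of bug the r1529 backport listed in this changelog removed. Pass the prepared text as an argument instead, `write_logfile(NULL, "%s", str);`, for both the attempt and success lines here and for the two corresponding `write_logfile(lbs, str)` calls in the next interprete hunk; alternatively keep the original calls and simply pass the bounded `uname` as the `%s` argument. interprete starts and ends outside these hunks.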
@@ -19393,18 +19409,21 @@ void interprete(char *lbook, char *path) if (*getparam("uname") && getparam("upassword")) { /* check if password correct */ - do_crypt(getparam("upassword"), enc_pwd); + do_crypt(getparam("upassword"), enc_pwd, sizeof(enc_pwd)); /* log logins */ - write_logfile(lbs, "LOGIN user \"%s\" (attempt)", getparam("uname")); + strlcpy(uname, getparam("uname"), sizeof(uname)); + sprintf(str, "LOGIN user \"%s\" (attempt)", uname); + write_logfile(lbs, str); if (isparam("redir")) - strcpy(str, getparam("redir")); + strlcpy(str, getparam("redir"), sizeof(str)); else - strcpy(str, getparam("cmdline")); - if (!check_user_password(lbs, getparam("uname"), enc_pwd, str)) + strlcpy(str, isparam("cmdline") ? getparam("cmdline") : "", sizeof(str)); + if (!check_user_password(lbs, uname, enc_pwd, str)) return; - write_logfile(lbs, "LOGIN user \"%s\" (success)", getparam("uname")); + sprintf(str, "LOGIN user \"%s\" (success)", uname); + write_logfile(lbs, str); /* set cookies */ - set_login_cookies(lbs, getparam("uname"), enc_pwd); + set_login_cookies(lbs, uname, enc_pwd); return; } @@ -19461,7 +19480,8 @@ void interprete(char *lbook, char *path) /* unlock message */ el_lock_message(lbs, atoi(getparam("edit_id")), NULL); /* redirect to message */ - sprintf(str, "../%s/%s", logbook_enc, getparam("edit_id")); + strlcpy(edit_id, getparam("edit_id"), sizeof(edit_id)); + sprintf(str, "../%s/%s", logbook_enc, edit_id); } else sprintf(str, "../%s/", logbook_enc); 
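Review bot: The guard `if (*getparam("uname") && getparam("upassword"))` at the top of this interprete hunk is left unchanged while the equivalent guard in the previous hunk was converted to `if (isparam("uname") && isparam("upassword"))`; the two login paths should use the same test, and as written a present-but-empty `upassword` still enters the block and crypts an empty string. Use `if (isparam("uname") && isparam("upassword"))` here too. In the `edit_id` hunk, `getparam("edit_id")` is used without an `isparam` check (as is the `atoi(getparam("edit_id"))` on the line above), which matters if getparam() can return NULL for a missing parameter.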
@@ -19488,17 +19508,20 @@ void interprete(char *lbook, char *path) } /* check for "Last n*2 Entries" */ - strcpy(str, getparam("last")); + strlcpy(str, isparam("last") ? getparam("last") : "", sizeof(str)); if (strchr(str, ' ')) { i = atoi(strchr(str, ' ')); sprintf(str, "last%d", i); - if (isparam("mode")) - sprintf(str + strlen(str), "?mode=%s", getparam("mode")); + if (isparam("mode")) { + sprintf(str + strlen(str), "?mode="); + strlcat(str, getparam("mode"), sizeof(str)); + } redirect(lbs, str); return; } strcpy(str, getparam("past")); + strlcpy(str, isparam("past") ? getparam("past") : "", sizeof(str)); if (strchr(str, ' ')) { i = atoi(strchr(str, ' ')); sprintf(str, "past%d", i); @@ -19618,10 +19641,14 @@ void interprete(char *lbook, char *path) strcpy(command, loc("Last")); /* check if command allowed for current user */ if (command[0] && !is_user_allowed(lbs, command)) { + if (isparam("full_name")) + strlcpy(full_name, getparam("full_name"), sizeof(full_name)); + else + full_name[0] = 0; sprintf(str, loc ("Error: Command \"<b>%s</b>\" is not allowed for user \"<b>%s</b>\""), - command, getparam("full_name")); + command, full_name); show_error(str); return; } @@ -19859,8 +19886,10 @@ void interprete(char *lbook, char *path) if (isparam("global")) { if (strieq(getparam("global"), "global")) strcpy(section, "global"); - else - sprintf(section, "global %s", getparam("global")); + else { + sprintf(section, "global "); + strlcat(section, getparam("global"), sizeof(section)); + } } else strlcpy(section, lbs->name, sizeof(section)); 
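Review bot: In the `past` handling the original `strcpy(str, getparam("past"));` was not removed: the hunk adds `strlcpy(str, isparam("past") ? getparam("past") : "", sizeof(str));` after it with no `-` line, so the unbounded copy still runs first and the overflow this backport targets remains on that path. Drop the strcpy line, as was done for the `last` parameter at the top of the same hunk. interprete continues outside the hunk.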
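Review bot: The error message built for is_user_allowed embeds `command` (taken from the `cmd`/`jcmd` parameters) and the new `full_name` copy inside `<b>` tags and hands it to show_error; since the message itself carries markup, show_error presumably emits it as HTML, so neither value appears to be escaped before being reflected to the client. If that is how show_error behaves, both values should go through whatever HTML-escaping helper this file uses for user text before the sprintf. The `sprintf(str, loc(...), command, full_name)` is also bounded only by `command[80]` and `full_name[256]` relative to `str[NAME_LENGTH]`, which is worth confirming.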
@@ -19873,11 +19902,13 @@ void interprete(char *lbook, char *path) sprintf(str, "../%s/", lbs->name_enc); else sprintf(str, "."); - if (isparam("new_user_name")) - sprintf(str + strlen(str), "?cmd=%s&cfg_user=%s", loc("Config"), getparam("new_user_name")); - else if (isparam("cfg_user")) - sprintf(str + strlen(str), "?cmd=%s&cfg_user=%s", loc("Config"), getparam("cfg_user")); - else if (getcfg(lbs->name, "password file", str2, sizeof(str2))) + if (isparam("new_user_name")) { + sprintf(str + strlen(str), "?cmd=%s&cfg_user=", loc("Config")); + strlcat(str, getparam("new_user_name"), sizeof(str)); + } else if (isparam("cfg_user")) { + sprintf(str + strlen(str), "?cmd=%s&cfg_user=", loc("Config")); + strlcat(str, getparam("cfg_user"), sizeof(str)); + } else if (getcfg(lbs->name, "password file", str2, sizeof(str2))) sprintf(str + strlen(str), "?cmd=%s", loc("Config")); redirect(lbs, str); @@ -21119,7 +21150,7 @@ void server_loop(void) base64_decode(str, cl_pwd); if (strchr(cl_pwd, ':')) { p = strchr(cl_pwd, ':') + 1; - do_crypt(p, str); + do_crypt(p, str, sizeof(str)); strcpy(cl_pwd, str); /* check authorization */ if (strcmp(str, pwd) == 0) @@ -22182,19 +22213,19 @@ int main(int argc, char *argv[]) } if (read_pwd[0]) { - do_crypt(read_pwd, str); + do_crypt(read_pwd, str, sizeof(str)); create_password(logbook, "Read Password", str); exit(EXIT_SUCCESS); } if (write_pwd[0]) { - do_crypt(write_pwd, str); + do_crypt(write_pwd, str, sizeof(str)); create_password(logbook, "Write Password", str); exit(EXIT_SUCCESS); } if (admin_pwd[0]) { - do_crypt(admin_pwd, str); + do_crypt(admin_pwd, str, sizeof(str)); create_password(logbook, "Admin Password", str); exit(EXIT_SUCCESS); }
Subject: [PATCH] r1487: Fixed infinite redirection --- a/debian/changelog 2006-01-25 08:21:48.000000000 +0200 +++ b/debian/changelog 2006-01-25 08:32:25.000000000 +0200 @@ -8,6 +8,8 @@ elog (2.5.7+r1558-4+sarge1) unstable; ur * Backport r1472 from upstream's Subversion repository: "Do not distinguish between invalid user name and invalid password for security reasons" + * Backport r1487 from upstream's Subversion repository: + "Fixed infinite redirection with ?fail=1" * Backport r1529 from upstream's Subversion repository: "Fixed bug with fprintf and buffer containing "%"" (Our patch just eliminates the format string vulnerability.) --- a/src/elogd.c 2006-01-25 08:21:48.000000000 +0200 +++ b/src/elogd.c 2006-01-25 08:32:25.000000000 +0200 @@ -6932,6 +6932,30 @@ void set_login_cookies(LOGBOOK * lbs, ch /*------------------------------------------------------------------*/ +void remove_all_login_cookies(LOGBOOK * lbs) +{ + int i; + + rsprintf("HTTP/1.1 302 Found\r\n"); + rsprintf("Server: ELOG HTTP %s-%d\r\n", VERSION, atoi(cvs_revision + 13)); + if (use_keepalive) { + rsprintf("Connection: Keep-Alive\r\n"); + rsprintf("Keep-Alive: timeout=60, max=10\r\n"); + } + + /* remove global cookies */ + set_cookie(NULL, "unm", "", TRUE, ""); + set_cookie(NULL, "upwd", "", TRUE, ""); + + for (i = 0; lb_list[i].name[0]; i++) { + set_cookie(&lb_list[i], "unm", "", 0, ""); + set_cookie(&lb_list[i], "upwd", "", 0, ""); + } + + set_redir(lbs, isparam("redir") ? getparam("redir") : ""); +} + +/*------------------------------------------------------------------*/ int exist_file(char *file_name) { int fh; @@ -18522,7 +18522,11 @@ BOOL check_user_password(LOGBOOK * lbs, } if (!check_login_user(lbs, user)) { - sprintf(str, "?fail=%s", user); + if (isparam("fail")) { + /* remove remaining cookies */ + remove_all_login_cookies(lbs); + return FALSE; + } redirect(lbs, str); return FALSE;
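Review bot: In check_user_password the removed `sprintf(str, "?fail=%s", user);` was the line that set `str` before `redirect(lbs, str)`, which is still reached in the non-fail case; after this hunk the redirect uses whatever `str` held earlier in the function, and the target no longer carries `fail=`, so the new `isparam("fail")` branch that is meant to break the redirect loop would not be reached on the next request. Upstream presumably kept that sprintf; it should be restored ahead of the new `if`. In remove_all_login_cookies the same set_cookie argument is passed as `TRUE` for the global cookies and `0` for the per-logbook ones; use one form (`TRUE`/`FALSE`) so the intent is clear. check_user_password starts and ends outside the hunk.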
Subject: [PATCH] r1636: Add IP address to log file --- a/debian/changelog 2006-01-25 08:53:07.000000000 +0200 +++ b/debian/changelog 2006-01-25 09:08:49.000000000 +0200 @@ -17,6 +17,8 @@ elog (2.5.7+r1558-4+sarge1) unstable; ur "Fixed potential buffer overflows" This backport addresses CVE-2005-4439: buffer overflow through long URL parameters <http://marc.theaimsgroup.com/?m=113498708213563> + * Backport r1636 from upstream's Subversion repository: + "Added IP address to log file" -- Florian Weimer <[EMAIL PROTECTED]> Mon, 23 Jan 2006 15:56:37 +0100 --- a/src/elogd.c 2006-01-25 09:00:51.000000000 +0200 +++ b/src/elogd.c 2006-01-25 09:04:18.000000000 +0200 @@ -975,6 +975,7 @@ INT _attachment_size; INT _max_content_length = MAX_CONTENT_LENGTH; struct in_addr rem_addr; char rem_host[256]; +char rem_host_ip[256]; INT _sock; BOOL verbose, use_keepalive, enable_execute = FALSE; INT _current_message_id; @@ -5293,9 +5294,17 @@ void write_logfile(LOGBOOK * lbs, const if (isparam("unm") && rem_host[0]) { strlcpy(unm, getparam("unm"), sizeof(unm)); - sprintf(buf + strlen(buf), "[EMAIL PROTECTED] ", unm, rem_host); - } else if (rem_host[0]) - sprintf(buf + strlen(buf), "[%s] ", rem_host); + if (rem_host_ip[0]) + sprintf(buf + strlen(buf), "[EMAIL PROTECTED](%s)] ", unm, rem_host, rem_host_ip); + else + sprintf(buf + strlen(buf), "[EMAIL PROTECTED] ", unm, rem_host); + } else if (rem_host[0]) { + if (rem_host_ip[0]) + sprintf(buf + strlen(buf), "[%s(%s)] ", rem_host, rem_host_ip); + else + sprintf(buf + strlen(buf), "[%s] ", rem_host); + } else + sprintf(buf + strlen(buf), "[%s] ", rem_host_ip); if (lbs) sprintf(buf + strlen(buf), "{%s} ", lbs->name); 
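Review bot: Promoting `rem_host_ip` to a file-scope global (and removing server_loop's local in the next hunk) means write_logfile now logs whatever the last connection stored there; unless server_loop resets the buffer for every accepted connection, which is not visible here, a request whose address lookup fails would be attributed to the previous client's IP in the log. Clearing it per request, `rem_host_ip[0] = 0;`, next to wherever `rem_host` is reset avoids that. The final `else` branch also prints `[%s] ` with `rem_host_ip` even when it is empty, producing `[] ` where the old code printed nothing; guard it with `if (rem_host_ip[0])`. write_logfile continues outside the hunk.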
@@ -20403,7 +20412,7 @@ void server_loop(void) struct sockaddr_in serv_addr, acc_addr; char pwd[256], str[1000], url[256], cl_pwd[256], *p, *pd; char cookie[256], boundary[256], list[1000], theme[256], - host_list[MAX_N_LIST][NAME_LENGTH], rem_host_ip[256], logbook[256], logbook_enc[256], global_cmd[256]; + host_list[MAX_N_LIST][NAME_LENGTH], logbook[256], logbook_enc[256], global_cmd[256]; int lsock, len, flag, content_length, header_length; struct hostent *phe; fd_set readfds;