OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Michael Schloh
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   06-Aug-2004 15:56:33
  Branch: HEAD                             Handle: 2004080614563300

  Modified files:
    openpkg-src/cvstrac     cvstrac.patch cvstrac.spec

  Log:
    add logic to fix the remote arbitrary code execution vulnerability
    (SA-2004.036)

  Summary:
    Revision    Changes     Path
    1.4         +104 -2     openpkg-src/cvstrac/cvstrac.patch
    1.34        +1  -1      openpkg-src/cvstrac/cvstrac.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/cvstrac/cvstrac.patch
  ============================================================================
  $ cvs diff -u -r1.3 -r1.4 cvstrac.patch
  --- openpkg-src/cvstrac/cvstrac.patch 5 May 2004 09:05:00 -0000       1.3
  +++ openpkg-src/cvstrac/cvstrac.patch 6 Aug 2004 13:56:33 -0000       1.4
  @@ -1,6 +1,7 @@
   Index: db.c
  ---- db.c.orig        2004-02-17 16:41:27.000000000 +0100
  -+++ db.c     2004-05-05 11:01:23.000000000 +0200
  +diff -Nau db.c.orig db.c
  +--- db.c.orig        2004-02-17 16:41:27 +0100
  ++++ db.c     2004-08-06 14:28:02 +0200
   @@ -312,7 +312,7 @@
      char *zFormat;
      char zBuf[200];
  @@ -10,3 +11,104 @@
      time(&now);
      t = atoi(argv[0]);
      if( t+8*3600 > now && t-8*3600 <= now ){
  +Index: setup.c
  +diff -Nau setup.c.orig setup.c
  +--- setup.c.orig     2004-08-06 14:45:45 +0200
  ++++ setup.c  2004-08-06 14:45:49 +0200
  +@@ -930,10 +930,10 @@
  +   @ <tr><td bgcolor="#e0c0c0">
  +   @ <big><b>Important Security Note</b></big>
  +   @
  +-  @ <p>Be sure to enclose the filename substitutions in single-quotes.
  +-  @ (ex <tt>'%%F'</tt>)  Otherwise, a user who can check in new files
  +-  @ (with unusual names) can cause arbitrary shell
  +-  @ commands to be run on your system.</p>
  ++  @ <p>Be sure to enclose the filename and version substitutions in
  ++  @ single-quotes. (ex <tt>'%%V2'</tt> and <tt>'%%F'</tt>)  Otherwise,
  ++  @ a user who can check in new files (with unusual names) can cause
  ++  @ arbitrary shell commands to be run on your system.</p>
  +   @  
  +   @ <p>CVSTrac will not attempt to diff a file whose name contains a
  +   @ single-quote or backslash
  +@@ -960,7 +960,7 @@
  +   @ <p>If you leave the above entry blank, the following command is used:</p>
  +   @
  +   @ <blockquote><pre>
  +-  @ rcsdiff -q -r%%V1 -r%%V2 -u '%%F'
  ++  @ rcsdiff -q -r '%%V1' -r '%%V2' -u '%%F'
  +   @ </pre></blockquote>
  +   @ </form>
  +   @ </p>
  +@@ -992,7 +992,7 @@
  +   @ <p>If you leave the above entry blank, the following command is used:</p>
  +   @
  +   @ <blockquote><pre>
  +-  @ co -q -p%%V '%%F' | diff -c /dev/null -
  ++  @ co -q -p '%%V' '%%F' | diff -c /dev/null -
  +   @ </pre></blockquote>
  +   @ </form>
  +   @ </p>
  +Index: timeline.c
  +diff -Nau timeline.c.orig timeline.c
  +--- timeline.c.orig  2003-11-28 14:35:52 +0100
  ++++ timeline.c       2004-08-06 14:28:02 +0200
  +@@ -773,6 +773,25 @@
  + }
  + 
  + /*
  ++** Check to see that a CVS tag is good.
  ++**
  ++** A good CVS tag is either a numeric format x.y.z or must be alphanumeric,
  ++** possibly using _ and -. Technically a symbolic tag should start with
  ++** a letter but this function is intended to be simple and catch shell
  ++** characters.
  ++*/
  ++static int is_cvs_revision(const char *tag) {
  ++  int i;
  ++  if( tag == NULL ) return 1;  /* empty tag is good */
  ++  for( i = 0; tag[i]; i++ ) {
  ++    if( !isalnum(tag[i]) && tag[i] != '_' && tag[i] != '-' && tag[i] != '.' ){
  ++      return 0;
  ++    }
  ++  }
  ++  return 1;
  ++}
  ++
  ++/*
  + ** Diff two versions of a file, handling all exceptions.
  + **
  + ** If oldVersion is NULL, then this function will output the
  +@@ -814,17 +833,31 @@
  +     }
  +   }
  + 
  ++  if( !is_cvs_revision(newVersion) ){
  ++    @ <p>
  ++    @ Tag %h(newVersion) contains invalid characters.
  ++    @ </p>
  ++    return;
  ++  }
  ++
  ++  if( !is_cvs_revision(oldVersion) ){
  ++    @ <p>
  ++    @ Tag %h(oldVersion) contains invalid characters.
  ++    @ </p>
  ++    return;
  ++  }
  ++
  +   /* Find the command used to compute the file difference.
  +   */
  +   azSubst[0] = "F";
  +   azSubst[1] = file;
  +   if( oldVersion[0]==0 ){
  +-    zTemplate = db_config("filelist","co -q -p%V '%F' | diff -c /dev/null -");
  ++    zTemplate = db_config("filelist","co -q -p '%V' '%F' | diff -c /dev/null -");
  +     azSubst[2] = "V";
  +     azSubst[3] = newVersion;
  +     azSubst[4] = 0;
  +   }else{
  +-    zTemplate = db_config("filediff","rcsdiff -q -r%V1 -r%V2 -u '%F'");
  ++    zTemplate = db_config("filediff","rcsdiff -q -r '%V1' -r '%V2' -u '%F'");
  +     azSubst[2] = "V1";
  +     azSubst[3] = oldVersion;
  +     azSubst[4] = "V2";
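Review bot: `is_cvs_revision` in the added timeline.c hunk passes a plain `char` to `isalnum()`, which is undefined for byte values above 0x7F where `char` is signed and is locale-dependent, so a tag containing high-bit bytes may be misclassified or crash instead of being rejected; cast first, `if( !isalnum((unsigned char)tag[i]) && tag[i] != '_' && tag[i] != '-' && tag[i] != '.' ){`. Whether timeline.c already includes `<ctype.h>` is not visible in this hunk. The same hunk rewrites the default commands as `-r '%V1'`, `-r '%V2'` and `-p '%V'` with a space before the quoted value; some RCS implementations only accept a revision attached to the option, and if that is the case here the single-quote protection works equally well as `-r'%V1'`, `-r'%V2'` and `-p'%V'` with no space, so this is worth confirming against the rcsdiff/co in use (the setup.c help text shows the same spacing). The comment `/* empty tag is good */` describes a NULL pointer, and an empty string is also accepted because the loop body never runs; `/* NULL or empty tag is accepted */` would be more accurate.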
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/cvstrac/cvstrac.spec
  ============================================================================
  $ cvs diff -u -r1.33 -r1.34 cvstrac.spec
  --- openpkg-src/cvstrac/cvstrac.spec  5 May 2004 09:05:00 -0000       1.33
  +++ openpkg-src/cvstrac/cvstrac.spec  6 Aug 2004 13:56:33 -0000       1.34
  @@ -34,7 +34,7 @@
   Group:        Database
   License:      GPL
   Version:      1.1.3
  -Release:      20040505
  +Release:      20040806
   
   #   list of sources
   Source0:      http://www.cvstrac.org/cvstrac-src.tar.gz
  @@ .