OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   17-Dec-2004 18:30:22
  Branch: OPENPKG_2_2_SOLID                Handle: 2004121717302200

  Added files:              (Branch: OPENPKG_2_2_SOLID)
    openpkg-src/cvstrac     cvstrac.patch
  Modified files:           (Branch: OPENPKG_2_2_SOLID)
    openpkg-src/cvstrac     cvstrac.spec

  Log:
    Security Bugfixes (OpenPKG-SA-2005.056-cvstrac, CAN-2004-1146)

  Summary:
    Revision    Changes     Path
    1.5.2.1     +242 -0     openpkg-src/cvstrac/cvstrac.patch
    1.35.2.2    +3  -1      openpkg-src/cvstrac/cvstrac.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/cvstrac/cvstrac.patch
  ============================================================================
  $ cvs diff -u -r0 -r1.5.2.1 cvstrac.patch
  --- /dev/null 2004-12-17 18:30:22 +0100
  +++ cvstrac.patch     2004-12-17 18:30:22 +0100
  @@ -0,0 +1,242 @@
  +Security Bugfixes (OpenPKG-SA-2005.056-cvstrac, CAN-2004-1146)
  +
  +Index: browse.c
  +--- browse.c.orig    2004-08-06 17:49:07 +0200
  ++++ browse.c 2004-12-17 18:06:03 +0100
  +@@ -348,14 +348,8 @@
  +   }
  +   zReal = find_repository_file(zDir, zBase);
  +   if( zReal==0 ){ cgi_redirect("index"); return; }
  +-  if( zVers ){
  +-    int i;
  +-    for(i=0; zVers[i]; i++){
  +-      if( zVers[i]=='\'' ){ zVers = 0; break; }
  +-    }
  +-  }
  +-  if( zVers==0 ) zVers = "";
  +-  zCmd = mprintf("co -q '-p%s' '%s'", zVers, zReal);
  ++  zCmd = mprintf("co -q '-p%s' '%s'", 
  ++    quotable_string(zVers), quotable_string(zReal));
  +   in = popen(zCmd, "r");
  +   if( in==0 ){ cgi_redirect("index"); return; }
  +   while( !feof(in) ){
  +Index: cgi.c
  +--- cgi.c.orig       2003-09-22 23:20:37 +0200
  ++++ cgi.c    2004-12-17 18:06:03 +0100
  +@@ -46,6 +46,8 @@
  + */
  + #define P(x)        cgi_parameter((x),0)
  + #define PD(x,y)     cgi_parameter((x),(y))
  ++#define QP(x)       quotable_string(cgi_parameter((x),0))
  ++#define QPD(x,y)    quotable_string(cgi_parameter((x),(y)))
  + 
  + #endif /* INTERFACE */
  + 
  +Index: history.c
  +--- history.c.orig   2004-03-19 15:59:57 +0100
  ++++ history.c        2004-12-17 18:06:03 +0100
  +@@ -479,7 +479,8 @@
  +       @ CVS repository</p></li>
  +       continue;
  +     }
  +-    zCmd = mprintf("rlog '-d%s' '%s' 2>/dev/null", zTRange, zFile);
  ++    zCmd = mprintf("rlog '-d%s' '%s' 2>/dev/null", 
  ++               quotable_string(zTRange), quotable_string(zFile));
  +     free(zFile);
  +     HTRACE("zCmd",zCmd);
  +     in = popen(zCmd, "r");
  +Index: login.c
  +--- login.c.orig     2003-08-05 18:10:53 +0200
  ++++ login.c  2004-12-17 18:06:03 +0100
  +@@ -134,7 +134,7 @@
  +   @ %s(zErrMsg)
  +   @ <form action="login" method="POST">
  +   if( P("nxp") ){
  +-    @ <input type="hidden" name="nxp" value="%s(P("nxp"))">
  ++    @ <input type="hidden" name="nxp" value="%h(P("nxp"))">
  +   }
  +   @ <table align="left" hspace="10">
  +   @ <tr>
  +Index: main.c
  +--- main.c.orig      2004-06-26 04:57:00 +0200
  ++++ main.c   2004-12-17 18:06:03 +0100
  +@@ -276,7 +276,7 @@
  +     }else{
  +       cgi_set_status(404,"Not Found");
  +       @ <h1>Not Found</h1>
  +-      @ <p>Page not found: %s(zPath)</p>
  ++      @ <p>Page not found: %h(zPath)</p>
  +       cgi_reply();
  +       return 0;
  +     }
  +@@ -312,7 +312,7 @@
  +     }else{
  +       cgi_set_status(404,"Not Found");
  +       @ <h1>Not Found</h1>
  +-      @ <p>Page not found: %s(g.zPath)</p>
  ++      @ <p>Page not found: %h(g.zPath)</p>
  +     }
  +     cgi_reply();
  +     return 0;
  +@@ -344,7 +344,7 @@
  +   if( !find_path(g.zPath, &xFunc) && !find_path("not_found",&xFunc) ){
  +     cgi_set_status(404,"Not Found");
  +     @ <h1>Not Found</h1>
  +-    @ <p>Page not found: %s(g.zPath)</p>
  ++    @ <p>Page not found: %h(g.zPath)</p>
  +   }else{
  +     xFunc();
  +   }
  +Index: setup.c
  +--- setup.c.orig     2004-08-06 17:58:30 +0200
  ++++ setup.c  2004-12-17 18:06:03 +0100
  +@@ -800,7 +800,7 @@
  +   for(i=0; i<5; i++){
  +     const char *zOld;
  +     char *zAllowed;
  +-    char *zDesc;
  ++    const char *zDesc;
  +     char zEnumName[30];
  +     sprintf(zEnumName,"extra%d_name",i+1);
  +     zOld = db_config(zEnumName,"");
  +Index: ticket.c
  +--- ticket.c.orig    2004-04-19 19:41:46 +0200
  ++++ ticket.c 2004-12-17 18:06:03 +0100
  +@@ -40,7 +40,7 @@
  +   int i, j, c;
  +   int cmdSize;
  +   int cnt[128];
  +-  char *azSubst[128];
  ++  const char *azSubst[128];
  + 
  +   static const struct { int key; char *zColumn; } aKeys[] = {
  +       { 'a',  "assignedto"  },
  +@@ -106,15 +106,9 @@
  +   */
  +   cmdSize = strlen(zNotify)+1;
  +   for(i=0; i<sizeof(azSubst)/sizeof(azSubst[0]); i++){
  +-    int k;
  +-    char *z;
  +     if( azSubst[i]==0 || cnt[i]<=0 ) continue;
  +-    z = azSubst[i];
  +-    for(j=k=0; z[j]; j++){
  +-      if( z[j]!='\'' && z[j]!='\\' ) z[k++] = z[j];
  +-    }
  +-    z[k] = 0;
  +-    cmdSize += cnt[i]*strlen(z);
  ++    azSubst[i] = quotable_string(azSubst[i]);
  ++    cmdSize += cnt[i]*strlen(azSubst[i]);
  +   }
  + 
  +   zCmd = malloc( cmdSize + 1 );
  +@@ -508,7 +502,7 @@
  +   const char *zUser;
  +   time_t tm, now;
  +   const char *z;
  +-  const char **az;
  ++  char **az;
  +   int i;
  + 
  +   login_check_credentials();
  +Index: timeline.c
  +--- timeline.c.orig  2004-08-06 17:57:12 +0200
  ++++ timeline.c       2004-12-17 18:06:03 +0100
  +@@ -691,13 +691,24 @@
  + }
  + 
  + /*
  +-** Change all instances of the ' character into #.
  ++** If the string is NULL or contains an single-quote of backslash
  ++** return a pointer to an empty string.  If no unauthorized
  ++** characters are found in the string, return the string itself.
  ++**
  ++** This routine is used to make sure that an argument can be safely
  ++** quoted into a command to be executed by popen().
  + */
  +-static void convertQuote(char *z){
  +-  while( *z ){
  +-    if( *z=='\'' ) *z = '#';
  +-    z++;
  ++const char *quotable_string(const char *z){
  ++  int c, i;
  ++  if( z==0 ){
  ++    return "";
  ++  }
  ++  for(i=0; (c=z[i])!=0; i++){
  ++    if( c=='\'' || c=='\\' ){
  ++      return "";
  ++    }
  +   }
  ++  return z;
  + }
  + 
  + /*
  +@@ -716,6 +727,12 @@
  +   char *zOut;
  +   int nByte = 1;
  + 
  ++  /* Sanitize the substitutions
  ++  */
  ++  for(i=0; azSubst[i]; i+=2){
  ++    azSubst[i+1] = quotable_string(azSubst[i+1]);
  ++  }
  ++
  +   /* Figure out how must space is required to hold the result.
  +   */
  +   nByte = 1;  /* For the null terminator */
  +@@ -769,8 +786,7 @@
  +           zOut[k++] = c;
  +         }else{
  +           strcpy(&zOut[k], azSubst[j+1]);
  +-          convertQuote(&zOut[k]);
  +-          k += strlen(azSubst[j+1]);
  ++          k += strlen(&zOut[k]);
  +           i += len - 1;
  +         }
  +       }
  +@@ -813,18 +829,6 @@
  +     return; /* Don't attempt to compare binaries */
  +   }
  + 
  +-  /* Check to make sure the filename does not have any characters that
  +-  ** might cause problems for the shell.
  +-  */
  +-  for(i=0; file[i]; i++){
  +-    if( file[i]=='\'' || file[i]=='\\' ){
  +-      @ <p>
  +-      @ %h(file) contains a single-quote or backslash character in its 
name.  
  +-      @ </p>
  +-      return;
  +-    }
  +-  }
  +-
  +   /* Find the command used to compute the file difference.
  +   */
  +   azSubst[0] = "F";
  +@@ -1225,7 +1229,7 @@
  +   @ </td></tr>
  +   @ </td></tr>
  +   @ <tr><td align="right">Branch:</td><td>
  +-  cgi_v_optionmenu(2, "br", zBr, azAllBr);
  ++  cgi_v_optionmenu(2, "br", zBr, (const char**)azAllBr);
  +   @ </td></tr>
  +   @ <tr><td align="right">Comment:</td>
  +   @    <td colspan=3>
  +Index: wiki.c
  +--- wiki.c.orig      2003-11-28 14:35:52 +0100
  ++++ wiki.c   2004-12-17 18:06:03 +0100
  +@@ -197,9 +197,13 @@
  + 
  +     zF1[0] = zF2[0] = 0;
  +     if( !write_to_temp(azPage[9], zF1) && !write_to_temp(azPage[4], zF2) ){
  +-      FILE *p = popen( mprintf("diff -c %s %s", zF1, zF2), "r" );
  ++      char *zCmd;
  ++      FILE *p;
  +       char zLine[1000];
  +       int cnt = 0;
  ++      zCmd = mprintf("diff -c '%s' '%s'", quotable_string(zF1),
  ++                      quotable_string(zF2));
  ++      p = popen(zCmd, "r");
  +       @ <pre>
  +       while( fgets(zLine, sizeof(zLine), p) ){
  +         cnt++;
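Review bot: The new `p = popen(zCmd, "r");` in the wiki.c hunk is still handed straight to `fgets()` with no NULL check, although the browse.c and history.c call sites touched by this same patch guard their popen with `if( in==0 ){ cgi_redirect("index"); return; }`; wrap the read loop in `if( p ){ ... }` (or fail as those sites do) so a failed popen does not dereference a null FILE pointer. The `zCmd` that replaces the former inline `mprintf()` call is never freed within the hunk; if `mprintf()` allocates, as the `free(zFile)` following the history.c call suggests, add `free(zCmd);` after the loop. Separately, `quotable_string()` in timeline.c rejects bad input by silently returning "", which drops the former user-visible message `%h(file) contains a single-quote or backslash character in its name` and leaves no record of the rejected value, so consider tracing or reporting the rejection so callers and logs can distinguish an attempted injection from a genuinely empty argument. Its header comment should also state that the result is only safe when the caller wraps it in single quotes, as every caller in this patch does, and the typo `an single-quote of backslash` should read `a single-quote or backslash`. All of the quoted inner hunks begin and end inside functions whose bodies lie outside this patch.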
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/cvstrac/cvstrac.spec
  ============================================================================
  $ cvs diff -u -r1.35.2.1 -r1.35.2.2 cvstrac.spec
  --- openpkg-src/cvstrac/cvstrac.spec  11 Oct 2004 18:54:32 -0000      1.35.2.1
  +++ openpkg-src/cvstrac/cvstrac.spec  17 Dec 2004 17:30:22 -0000      1.35.2.2
  @@ -34,11 +34,12 @@
   Group:        Database
   License:      GPL
   Version:      1.1.4
  -Release:      2.2.0
  +Release:      2.2.1
   
   #   list of sources
   Source0:      
ftp://ftp.openpkg.org/sources/CPY/cvstrac/cvstrac-%{version}.tar.gz
   Source1:      cvstrac.cgi
  +Patch0:       cvstrac.patch
   
   #   build information
   Prefix:       %{l_prefix}
  @@ -65,6 +66,7 @@
   
   %prep
       %setup -q -n cvstrac
  +    %patch -p0
   
   %build
       libs="-lsqlite -lcrypt -lm"
  @@ .