OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   17-Dec-2004 18:44:34
  Branch: OPENPKG_2_1_SOLID                Handle: 2004121717443300

  Modified files:           (Branch: OPENPKG_2_1_SOLID)
    openpkg-src/cvstrac     cvstrac.patch cvstrac.spec

  Log:
    Security Bugfixes (OpenPKG-SA-2005.056-cvstrac, CAN-2004-1146)

  Summary:
    Revision    Changes     Path
    1.3.2.3     +234 -46    openpkg-src/cvstrac/cvstrac.patch
    1.33.2.4    +1  -1      openpkg-src/cvstrac/cvstrac.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/cvstrac/cvstrac.patch
  ============================================================================
  $ cvs diff -u -r1.3.2.2 -r1.3.2.3 cvstrac.patch
  --- openpkg-src/cvstrac/cvstrac.patch 10 Aug 2004 15:19:25 -0000      1.3.2.2
  +++ openpkg-src/cvstrac/cvstrac.patch 17 Dec 2004 17:44:33 -0000      1.3.2.3
  @@ -1,7 +1,40 @@
  +Security Bugfixes
  +
  +Index: browse.c
  +--- browse.c.orig    2003-11-28 14:35:52 +0100
  ++++ browse.c 2004-12-17 18:32:55 +0100
  +@@ -348,14 +348,8 @@
  +   }
  +   zReal = find_repository_file(zDir, zBase);
  +   if( zReal==0 ){ cgi_redirect("index"); return; }
  +-  if( zVers ){
  +-    int i;
  +-    for(i=0; zVers[i]; i++){
  +-      if( zVers[i]=='\'' ){ zVers = 0; break; }
  +-    }
  +-  }
  +-  if( zVers==0 ) zVers = "";
  +-  zCmd = mprintf("co -q '-p%s' '%s'", zVers, zReal);
  ++  zCmd = mprintf("co -q '-p%s' '%s'", 
  ++    quotable_string(zVers), quotable_string(zReal));
  +   in = popen(zCmd, "r");
  +   if( in==0 ){ cgi_redirect("index"); return; }
  +   while( !feof(in) ){
  +Index: cgi.c
  +--- cgi.c.orig       2003-09-22 23:20:37 +0200
  ++++ cgi.c    2004-12-17 18:32:55 +0100
  +@@ -46,6 +46,8 @@
  + */
  + #define P(x)        cgi_parameter((x),0)
  + #define PD(x,y)     cgi_parameter((x),(y))
  ++#define QP(x)       quotable_string(cgi_parameter((x),0))
  ++#define QPD(x,y)    quotable_string(cgi_parameter((x),(y)))
  + 
  + #endif /* INTERFACE */
  + 
   Index: db.c
  -diff -Nau db.c.orig db.c
   --- db.c.orig        2004-02-17 16:41:27 +0100
  -+++ db.c     2004-08-06 14:28:02 +0200
  ++++ db.c     2004-12-17 18:32:55 +0100
   @@ -312,7 +312,7 @@
      char *zFormat;
      char zBuf[200];
  @@ -11,48 +44,166 @@
      time(&now);
      t = atoi(argv[0]);
      if( t+8*3600 > now && t-8*3600 <= now ){
  +Index: history.c
  +--- history.c.orig   2003-04-05 18:04:21 +0200
  ++++ history.c        2004-12-17 18:32:55 +0100
  +@@ -479,7 +479,8 @@
  +       @ CVS repository</p></li>
  +       continue;
  +     }
  +-    zCmd = mprintf("rlog '-d%s' '%s' 2>/dev/null", zTRange, zFile);
  ++    zCmd = mprintf("rlog '-d%s' '%s' 2>/dev/null", 
  ++               quotable_string(zTRange), quotable_string(zFile));
  +     free(zFile);
  +     HTRACE("zCmd",zCmd);
  +     in = popen(zCmd, "r");
  +Index: login.c
  +--- login.c.orig     2003-08-05 18:10:53 +0200
  ++++ login.c  2004-12-17 18:32:55 +0100
  +@@ -134,7 +134,7 @@
  +   @ %s(zErrMsg)
  +   @ <form action="login" method="POST">
  +   if( P("nxp") ){
  +-    @ <input type="hidden" name="nxp" value="%s(P("nxp"))">
  ++    @ <input type="hidden" name="nxp" value="%h(P("nxp"))">
  +   }
  +   @ <table align="left" hspace="10">
  +   @ <tr>
  +Index: main.c
  +--- main.c.orig      2003-11-28 14:34:09 +0100
  ++++ main.c   2004-12-17 18:32:55 +0100
  +@@ -276,7 +276,7 @@
  +     }else{
  +       cgi_set_status(404,"Not Found");
  +       @ <h1>Not Found</h1>
  +-      @ <p>Page not found: %s(zPath)</p>
  ++      @ <p>Page not found: %h(zPath)</p>
  +       cgi_reply();
  +       return 0;
  +     }
  +@@ -312,7 +312,7 @@
  +     }else{
  +       cgi_set_status(404,"Not Found");
  +       @ <h1>Not Found</h1>
  +-      @ <p>Page not found: %s(g.zPath)</p>
  ++      @ <p>Page not found: %h(g.zPath)</p>
  +     }
  +     cgi_reply();
  +     return 0;
  +@@ -344,7 +344,7 @@
  +   if( !find_path(g.zPath, &xFunc) && !find_path("not_found",&xFunc) ){
  +     cgi_set_status(404,"Not Found");
  +     @ <h1>Not Found</h1>
  +-    @ <p>Page not found: %s(g.zPath)</p>
  ++    @ <p>Page not found: %h(g.zPath)</p>
  +   }else{
  +     xFunc();
  +   }
   Index: setup.c
  -diff -Nau setup.c.orig setup.c
  ---- setup.c.orig     2004-08-06 14:45:45 +0200
  -+++ setup.c  2004-08-06 14:45:49 +0200
  -@@ -930,10 +930,10 @@
  -   @ <tr><td bgcolor="#e0c0c0">
  -   @ <big><b>Important Security Note</b></big>
  -   @
  --  @ <p>Be sure to enclose the filename substitutions in single-quotes.
  --  @ (ex <tt>'%%F'</tt>)  Otherwise, a user who can check in new files
  --  @ (with unusual names) can cause arbitrary shell
  --  @ commands to be run on your system.</p>
  -+  @ <p>Be sure to enclose the filename and version substitutions in
  -+  @ single-quotes. (ex <tt>'%%V2'</tt> and <tt>'%%F'</tt>)  Otherwise,
  -+  @ a user who can check in new files (with unusual names) can cause
  -+  @ arbitrary shell commands to be run on your system.</p>
  -   @  
  -   @ <p>CVSTrac will not attempt to diff a file whose name contains a
  -   @ single-quote or backslash
  -@@ -960,7 +960,7 @@
  -   @ <p>If you leave the above entry blank, the following command is 
used:</p>
  -   @
  -   @ <blockquote><pre>
  --  @ rcsdiff -q -r%%V1 -r%%V2 -u '%%F'
  -+  @ rcsdiff -q -r'%%V1' -r'%%V2' -u '%%F'
  -   @ </pre></blockquote>
  -   @ </form>
  -   @ </p>
  -@@ -992,7 +992,7 @@
  -   @ <p>If you leave the above entry blank, the following command is 
used:</p>
  -   @
  -   @ <blockquote><pre>
  --  @ co -q -p%%V '%%F' | diff -c /dev/null -
  -+  @ co -q -p'%%V' '%%F' | diff -c /dev/null -
  -   @ </pre></blockquote>
  -   @ </form>
  -   @ </p>
  +--- setup.c.orig     2004-12-17 18:32:55 +0100
  ++++ setup.c  2004-12-17 18:32:55 +0100
  +@@ -756,7 +756,7 @@
  +   for(i=0; i<5; i++){
  +     const char *zOld;
  +     char *zAllowed;
  +-    char *zDesc;
  ++    const char *zDesc;
  +     char zEnumName[30];
  +     sprintf(zEnumName,"extra%d_name",i+1);
  +     zOld = db_config(zEnumName,"");
  +Index: ticket.c
  +--- ticket.c.orig    2004-02-02 16:02:28 +0100
  ++++ ticket.c 2004-12-17 18:32:55 +0100
  +@@ -40,7 +40,7 @@
  +   int i, j, c;
  +   int cmdSize;
  +   int cnt[128];
  +-  char *azSubst[128];
  ++  const char *azSubst[128];
  + 
  +   static const struct { int key; char *zColumn; } aKeys[] = {
  +       { 'a',  "assignedto"  },
  +@@ -106,15 +106,9 @@
  +   */
  +   cmdSize = strlen(zNotify)+1;
  +   for(i=0; i<sizeof(azSubst)/sizeof(azSubst[0]); i++){
  +-    int k;
  +-    char *z;
  +     if( azSubst[i]==0 || cnt[i]<=0 ) continue;
  +-    z = azSubst[i];
  +-    for(j=k=0; z[j]; j++){
  +-      if( z[j]!='\'' && z[j]!='\\' ) z[k++] = z[j];
  +-    }
  +-    z[k] = 0;
  +-    cmdSize += cnt[i]*strlen(z);
  ++    azSubst[i] = quotable_string(azSubst[i]);
  ++    cmdSize += cnt[i]*strlen(azSubst[i]);
  +   }
  + 
  +   zCmd = malloc( cmdSize + 1 );
  +@@ -508,7 +502,7 @@
  +   const char *zUser;
  +   time_t tm, now;
  +   const char *z;
  +-  const char **az;
  ++  char **az;
  +   int i;
  + 
  +   login_check_credentials();
   Index: timeline.c
  -diff -Nau timeline.c.orig timeline.c
   --- timeline.c.orig  2003-11-28 14:35:52 +0100
  -+++ timeline.c       2004-08-06 14:28:02 +0200
  -@@ -773,6 +773,25 @@
  ++++ timeline.c       2004-12-17 18:35:48 +0100
  +@@ -691,6 +691,27 @@
  + }
  + 
  + /*
  ++** If the string is NULL or contains an single-quote of backslash
  ++** return a pointer to an empty string.  If no unauthorized
  ++** characters are found in the string, return the string itself.
  ++**
  ++** This routine is used to make sure that an argument can be safely
  ++** quoted into a command to be executed by popen().
  ++*/
  ++const char *quotable_string(const char *z){
  ++  int c, i;
  ++  if( z==0 ){
  ++    return "";
  ++  }
  ++  for(i=0; (c=z[i])!=0; i++){
  ++    if( c=='\'' || c=='\\' ){
  ++      return "";
  ++    }
  ++  }
  ++  return z;
  ++}
  ++
  ++/*
  + ** Perform the following substitutions on the input string zInCmd and
  + ** write the result into a new string obtained from malloc.  Return the
  + ** result.
  +@@ -706,6 +727,12 @@
  +   char *zOut;
  +   int nByte = 1;
  + 
  ++  /* Sanitize the substitutions
  ++  */
  ++  for(i=0; azSubst[i]; i+=2){
  ++    azSubst[i+1] = quotable_string(azSubst[i+1]);
  ++  }
  ++
  +   /* Figure out how must space is required to hold the result.
  +   */
  +   nByte = 1;  /* For the null terminator */
  +@@ -759,7 +786,7 @@
  +           zOut[k++] = c;
  +         }else{
  +           strcpy(&zOut[k], azSubst[j+1]);
  +-          k += strlen(azSubst[j+1]);
  ++          k += strlen(&zOut[k]);
  +           i += len - 1;
  +         }
  +       }
  +@@ -773,6 +800,25 @@
    }
    
    /*
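Review bot: The header comment of the new `quotable_string()` in the timeline.c part of this hunk misstates its contract: `an single-quote of backslash` should read `a single-quote or backslash`, and it should say that a NULL argument and a rejected one are indistinguishable to the caller, since both yield `""`. Suggested wording for the first sentence: `** If the string is NULL or contains a single-quote or backslash, return a pointer to an empty string (callers cannot tell the two cases apart).` The routine only makes a value safe inside a single-quoted shell word, which the comment should state explicitly, since a caller that interpolates the result unquoted or inside double quotes gets no protection from it. The rest of the file's quotable_string() callers in this patch do use single quotes, so the remark is about documenting the precondition, not a defect in the visible calls.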
  @@ -78,10 +229,20 @@
    ** Diff two versions of a file, handling all exceptions.
    **
    ** If oldVersion is NULL, then this function will output the
  -@@ -814,17 +833,31 @@
  -     }
  +@@ -802,16 +848,18 @@
  +     return; /* Don't attempt to compare binaries */
      }
    
  +-  /* Check to make sure the filename does not have any characters that
  +-  ** might cause problems for the shell.
  +-  */
  +-  for(i=0; file[i]; i++){
  +-    if( file[i]=='\'' || file[i]=='\\' ){
  +-      @ <p>
  +-      @ %h(file) contains a single-quote or backslash character in its 
name.  
  +-      @ </p>
  +-      return;
  +-    }
   +  if( !is_cvs_revision(newVersion) ){
   +    @ <p>
   +    @ Tag %h(newVersion) contains invalid characters.
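Review bot: The new `is_cvs_revision()` checks in the timeline.c hunk call a function whose definition is not part of this patch, so it cannot be verified here which characters it accepts, and in particular whether it rejects `'` and `\` before the versions reach the substitution loop (the later sanitization in the substitution loop would still map a rejected value to `""`, but then without this user-visible message). If it is an existing cvstrac routine, a one-line comment at the first call naming where it is defined and what it accepts, e.g. `/* is_cvs_revision(): defined in <FILE-PLACEHOLDER>; accepts only [0-9.] revision strings and symbolic tags */`, would let a reader confirm the two checks agree. The enclosing function starts before and continues after this hunk.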
  @@ -94,10 +255,10 @@
   +    @ Tag %h(oldVersion) contains invalid characters.
   +    @ </p>
   +    return;
  -+  }
  -+
  +   }
  + 
      /* Find the command used to compute the file difference.
  -   */
  +@@ -819,12 +867,12 @@
      azSubst[0] = "F";
      azSubst[1] = file;
      if( oldVersion[0]==0 ){
  @@ -112,3 +273,30 @@
        azSubst[2] = "V1";
        azSubst[3] = oldVersion;
        azSubst[4] = "V2";
  +@@ -1214,7 +1262,7 @@
  +   @ </td></tr>
  +   @ </td></tr>
  +   @ <tr><td align="right">Branch:</td><td>
  +-  cgi_v_optionmenu(2, "br", zBr, azAllBr);
  ++  cgi_v_optionmenu(2, "br", zBr, (const char**)azAllBr);
  +   @ </td></tr>
  +   @ <tr><td align="right">Comment:</td>
  +   @    <td colspan=3>
  +Index: wiki.c
  +--- wiki.c.orig      2003-11-28 14:35:52 +0100
  ++++ wiki.c   2004-12-17 18:32:55 +0100
  +@@ -197,9 +197,13 @@
  + 
  +     zF1[0] = zF2[0] = 0;
  +     if( !write_to_temp(azPage[9], zF1) && !write_to_temp(azPage[4], zF2) ){
  +-      FILE *p = popen( mprintf("diff -c %s %s", zF1, zF2), "r" );
  ++      char *zCmd;
  ++      FILE *p;
  +       char zLine[1000];
  +       int cnt = 0;
  ++      zCmd = mprintf("diff -c '%s' '%s'", quotable_string(zF1),
  ++                      quotable_string(zF2));
  ++      p = popen(zCmd, "r");
  +       @ <pre>
  +       while( fgets(zLine, sizeof(zLine), p) ){
  +         cnt++;
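Review bot: In the wiki.c part of this hunk, `p = popen(zCmd, "r");` is followed directly by `while( fgets(zLine, sizeof(zLine), p) )` on the context line, so a failed popen() returning NULL is dereferenced; the rewrite is the natural place to add `if( p==0 ){ free(zCmd); return; }` or to wrap the read loop in `if( p ){ … }`, whichever fits the enclosing function, whose body continues outside the hunk. `zCmd` is now a named mprintf() result but is not freed anywhere in the visible lines; the original inline call leaked the same buffer, but naming it makes a `free(zCmd)` after the stream is closed straightforward. Since `zF1`/`zF2` come from write_to_temp() rather than from a request parameter, quotable_string() here is defence in depth, which a short comment such as `/* temp names are generated, quoting is defence in depth */` could record.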
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/cvstrac/cvstrac.spec
  ============================================================================
  $ cvs diff -u -r1.33.2.3 -r1.33.2.4 cvstrac.spec
  --- openpkg-src/cvstrac/cvstrac.spec  10 Aug 2004 15:19:25 -0000      1.33.2.3
  +++ openpkg-src/cvstrac/cvstrac.spec  17 Dec 2004 17:44:33 -0000      1.33.2.4
  @@ -34,7 +34,7 @@
   Group:        Database
   License:      GPL
   Version:      1.1.3
  -Release:      2.1.2
  +Release:      2.1.3
   
   #   list of sources
   Source0:      http://www.cvstrac.org/cvstrac-src.tar.gz
  @@ .