OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src openpkg-web Date: 02-Jul-2003 17:25:55
Branch: HEAD Handle: 2003070216255302
Added files:
openpkg-src/proftpd proftpd.patch
Modified files:
openpkg-src/proftpd proftpd.spec
openpkg-web news.txt
Log:
apply security fix
Summary:
Revision Changes Path
1.5 +42 -0 openpkg-src/proftpd/proftpd.patch
1.55 +2 -0 openpkg-src/proftpd/proftpd.spec
1.5159 +1 -0 openpkg-web/news.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/proftpd/proftpd.patch
============================================================================
$ cvs diff -u -r0 -r1.5 proftpd.patch
--- /dev/null 2003-07-02 17:25:55.000000000 +0200
+++ proftpd.patch 2003-07-02 17:25:55.000000000 +0200
@@ -0,0 +1,42 @@
+http://www.debian.org/security/2003/dsa-338
+DSA-338-1 proftpd -- SQL injection, Date Reported: 29 Jun 2003
+
+ runlevel [EMAIL PROTECTED] reported that ProFTPD's PostgreSQL
+ authentication module is vulnerable to a SQL injection attack. This
+ vulnerability could be exploited by a remote, unauthenticated
+ attacker to execute arbitrary SQL statements, potentially exposing
+ the passwords of other users, or to connect to ProFTPD as an
+ arbitrary user without supplying the correct password.
+
+patch AE.mod_sql_postgres.c.diff extracted from
+http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2.tar.gz
+
+--- contrib/mod_sql_postgres.c.orig Wed Jul 2 16:49:26 2003
++++ contrib/mod_sql_postgres.c Wed Jul 2 16:56:35 2003
+@@ -1082,6 +1082,8 @@
+ {
+ conn_entry_t *entry = NULL;
+ db_conn_t *conn = NULL;
++ char *unescaped = NULL;
++ char *escaped = NULL;
+
+ sql_log(DEBUG_FUNC, "%s", "entering \tpostgres cmd_escapestring");
+
+@@ -1102,9 +1104,16 @@
+ conn = (db_conn_t *) entry->data;
+
+ /* PostgreSQL has no way to escape strings internally */
++ /* Note: the PQescapeString() function appeared in the C API as of
++ * Postgres-7.2.
++ */
++ unescaped = cmd->argv[1];
++ escaped = (char *) pcalloc(cmd->tmp_pool, sizeof(char) *
++ (strlen(unescaped) * 2) + 1);
+
++ PQescapeString(escaped, unescaped, strlen(unescaped));
+ sql_log(DEBUG_FUNC, "%s", "exiting \tpostgres cmd_escapestring");
+- return mod_create_data(cmd, (void *) cmd->argv[1]);
++ return mod_create_data(cmd, (void *) escaped );
+ }
+
+ /*
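Review bot: strlen(unescaped) is evaluated twice in the added lines of cmd_escapestring, once in the pcalloc size expression and again as the length passed to PQescapeString; caching it keeps the buffer size and the escaped length tied to the same value, e.g. `size_t len = strlen(unescaped);`, `escaped = pcalloc(cmd->tmp_pool, len * 2 + 1);`, `PQescapeString(escaped, unescaped, len);`. The new code also dereferences cmd->argv[1] via strlen where the removed line only passed the pointer through, so if a caller can supply a NULL argument this becomes a crash path; whether that is possible is not visible in this hunk. PQescapeString as used here takes no connection handle and therefore cannot account for the client encoding of the session; a comment noting that limitation next to the existing Postgres-7.2 remark would help later maintainers decide whether a connection-aware escape is warranted. The signature of the enclosing function lies before the first hunk and the function body continues past the second.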
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/proftpd/proftpd.spec
============================================================================
$ cvs diff -u -r1.54 -r1.55 proftpd.spec
--- openpkg-src/proftpd/proftpd.spec 2 Jul 2003 15:20:38 -0000 1.54
+++ openpkg-src/proftpd/proftpd.spec 2 Jul 2003 15:25:55 -0000 1.55
@@ -52,6 +52,7 @@
Source2: proftpd.msg.goaway
Source3: proftpd.msg.login
Source4: rc.proftpd
+Patch0: proftpd.patch
# build information
Prefix: %{l_prefix}
@@ -93,6 +94,7 @@
%prep
%setup -q
+ %patch -p0
# utils also require link with getopt
%{l_shtool} subst \
-e 's;\(\$(BUILD_FTPCOUNT_OBJS).*\);\1 %{l_ldflags} -lgetopt;g' \
@@ .
patch -p0 <<'@@ .'
Index: openpkg-web/news.txt
============================================================================
$ cvs diff -u -r1.5158 -r1.5159 news.txt
--- openpkg-web/news.txt 2 Jul 2003 14:54:53 -0000 1.5158
+++ openpkg-web/news.txt 2 Jul 2003 15:25:53 -0000 1.5159
@@ -1,3 +1,4 @@
+02-Jul-2003: Upgraded package: P<proftpd-1.2.8-20030702>
02-Jul-2003: Upgraded package: P<arpd-0.2-20030702>
02-Jul-2003: Upgraded package: P<joe-2.9.8-20030702>
02-Jul-2003: Upgraded package: P<gsoap-2.1.10-20030702>
@@ .