Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 169490 Details for
Bug 239047
net-ftp/netkit-ftpd Cross-Site Request Forgery Vulnerability (CVE-2008-4247)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
netkit-ftpd-0.17-CVE-2008-4247.patch
netkit-ftpd-0.17-CVE-2008-4247.patch (text/plain), 3.13 KB, created by
Robert Buchholz (RETIRED)
on 2008-10-22 20:31:32 UTC
(
hide
)
Description:
netkit-ftpd-0.17-CVE-2008-4247.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2008-10-22 20:31:32 UTC
Size:
3.13 KB
patch
obsolete
>Index: linux-ftpd-0.17/ftpd/extern.h >=================================================================== >--- linux-ftpd-0.17.orig/ftpd/extern.h >+++ linux-ftpd-0.17/ftpd/extern.h >@@ -43,7 +43,7 @@ void dologout __P((int)); > void fatal __P((const char *)); > int ftpd_pclose __P((FILE *)); > FILE *ftpd_popen __P((char *, const char *)); >-char *ftpd_getline __P((char *, int, FILE *)); >+int ftpd_getline __P((char *, int, FILE *)); > void ftpdlogwtmp __P((const char *, const char *, const char *)); > void lreply __P((int, const char *, ...)); > void makedir __P((char *)); >Index: linux-ftpd-0.17/ftpd/ftpcmd.y >=================================================================== >--- linux-ftpd-0.17.orig/ftpd/ftpcmd.y >+++ linux-ftpd-0.17/ftpd/ftpcmd.y >@@ -980,7 +980,7 @@ static struct tab *lookup(struct tab *p, > /* > * getline - a hacked up version of fgets to ignore TELNET escape codes. > */ >-char * ftpd_getline(char *s, int n, FILE *iop) >+int ftpd_getline(char *s, int n, FILE *iop) > { > int c; > register char *cs; >@@ -995,7 +995,7 @@ char * ftpd_getline(char *s, int n, FILE > if (debug) > syslog(LOG_DEBUG, "command: %s", s); > tmpline[0] = '\0'; >- return(s); >+ return(0); > } > if (c == 0) > tmpline[0] = '\0'; >@@ -1037,11 +1037,22 @@ char * ftpd_getline(char *s, int n, FILE > } > } > *cs++ = c; >- if (--n <= 0 || c == '\n') >+ if (--n <= 0) { >+ /* >+ * If command doesn't fit into buffer, discard the >+ * rest of the command and indicate truncation. >+ * This prevents the command to be split up into >+ * multiple commands. >+ */ >+ while (c != '\n' && (c = getc(iop)) != EOF) >+ ; >+ return (-2); >+ } >+ if (c == '\n') > break; > } > if (c == EOF && cs == s) >- return (NULL); >+ return (-1); > *cs++ = '\0'; > if (debug) { > if (!guest && strncasecmp("pass ", s, 5) == 0) { >@@ -1061,7 +1072,7 @@ char * ftpd_getline(char *s, int n, FILE > syslog(LOG_DEBUG, "command: %.*s", len, s); > } > } >- return (s); >+ return (0); > } > > void toolong(int signo) >@@ -1090,9 +1101,14 @@ static int yylex(void) > case CMD: > (void) signal(SIGALRM, toolong); > (void) alarm((unsigned) timeout); >- if (ftpd_getline(cbuf, sizeof(cbuf)-1, stdin)==NULL) { >+ n = ftpd_getline(cbuf, sizeof(cbuf)-1, stdin); >+ if (n == -1) { > reply(221, "You could at least say goodbye."); > dologout(0); >+ } else if (n == -2) { >+ reply(500, "Command too long."); >+ alarm(0); >+ continue; > } > (void) alarm(0); > if ((cp = strchr(cbuf, '\r'))) { >Index: linux-ftpd-0.17/ftpd/ftpd.c >=================================================================== >--- linux-ftpd-0.17.orig/ftpd/ftpd.c >+++ linux-ftpd-0.17/ftpd/ftpd.c >@@ -2210,6 +2210,7 @@ void dologout(int status) > static void myoob(int signo) > { > char *cp; >+ int ret; > int save_errno = errno; > > (void)signo; >@@ -2218,9 +2219,13 @@ static void myoob(int signo) > if (!transflag) > return; > cp = tmpline; >- if (ftpd_getline(cp, 7, stdin) == NULL) { >+ ret = ftpd_getline(cp, 7, stdin); >+ if (ret == -1) { > reply(221, "You could at least say goodbye."); > dologout(0); >+ } else if (ret == -2) { >+ /* Ignore truncated command */ >+ return; > } > upper(cp); > if (strcmp(cp, "ABOR\r\n") == 0) {
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 239047
: 169490