Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 181876 Details for
Bug 258838
net-ftp/proftpd-1.3.2 - version bump with security fix
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
proftpd 1.3.1 upstream security bug 3173 patch
proftpd-1.3.1-upstream-security-bug-3173.patch (text/plain), 7.91 KB, created by
Bernd Lommerzheim
on 2009-02-13 14:36:55 UTC
(
hide
)
Description:
proftpd 1.3.1 upstream security bug 3173 patch
Filename:
MIME Type:
Creator:
Bernd Lommerzheim
Created:
2009-02-13 14:36:55 UTC
Size:
7.91 KB
patch
obsolete
>diff -ur ../proftpd-1.3.1-orig/contrib/mod_sql_mysql.c ./contrib/mod_sql_mysql.c >--- ../proftpd-1.3.1-orig/contrib/mod_sql_mysql.c Fri Jul 6 15:40:58 2007 >+++ ./contrib/mod_sql_mysql.c Wed Feb 4 09:57:53 2009 >@@ -128,7 +128,7 @@ > * Internal define used for debug and logging. All backends are encouraged > * to use the same format. > */ >-#define MOD_SQL_MYSQL_VERSION "mod_sql_mysql/4.0.7" >+#define MOD_SQL_MYSQL_VERSION "mod_sql_mysql/4.0.8" > > #define _MYSQL_PORT "3306" > >@@ -441,6 +441,49 @@ > return _build_error(cmd, conn); > } > >+#ifdef PR_USE_NLS >+ if (pr_utf8_get_encoding() != NULL) { >+ >+# if MYSQL_VERSION_ID >= 50007 >+ /* Configure the connection for the current local character set. >+ * >+ * Note: the mysql_set_character_set() function appeared in MySQL 5.0.7, >+ * as per: >+ * >+ * http://dev.mysql.com/doc/refman/5.0/en/mysql-set-character-set.html >+ */ >+ if (!mysql_set_character_set(conn->mysql, pr_utf8_get_charset())) { >+ sql_log(DEBUG_FUNC, "%s", "exiting \tmysql cmd_open"); >+ return _build_error(cmd, conn); >+ } >+ >+ sql_log(DEBUG_FUNC, "MySQL connection character set now '%s' (from '%s')", >+ mysql_character_set_name(conn->mysql), pr_utf8_get_charset()); >+ >+# else >+ /* No mysql_set_character_set() API available. But >+ * mysql_character_set_name() has been around for a while; we can use it >+ * to at least see whether there might be a character set discrepancy. >+ */ >+ >+ const char *local_charset = pr_utf8_get_charset(); >+ const char *mysql_charset = mysql_character_set_name(conn->mysql); >+ >+ if (local_charset && >+ mysql_charset && >+ strcasecmp(local_charset, mysql_charset) != 0) { >+ pr_log_pri(PR_LOG_ERR, MOD_SQL_MYSQL_VERSION >+ ": local character set '%s' does not match MySQL character set '%s', " >+ "SQL injection possible, shutting down", local_charset, mysql_charset); >+ sql_log(DEBUG_WARN, "local character set '%s' does not match MySQL " >+ "character set '%s', SQL injection possible, shutting down", >+ local_charset, mysql_charset); >+ end_login(1); >+ } >+# endif /* older MySQL */ >+ } >+#endif /* !PR_USE_NLS */ >+ > /* bump connections */ > entry->connections++; > >diff -ur ../proftpd-1.3.1-orig/contrib/mod_sql_postgres.c ./contrib/mod_sql_postgres.c >--- ../proftpd-1.3.1-orig/contrib/mod_sql_postgres.c Fri Jul 6 15:40:58 2007 >+++ ./contrib/mod_sql_postgres.c Wed Feb 4 10:22:32 2009 >@@ -34,7 +34,7 @@ > * Internal define used for debug and logging. All backends are encouraged > * to use the same format. > */ >-#define MOD_SQL_POSTGRES_VERSION "mod_sql_postgres/4.03" >+#define MOD_SQL_POSTGRES_VERSION "mod_sql_postgres/4.0.4" > > #define _POSTGRES_PORT "5432" > >@@ -43,6 +43,21 @@ > > #include <libpq-fe.h> > >+/* For the pg_encoding_to_char() function, used for NLS support, we need >+ * to include the <mb/pg_wchar.h> file. It's OK; the function has been >+ * declared in that file for a while, according to: >+ * >+ * http://archives.postgresql.org/pgsql-bugs/2006-07/msg00125.php >+ * >+ * But it's a pain to quell all of the compiler warnings about redefined >+ * this, undefined that. The linker finds the symbol without issue, so >+ * punt on including <mb/pg_wchar.h> file. Instead, we'll copy the >+ * function declaration here. >+ */ >+#ifdef PR_USE_NLS >+extern const char *pg_encoding_to_char(int encoding); >+#endif >+ > /* > * timer-handling code adds the need for a couple of forward declarations > */ >@@ -307,6 +322,39 @@ > return _build_error( cmd, conn ); > } > >+#ifdef PR_USE_NLS >+ if (pr_utf8_get_encoding() != NULL) { >+ const char *encoding = pr_utf8_get_encoding(); >+ >+ /* XXX Hack to deal with Postgres' incredibly broken behavior when >+ * handling the 'ASCII' encoding. Specifically, Postgres chokes on >+ * 'ASCII', and instead insists on calling it 'SQL_ASCII' (which, of >+ * course, is not even close to being a valid encoding name according >+ * to libiconv.) >+ * >+ * Treat 'ANSI_X3.4-1968' (another common name/alias for ASCII) the >+ * same; rename it to 'SQL_ASCII' for Postgres' benefit. And same for >+ * 'US-ASCII'. >+ */ >+ if (strcmp(encoding, "ANSI_X3.4-1968") == 0 || >+ strcmp(encoding, "ASCII") == 0 || >+ strcmp(encoding, "US-ASCII") == 0) { >+ encoding = "SQL_ASCII"; >+ } >+ >+ /* Configure the connection for the current local character set. */ >+ if (PQsetClientEncoding(conn->postgres, encoding) < 0) { >+ /* if it didn't work, return an error */ >+ sql_log(DEBUG_FUNC, "%s", "exiting \tpostgres cmd_open"); >+ return _build_error(cmd, conn); >+ } >+ >+ sql_log(DEBUG_FUNC, "Postgres connection character set now '%s' " >+ "(from '%s')", pg_encoding_to_char(PQclientEncoding(conn->postgres)), >+ pr_utf8_get_charset()); >+ } >+#endif /* !PR_USE_NLS */ >+ > /* bump connections */ > entry->connections++; > >diff -ur ../proftpd-1.3.1-orig/include/utf8.h ./include/utf8.h >--- ../proftpd-1.3.1-orig/include/utf8.h Thu May 25 09:55:34 2006 >+++ ./include/utf8.h Wed Feb 4 10:19:13 2009 >@@ -37,6 +37,9 @@ > */ > char *pr_utf8_encode(pool *p, const char *in, size_t inlen, size_t *outlen); > >+const char *pr_utf8_get_charset(void); >+const char *pr_utf8_get_encoding(void); >+ > /* Internal use only. */ > int utf8_init(void); > int utf8_free(void); >diff -ur ../proftpd-1.3.1-orig/src/utf8.c ./src/utf8.c >--- ../proftpd-1.3.1-orig/src/utf8.c Fri Dec 15 10:51:50 2006 >+++ ./src/utf8.c Wed Feb 4 10:19:15 2009 >@@ -42,6 +42,9 @@ > static iconv_t decode_conv = (iconv_t) -1; > static iconv_t encode_conv = (iconv_t) -1; > >+static const char *local_charset = NULL; >+static const char *encoding = "UTF-8"; >+ > static int utf8_convert(iconv_t conv, char *inbuf, size_t *inbuflen, > char *outbuf, size_t *outbuflen) { > # ifdef HAVE_ICONV >@@ -78,10 +81,14 @@ > if (res < 0) > return -1; > >+ encode_conv = (iconv_t) -1; >+ > res = iconv_close(decode_conv); > if (res < 0) > return -1; > >+ decode_conv = (iconv_t) -1; >+ > return 0; > # else > errno = ENOSYS; >@@ -90,36 +97,37 @@ > } > > int utf8_init(void) { >- const char *local_charset; > >+ if (local_charset == NULL) { > #ifdef HAVE_NL_LANGINFO >- /* Look up the current charset. If there's a problem, default to >- * UCS-2. >- */ >- local_charset = nl_langinfo(CODESET); >- if (!local_charset) { >+ /* Look up the current charset. If there's a problem, default to >+ * UCS-2. >+ */ >+ local_charset = nl_langinfo(CODESET); >+ if (!local_charset) { >+ local_charset = "C"; >+ pr_trace_msg("utf8", 1, >+ "unable to determine locale, defaulting to 'C' for UTF8 conversion"); >+ >+ } else { >+ pr_trace_msg("utf8", 1, "converting UTF8 to local character set '%s'", >+ local_charset); >+ } >+#else > local_charset = "C"; > pr_trace_msg("utf8", 1, >- "unable to determine locale, defaulting to 'C' for UTF8 conversion"); >- >- } else { >- pr_trace_msg("utf8", 1, "converting UTF8 to local character set '%s'", >- local_charset); >- } >-#else >- local_charset = "C"; >- pr_trace_msg("utf8", 1, >- "nl_langinfo(3) not supported, defaulting to using 'C' for UTF8 " >- "conversion"); >+ "nl_langinfo(3) not supported, defaulting to using 'C' for UTF8 " >+ "conversion"); > #endif /* HAVE_NL_LANGINFO */ >+ } > > # ifdef HAVE_ICONV > /* Get the iconv handles. */ >- encode_conv = iconv_open(local_charset, "UTF-8"); >+ encode_conv = iconv_open(encoding, local_charset); > if (encode_conv == (iconv_t) -1) > return -1; > >- decode_conv = iconv_open("UTF-8", local_charset); >+ decode_conv = iconv_open(local_charset, encoding); > if (decode_conv == (iconv_t) -1) > return -1; > >@@ -200,4 +208,24 @@ > #endif /* !HAVE_ICONV_H */ > } > >+const char *pr_utf8_get_charset(void) { >+#ifdef HAVE_ICONV_H >+ return local_charset; >+ >+#else >+ errno = ENOSYS; >+ return NULL; >+#endif /* !HAVE_ICONV_H */ >+} >+ >+const char *pr_utf8_get_encoding(void) { >+#ifdef HAVE_ICONV_H >+ return encoding; >+ >+#else >+ errno = ENOSYS; >+ return NULL; >+#endif /* !HAVE_ICONV_H */ >+} >+ > #endif /* PR_USE_NLS */
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 258838
:
181863
|
181865
|
181874
|
181875
| 181876 |
181980
|
181982
|
182237