Package: tcp-wrappers
Version: 7.6.dbs-13
Severity: normal
Tags: patch

The "05_wildcard_match" patch that was imported from RedHat does not match case-insensitively. This makes the matching much less powerful, as every pattern must be repeated for each combination of case to catch all spellings (e.g. "*-adsl-*" must also be written as "*-Adsl-*", "*-aDsl-*", etc.), leading to massive rule bloat.
The attached patch is a possible fix. -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-3-686 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
diff -u tcp-wrappers-7.6.dbs/debian/patches/05_wildcard_matching tcp-wrappers-7.6.dbs/debian/patches/05_wildcard_matching --- tcp-wrappers-7.6.dbs/debian/patches/05_wildcard_matching +++ tcp-wrappers-7.6.dbs/debian/patches/05_wildcard_matching @@ -1,9 +1,10 @@ See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847 +(Though the original code needs to be patched to be case-insensitive.) -diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 ---- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 18:54:33.000000000 +0200 -+++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 18:54:27.000000000 +0200 -@@ -89,6 +89,10 @@ +diff -uNrp tcp_wrappers_7.6~/hosts_access.5 tcp_wrappers_7.6/hosts_access.5 +--- tcp_wrappers_7.6~/hosts_access.5 2007-05-30 20:29:50.000000000 -0700 ++++ tcp_wrappers_7.6/hosts_access.5 2007-05-30 20:30:19.000000000 -0700 +@@ -89,6 +89,10 @@ An expression of the form `n.n.n.n/m.m.m bitwise AND of the address and the `mask\'. For example, the net/mask pattern `131.155.72.0/255.255.254.0\' matches every address in the range `131.155.72.0\' through `131.155.73.255\'. @@ -14,10 +15,10 @@ .SH WILDCARDS The access control language supports explicit wildcards: .IP ALL -diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c ---- tcp_wrappers_7.6.orig/hosts_access.c 1997-02-12 02:13:23.000000000 +0100 -+++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 18:52:21.000000000 +0200 -@@ -289,6 +289,11 @@ +diff -uNrp tcp_wrappers_7.6~/hosts_access.c tcp_wrappers_7.6/hosts_access.c +--- tcp_wrappers_7.6~/hosts_access.c 2007-05-30 20:29:23.000000000 -0700 ++++ tcp_wrappers_7.6/hosts_access.c 2007-05-30 20:35:56.000000000 -0700 +@@ -289,6 +289,11 @@ char *string; { int n; @@ -29,7 +30,7 @@ if (tok[0] == '.') { /* suffix */ n = strlen(string) - strlen(tok); return (n > 0 && STR_EQ(tok, string + n)); -@@ -329,3 +334,71 @@ +@@ -329,3 +334,78 @@ char *string; } return ((addr & mask) == net); } 
@@ -47,6 +48,8 @@
 +
 +int match_pattern_ylo(const char *s, const char *pattern)
 +{
++ char src;
++ char pat;
 + while (1)
 + {
 + /* If at end of pattern, accept if also at end of string. */
@@ -68,10 +71,13 @@
 + {
 + /* Look instances of the next character in pattern, and try
 + to match starting from those. */
-+ for (; *s; s++)
-+ if (*s == *pattern &&
++ pat = *pattern;
++ for (; *s; s++) {
++ src = *s;
++ if (toupper(src) == toupper(pat) &&
 + match_pattern_ylo(s + 1, pattern + 1))
 + return 1;
++ }
 + /* Failed. */
 + return 0;
 + }
@@ -91,7 +97,9 @@
 + return 0;
 +
 + /* Check if the next character of the string is acceptable. */
-+ if (*pattern != '?' && *pattern != *s)
++ pat = *pattern;
++ src = *s;
++ if (*pattern != '?' && toupper(pat) != toupper(src))
 + return 0;
 +
 + /* Move to the next character, both in string and in pattern. */
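Review bot: `toupper()` in the second and third hunks is passed `src` and `pat`, which the first hunk declares as plain `char`; where `char` is signed, any byte above 0x7f in the string or the pattern becomes a negative argument, and that is undefined behaviour for the `<ctype.h>` functions. The string being matched is presumably a client host name, so it should be treated as untrusted input to an access-control decision. Declare both temporaries as `unsigned char`, or drop them and write `toupper((unsigned char)*s) == toupper((unsigned char)*pattern)` and `toupper((unsigned char)*pattern) != toupper((unsigned char)*s)` directly. No `#include <ctype.h>` is visible in these hunks, so confirm the patched hosts_access.c pulls it in; the body of match_pattern_ylo continues outside all three hunks.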