* Recai Oktaş:

> Thanks for the backport, unfortunately I don't have a Sarge box at the
> moment, but will try to find one.

A sarge chroot is probably good enough for this kind of package.

>> The following potential security issues have been fixed upstream, but
>> not in the sid version (there are some more issues apparently, but
>> those bugs were introduced past the sid version AFAICS):
>
> I'm going to prepare an urgent sid upload for those bugs.

I'm not sure if it is worth the effort, until we have all other issues
sorted out.

> Thanks for the backport, unfortunately I don't have a Sarge box at the
> moment, but will try to find one.  Could you please supply the url of
> backported patch so that I can also work on it?

Okay, the four patches for sarge I've got so far are included below.
Patches five and six address a few issues I spotted while backporting.
Everything is completely untested.

Subject: [PATCH] r1333: Fixed crashes with very long (revisions) attributes

---

 debian/changelog |    8 +++++
 src/elogd.c      |   85 ++++++++++++++++++++++++++++++------------------------
 2 files changed, 56 insertions(+), 37 deletions(-)

6bb233bc624fcb196935dc069238777f06a90cca
diff --git a/debian/changelog b/debian/changelog
index 6f8e6a7..9f49646 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+elog (2.5.7+r1558-4+sarge1) unstable; urgency=low
+
+  * Security update
+  * Backport r1333 from upstream's Subversion repository:
+    "Fixed crashes with very long (revisions) attributes"
+
+ -- Florian Weimer <[EMAIL PROTECTED]>  Mon, 23 Jan 2006 15:56:37 +0100
+
 elog (2.5.7+r1558-3) testing-proposed-updates; urgency=high
 
   * Security update.  Backport the fix (r1.648) for a buffer overflow:
diff --git a/src/elogd.c b/src/elogd.c
index 5a5da40..802e1dd 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -1648,17 +1648,19 @@ size_t strlcat(char *dst, const char *sr
 
 /*-------------------------------------------------------------------*/
 
-void strsubst(char *string, char name[][NAME_LENGTH], char 
value[][NAME_LENGTH], int n)
-                                                      /* subsitute "$name" 
with value corresponding to name */
+void strsubst(char *string, int size, char name[][NAME_LENGTH], char 
value[][NAME_LENGTH], int n)
+/* subsitute "$name" with value corresponding to name */
 {
    int i, j;
-   char tmp[1000], str[NAME_LENGTH], uattr[NAME_LENGTH], *ps, *pt, *p;
+   char tmp[2*NAME_LENGTH], str[2*NAME_LENGTH], uattr[2*NAME_LENGTH], *ps, 
*pt, *p;
 
    pt = tmp;
    ps = string;
    for (p = strchr(ps, '$'); p != NULL; p = strchr(ps, '$')) {
       /* copy leading characters */
       j = (int) (p - ps);
+      if (j >= sizeof(tmp))
+         return;
       memcpy(pt, ps, j);
       pt += j;
       p++;
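Review bot: The added guard `if (j >= sizeof(tmp))` compares the run length with the whole of `tmp` rather than with the space left after `pt`, so once an earlier substitution has advanced `pt` the `memcpy(pt, ps, j)` below it can still write past the end of `tmp`. The check should use the remaining room, e.g. `if ((size_t) j >= sizeof(tmp) - (size_t) (pt - tmp)) return;`, which also removes the signed/unsigned comparison. Returning at this point leaves `string` unsubstituted without telling the caller, which deserves a comment. The body of strsubst continues outside this hunk, so the copies into `str` and `uattr` are not visible here.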
@@ -1680,7 +1682,7 @@ void strsubst(char *string, char name[][
 
       /* copy value */
       if (i < n) {
-         strcpy(pt, value[i]);
+         strlcpy(pt, value[i], sizeof(tmp)-((int)pt-(int)tmp));
          pt += strlen(pt);
          ps = p + strlen(uattr);
       } else {
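Review bot: `sizeof(tmp)-((int)pt-(int)tmp)` converts both pointers to `int`, which discards the upper bits on platforms where pointers are wider than `int` and is implementation-defined in any case. Pointer subtraction gives the offset directly: `strlcpy(pt, value[i], sizeof(tmp) - (size_t) (pt - tmp));`. The same expression is used for the "copy remainder" call in the next hunk and should change with it.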
@@ -1690,10 +1692,10 @@ void strsubst(char *string, char name[][
    }
 
    /* copy remainder */
-   strcpy(pt, ps);
+   strlcpy(pt, ps, sizeof(tmp)-((int)pt-(int)tmp));
 
    /* return result */
-   strcpy(string, tmp);
+   strlcpy(string, tmp, size);
 }
 
 /*------------------------------------------------------------------*/
@@ -3534,7 +3536,7 @@ void retrieve_email_from(LOGBOOK * lbs, 
 
    if (attrib) {
       i = build_subst_list(lbs, slist, svalue, attrib, TRUE);
-      strsubst(str, slist, svalue, i);
+      strsubst(str, sizeof(str), slist, svalue, i);
 
       /* remove possible 'mailto:' */
       if ((p = strstr(str, "mailto:";)) != NULL)
@@ -7446,7 +7448,7 @@ auto-increment tags */
 
 BOOL is_author(LOGBOOK * lbs, char attrib[MAX_N_ATTR][NAME_LENGTH], char 
*owner)
 {
-   char str[1000], preset[1000];
+   char str[NAME_LENGTH], preset[NAME_LENGTH];
    int i;
 
    /* check if current user is admin */
@@ -7553,7 +7555,7 @@ void show_date_selector(int day, int mon
 void attrib_from_param(int n_attr, char attrib[MAX_N_ATTR][NAME_LENGTH])
 {
    int i, j, first, year, month, day;
-   char str[1000], ua[NAME_LENGTH];
+   char str[NAME_LENGTH], ua[NAME_LENGTH];
    time_t ltime;
    struct tm ts;
 
@@ -7616,7 +7618,7 @@ void show_edit_form(LOGBOOK * lbs, int m
 {
    int i, j, n, index, aindex, size, width, height, fh, length, input_size, 
input_maxlen,
        format_flags[MAX_N_ATTR], year, month, day, n_attr, n_disp_attr, 
attr_index[MAX_N_ATTR];
-   char str[1000], preset[1000], *p, *pend, star[80], comment[10000], 
reply_string[256],
+   char str[2*NAME_LENGTH], preset[2*NAME_LENGTH], *p, *pend, star[80], 
comment[10000], reply_string[256],
        list[MAX_N_ATTR][NAME_LENGTH], file_name[256], *buffer, format[256], 
date[80],
        attrib[MAX_N_ATTR][NAME_LENGTH], *text, orig_tag[80],
        reply_tag[MAX_REPLY_TO * 10], att[MAX_ATTACHMENTS][256], encoding[80],
@@ -7692,7 +7694,7 @@ void show_edit_form(LOGBOOK * lbs, int m
 
             /* do not format date for date attributes */
             i = build_subst_list(lbs, slist, svalue, attrib, 
(attr_flags[index] & AF_DATE) == 0);
-            strsubst(preset, slist, svalue, i);
+            strsubst(preset, sizeof(preset), slist, svalue, i);
 
             /* check for index substitution */
             if (!bedit && strchr(preset, '%')) {
@@ -7715,7 +7717,7 @@ void show_edit_form(LOGBOOK * lbs, int m
 
             /* do not format date for date attributes */
             i = build_subst_list(lbs, slist, svalue, attrib, 
(attr_flags[index] & AF_DATE) == 0);
-            strsubst(preset, slist, svalue, i);
+            strsubst(preset, sizeof(preset), slist, svalue, i);
 
             /* check for index substitution */
             if (!bedit && strchr(preset, '%')) {
@@ -7839,7 +7841,7 @@ void show_edit_form(LOGBOOK * lbs, int m
                sprintf(str, "%d", message_id);
                add_subst_list(slist, svalue, "message id", str, &i);
                add_subst_time(lbs, slist, svalue, "entry time", date, &i);
-               strsubst(preset, slist, svalue, i);
+               strsubst(preset, sizeof(preset), slist, svalue, i);
                strcpy(attrib[index], preset);
             }
          }
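Review bot: `strcpy(attrib[index], preset)` at the end of this hunk can now receive a source longer than its destination, because this commit enlarges `preset` to `2*NAME_LENGTH` and lets strsubst fill it, while `attrib` is declared `[MAX_N_ATTR][NAME_LENGTH]`. The next hunk adds a length clamp before its own copy, but this path has none; `strlcpy(attrib[index], preset, NAME_LENGTH);` would bound it. The `strcpy(attrib[i], subst_str)` after the strsubst call in submit_elog looks like the same pattern if MAX_PATH_LENGTH exceeds NAME_LENGTH, which is not visible here.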
@@ -7859,7 +7861,16 @@ void show_edit_form(LOGBOOK * lbs, int m
             add_subst_list(slist, svalue, "message id", str, &i);
             add_subst_time(lbs, slist, svalue, "entry time", date, &i);
 
-            strsubst(preset, slist, svalue, i);
+            strsubst(preset, sizeof(preset), slist, svalue, i);
+            if (strlen(preset) > NAME_LENGTH - 100) {
+               if (strstr(preset+100, "<br>")) {
+                  strlcpy(str, strstr(preset+100, "<br>"), sizeof(str));
+               } else
+                  strlcpy(str, preset+100, sizeof(str));
+
+               strcpy(preset, "...");
+               strlcat(preset, str, sizeof(str));
+            }
             if (strncmp(preset, "<br>", 4) == 0)
                strcpy(attrib[index], preset + 4);
             else
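Review bot: The new clamp does not guarantee that `preset` fits `attrib[index]`: it drops at least the first 100 characters, but `preset` can hold up to `2*NAME_LENGTH-1`, so the result may still exceed `NAME_LENGTH` when the `strcpy` calls below it run (the second one lies past the end of this hunk). Bounding the copies themselves, e.g. `strlcpy(attrib[index], preset + 4, NAME_LENGTH);`, closes this regardless of the clamp. `strlcat(preset, str, sizeof(str))` also names the wrong buffer; it is harmless only because both arrays are `2*NAME_LENGTH`, and it should read `sizeof(preset)`.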
@@ -8575,7 +8586,7 @@ void show_edit_form(LOGBOOK * lbs, int m
             add_subst_time(lbs, slist, svalue, "entry time", date, &j);
 
             if (getcfg(lbs->name, "Prepend on edit", str, sizeof(str))) {
-               strsubst(str, slist, svalue, j);
+               strsubst(str, sizeof(preset), slist, svalue, j);
                while (strstr(str, "\\n"))
                   memcpy(strstr(str, "\\n"), "\r\n", 2);
                rsprintf(str);
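Review bot: `strsubst(str, sizeof(preset), ...)` passes the size of a different buffer from the one being written; both are `2*NAME_LENGTH` in show_edit_form, so it works by coincidence, and it should be `sizeof(str)` as in the following hunks. Separately, the substituted text is then passed as `rsprintf(str)`. If rsprintf is printf-style, as its other uses on this page suggest, a `%` in the configured text or in a substituted attribute value would be read as a conversion; `rsprintf("%s", str)`, or the `rsputs3(str)` used for "Append on edit", avoids that.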
@@ -8587,7 +8598,7 @@ void show_edit_form(LOGBOOK * lbs, int m
 
             if (!bupload)
                if (getcfg(lbs->name, "Append on edit", str, sizeof(str))) {
-                  strsubst(str, slist, svalue, j);
+                  strsubst(str, sizeof(str), slist, svalue, j);
                   while (strstr(str, "\\n"))
                      memcpy(strstr(str, "\\n"), "\r\n", 2);
                   rsputs3(str);
@@ -8602,7 +8613,7 @@ void show_edit_form(LOGBOOK * lbs, int m
                add_subst_list(slist, svalue, "message id", mid, &j);
                add_subst_time(lbs, slist, svalue, "entry time", date, &j);
 
-               strsubst(str, slist, svalue, j);
+               strsubst(str, sizeof(str), slist, svalue, j);
                while (strstr(str, "\\n"))
                   memcpy(strstr(str, "\\n"), "\r\n", 2);
                rsputs3(str);
@@ -8652,7 +8663,7 @@ void show_edit_form(LOGBOOK * lbs, int m
                sprintf(mid, "%d", message_id);
                add_subst_list(slist, svalue, "message id", mid, &j);
                add_subst_time(lbs, slist, svalue, "entry time", date, &j);
-               strsubst(str, slist, svalue, j);
+               strsubst(str, sizeof(str), slist, svalue, j);
                while (strstr(str, "\\n"))
                   memcpy(strstr(str, "\\n"), "\r\n", 2);
                rsputs3(str);
@@ -8685,7 +8696,7 @@ void show_edit_form(LOGBOOK * lbs, int m
             xfree(buffer);
          } else {
             j = build_subst_list(lbs, slist, svalue, attrib, TRUE);
-            strsubst(str, slist, svalue, j);
+            strsubst(str, sizeof(str), slist, svalue, j);
             while (strstr(str, "\\n"))
                memcpy(strstr(str, "\\n"), "\r\n", 2);
             rsputs3(str);
@@ -13394,7 +13405,7 @@ void display_line(LOGBOOK * lbs, int mes
       add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue,
                      "entry time", date, &j);
 
-      strsubst(display, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) 
svalue, j);
+      strsubst(display, sizeof(display), (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, j);
 
       if (highlight != message_id)
          rsprintf("<a href=\"%s\">", ref);
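Review bot: `sizeof(display)` is the buffer size only if `display` is a local array in display_line; its declaration is outside this hunk, and if it is a `char *` the call would pass the pointer size and cut every substitution down to a few bytes. The same holds for `sizeof(title)` in show_rss_feed, `sizeof(subject)` in compose_email and `sizeof(shell_cmd)` in execute_shell, whose declarations are not shown either. Each should be confirmed, and a short comment at the declaration noting that strsubst relies on the array size would keep a later change to a pointer from silently breaking it.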
@@ -13457,7 +13468,7 @@ void display_line(LOGBOOK * lbs, int mes
                   add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist,
                                  (char (*)[NAME_LENGTH]) svalue, "entry time", 
date, &j);
 
-                  strsubst(display, (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, j);
+                  strsubst(display, sizeof(display), (char (*)[NAME_LENGTH]) 
slist, (char (*)[NAME_LENGTH]) svalue, j);
 
                } else
                   sprintf(display, "%d", message_id);
@@ -13597,7 +13608,7 @@ void display_line(LOGBOOK * lbs, int mes
                            add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist,
                                           (char (*)[NAME_LENGTH]) svalue, 
"entry time", date, &j);
 
-                           strsubst(display, (char (*)[NAME_LENGTH]) slist,
+                           strsubst(display, sizeof(display), (char 
(*)[NAME_LENGTH]) slist,
                                     (char (*)[NAME_LENGTH]) svalue, j);
 
                         } else
@@ -14708,7 +14719,7 @@ void show_rss_feed(LOGBOOK * lbs)
          add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue,
                         "entry time", date, &i);
 
-         strsubst(title, (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, i);
+         strsubst(title, sizeof(title), (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, i);
       } else {
 
          title[0] = 0;
@@ -15220,7 +15231,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
             add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist,
                            (char (*)[NAME_LENGTH]) svalue, "entry time", date, 
&j);
 
-            strsubst(str, (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, j);
+            strsubst(str, sizeof(str), (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, j);
             setparam(attr_list[i], str);
          }
 
@@ -15322,7 +15333,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
                   add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist,
                                  (char (*)[NAME_LENGTH]) svalue, "entry time", 
date, &j);
 
-                  strsubst(str, (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, j);
+                  strsubst(str, sizeof(str), (char (*)[NAME_LENGTH]) slist, 
(char (*)[NAME_LENGTH]) svalue, j);
                   setparam(attr_list[i], str);
                }
 
@@ -15495,7 +15506,7 @@ void show_elog_list(LOGBOOK * lbs, INT p
 
    if (getcfg(lbs->name, "Summary Page Title", str, sizeof(str))) {
       i = build_subst_list(lbs, (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, NULL, TRUE);
-      strsubst(str, (char (*)[NAME_LENGTH]) slist, (char (*)[NAME_LENGTH]) 
svalue, i);
+      strsubst(str, sizeof(str), (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, i);
       strip_html(str);
    } else
       sprintf(str, "ELOG %s", lbs->name);
@@ -16329,7 +16340,7 @@ int compose_email(LOGBOOK * lbs, char *m
       j = build_subst_list(lbs, slist, svalue, attrib, TRUE);
       sprintf(str, "%d", message_id);
       add_subst_list(slist, svalue, "message id", str, &j);
-      strsubst(subject, slist, svalue, j);
+      strsubst(subject, sizeof(subject), slist, svalue, j);
    } else {
       if (old_mail)
          strcpy(subject, "Updated ELOG entry");
@@ -16432,7 +16443,7 @@ int execute_shell(LOGBOOK * lbs, int mes
    i = build_subst_list(lbs, slist, svalue, attrib, TRUE);
    sprintf(str, "%d", message_id);
    add_subst_list(slist, svalue, "message id", str, &i);
-   strsubst(shell_cmd, slist, svalue, i);
+   strsubst(shell_cmd, sizeof(shell_cmd), slist, svalue, i);
 
    write_logfile(lbs, "SHELL \"%s\"", shell_cmd);
 
@@ -16619,7 +16630,7 @@ int set_attributes(LOGBOOK * lbs, char a
 
 void submit_elog(LOGBOOK * lbs)
 {
-   char str[1000], str2[1000], file_name[256], error[1000], date[80],
+   char str[NAME_LENGTH], str2[NAME_LENGTH], file_name[256], error[1000], 
date[80],
        mail_list[MAX_N_LIST][NAME_LENGTH], list[10000], *p,
        attrib[MAX_N_ATTR][NAME_LENGTH], subst_str[MAX_PATH_LENGTH],
        in_reply_to[80], reply_to[MAX_REPLY_TO * 10], user[256], 
user_email[256],
@@ -16855,7 +16866,7 @@ void submit_elog(LOGBOOK * lbs)
       if (!*getparam("edit_id")) {
          sprintf(str, "Subst %s", attr_list[i]);
          if (getcfg(lbs->name, str, subst_str, sizeof(subst_str))) {
-            strsubst(subst_str, slist, svalue, n);
+            strsubst(subst_str, sizeof(subst_str), slist, svalue, n);
             strcpy(attrib[i], subst_str);
          }
       }
@@ -16987,7 +16998,7 @@ void submit_elog(LOGBOOK * lbs)
                   sprintf(str, "%d", message_id);
                   add_subst_list(slist, svalue, "message id", str, &j);
                   add_subst_time(lbs, slist, svalue, "entry time", date, &j);
-                  strsubst(mail_list[i], slist, svalue, j);
+                  strsubst(mail_list[i], NAME_LENGTH, slist, svalue, j);
 
                   /* remove possible 'mailto:' */
                   if ((p = strstr(mail_list[i], "mailto:";)) != NULL)
@@ -17360,9 +17371,9 @@ void show_elog_entry(LOGBOOK * lbs, char
    int size, i, j, n, n_log, status, fh, length, message_error, index, 
n_hidden,
        message_id, orig_message_id, format_flags[MAX_N_ATTR], 
att_hide[MAX_ATTACHMENTS],
        n_attachments, n_lines;
-   char str[1000], ref[256], file_enc[256], attrib[MAX_N_ATTR][NAME_LENGTH];
+   char str[2*NAME_LENGTH], ref[256], file_enc[256], 
attrib[MAX_N_ATTR][NAME_LENGTH];
    char date[80], text[TEXT_SIZE], menu_str[1000], cmd[256], cmd_enc[256],
-       orig_tag[80], reply_tag[MAX_REPLY_TO * 10], display[256],
+       orig_tag[80], reply_tag[MAX_REPLY_TO * 10], display[NAME_LENGTH],
        attachment[MAX_ATTACHMENTS][MAX_PATH_LENGTH], encoding[80], 
locked_by[256],
        att[256], lattr[256], mid[80], menu_item[MAX_N_LIST][NAME_LENGTH], 
format[80],
        slist[MAX_N_ATTR + 10][NAME_LENGTH], file_name[MAX_PATH_LENGTH],
@@ -17537,7 +17548,7 @@ void show_elog_entry(LOGBOOK * lbs, char
          sprintf(mid, "%d", message_id);
          add_subst_list(slist, svalue, "message id", mid, &i);
          add_subst_time(lbs, slist, svalue, "entry time", date, &i);
-         strsubst(str, slist, svalue, i);
+         strsubst(str, sizeof(str), slist, svalue, i);
          strip_html(str);
       } else
          strcpy(str, "ELOG");
@@ -17780,7 +17791,7 @@ void show_elog_entry(LOGBOOK * lbs, char
          add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist,
                         (char (*)[NAME_LENGTH]) svalue, "entry time", date, 
&j);
 
-         strsubst(display, (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, j);
+         strsubst(display, sizeof(display), (char (*)[NAME_LENGTH]) slist, 
(char (*)[NAME_LENGTH]) svalue, j);
 
       } else
          sprintf(display, "%d", message_id);
@@ -17961,7 +17972,7 @@ void show_elog_entry(LOGBOOK * lbs, char
                add_subst_time(lbs, (char (*)[NAME_LENGTH]) slist,
                               (char (*)[NAME_LENGTH]) svalue, "entry time", 
date, &j);
 
-               strsubst(display, (char (*)[NAME_LENGTH]) slist, (char 
(*)[NAME_LENGTH]) svalue, j);
+               strsubst(display, sizeof(display), (char (*)[NAME_LENGTH]) 
slist, (char (*)[NAME_LENGTH]) svalue, j);
 
             } else
                strcpy(display, attrib[i]);
@@ -18764,7 +18775,7 @@ void show_logbook_node(LBLIST plb, LBLIS
             sprintf(mid, "%d", message_id);
             add_subst_list(slist, svalue, "message id", mid, &j);
             add_subst_time(&lb_list[index], slist, svalue, "entry time", date, 
&j);
-            strsubst(str, slist, svalue, j);
+            strsubst(str, sizeof(str), slist, svalue, j);
             rsputs(str);
          }
          rsprintf("</td></tr>\n");
-- 
1.1.3
Subject: [PATCH] r1335: Applied patch from Emiliano to fix possible buffer 
overflow

---

 debian/changelog |    2 ++
 src/elogd.c      |    4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

be90cd68ad16c29ef3b7ba8c5ad89aa4a08afec1
diff --git a/debian/changelog b/debian/changelog
index 9f49646..36c80d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ elog (2.5.7+r1558-4+sarge1) unstable; ur
   * Security update
   * Backport r1333 from upstream's Subversion repository:
     "Fixed crashes with very long (revisions) attributes"
+  * Backport r1335 from upstream's Subversion repository:
+    "Applied patch from Emiliano to fix possible buffer overflow"
 
  -- Florian Weimer <[EMAIL PROTECTED]>  Mon, 23 Jan 2006 15:56:37 +0100
 
diff --git a/src/elogd.c b/src/elogd.c
index 802e1dd..5417544 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -5257,7 +5257,7 @@ void write_logfile(LOGBOOK * lbs, const 
    char str[10000];
    FILE *f;
    time_t now;
-   char buf[1000];
+   char buf[10000];
 
    if (lbs == NULL) {
       if (!getcfg("global", "logfile", str, sizeof(str)))
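Review bot: Raising `buf` from 1000 to 10000 bytes moves the overflow threshold rather than bounding the write. The statement that formats into `buf` is outside this hunk, so whether it is length-limited cannot be confirmed here. If it is an unbounded `vsprintf`, a size-limited call of the form `vsnprintf(buf, sizeof(buf), <format>, <va_list>)` would make the array size irrelevant to safety.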
@@ -7239,7 +7239,7 @@ BOOL change_pwd(LOGBOOK * lbs, char *use
    getcfg(lbs->name, "Password file", str, sizeof(str));
 
    if (str[0] == DIR_SEPARATOR || str[1] == ':')
-      strcpy(file_name, str);
+      strlcpy(file_name, str, sizeof(file_name));
    else {
       strlcpy(file_name, resource_dir, sizeof(file_name));
       strlcat(file_name, str, sizeof(file_name));
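Review bot: `strlcpy(file_name, str, sizeof(file_name))` truncates an over-long "Password file" setting silently, so the file that is opened afterwards may not be the configured one. Assuming the local strlcpy returns the source length like the BSD function, `if (strlcpy(file_name, str, sizeof(file_name)) >= sizeof(file_name)) return FALSE;` turns truncation into an error. The return value of the getcfg call on the first context line is ignored, so `str` may not have been set when `str[0]` and `str[1]` are tested; the rest of change_pwd is outside this hunk.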
-- 
1.1.3
Subject: [PATCH] r1472: Do not distinguish between invalid user name and 
invalid password

---

 debian/changelog |    3 ++
 src/elog.c       |   12 +++------
 src/elogd.c      |   70 ++++++++++++++----------------------------------------
 3 files changed, 25 insertions(+), 60 deletions(-)

4496b5d8e83505698c9c16c527653f2224499fda
diff --git a/debian/changelog b/debian/changelog
index 36c80d1..07e1ce7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,9 @@ elog (2.5.7+r1558-4+sarge1) unstable; ur
     "Fixed crashes with very long (revisions) attributes"
   * Backport r1335 from upstream's Subversion repository:
     "Applied patch from Emiliano to fix possible buffer overflow"
+  * Backport r1472 from upstream's Subversion repository: 
+    "Do not distinguish between invalid user name and invalid password for
+    security reasons"
 
  -- Florian Weimer <[EMAIL PROTECTED]>  Mon, 23 Jan 2006 15:56:37 +0100
 
diff --git a/src/elog.c b/src/elog.c
index 60f4efe..9a2d1db 100755
--- a/src/elog.c
+++ b/src/elog.c
@@ -527,10 +527,8 @@ INT retrieve_elog(char *host, int port, 
 
    if (strstr(response, "302 Found")) {
       if (strstr(response, "Location:")) {
-         if (strstr(response, "wpwd"))
-            printf("Error: Invalid password\n");
-         else if (strstr(response, "wusr"))
-            printf("Error: Invalid user name\n");
+         if (strstr(response, "fail"))
+            printf("Error: Invalid user name or password\n");
          else {
             strncpy(str, strstr(response, "Location:") + 10, sizeof(str));
             if (strchr(str, '?'))
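Review bot: `strstr(response, "fail")` searches the whole response for a four-letter word, so any redirect whose headers or URL happen to contain "fail" (in a logbook or attribute name, for instance) is reported as a login failure. Matching the parameter instead, `if (strstr(response, "?fail=") || strstr(response, "&fail="))`, is tighter. The same test appears in submit_elog in the next hunk and in submit_message and submit_config in elogd.c. The `strncpy(str, ..., sizeof(str))` on the context line below does not guarantee NUL termination.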
@@ -922,10 +920,8 @@ INT submit_elog(char *host, int port, ch
    /* check response status */
    if (strstr(response, "302 Found")) {
       if (strstr(response, "Location:")) {
-         if (strstr(response, "wpwd"))
-            printf("Error: Invalid password\n");
-         else if (strstr(response, "wusr"))
-            printf("Error: Invalid user name\n");
+         if (strstr(response, "fail"))
+            printf("Error: Invalid user name or password\n");
          else {
             strncpy(str, strstr(response, "Location:") + 10, sizeof(str));
             if (strchr(str, '?'))
diff --git a/src/elogd.c b/src/elogd.c
index 5417544..9d259b4 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -11437,11 +11437,8 @@ int retrieve_remote_md5(LOGBOOK * lbs, c
       if (isparam("debug"))
          rsputs(text);
 
-      if (strstr(text, "?wusr="))
-         sprintf(error_str, loc("User \"%s\" has no access to remote 
logbook"), getparam("unm"));
-      else if (strstr(text, "?wpwd="))
-         sprintf(error_str,
-                 loc("Passwords for user \"%s\" do not match locally and 
remotely"), getparam("unm"));
+      if (strstr(text, "?fail="))
+         sprintf(error_str, loc("Invalid user name \"%s\" or password for 
remote logbook"), getparam("unm"));
       else {
          strlcpy(str, p + 9, sizeof(str));
          if (strchr(str, '?'))
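Review bot: The `?fail=` test misses two redirect forms that this same commit produces: check_password appends `&fail=1` when the redirect URL already has a query string, and check_user_password sets `?fail` with no `=` for status 2. In those cases the failure falls into the `else` branch and is handled as an ordinary redirect; the `?fail=` test in receive_pwdfile has the same gap. In addition, `sprintf(error_str, ...)` formats the request parameter `unm` into a buffer whose size is not visible in this hunk, so a bounded `snprintf` would be safer if the size is known here.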
@@ -11764,10 +11761,8 @@ int submit_message(LOGBOOK * lbs, char *
    /* check response status */
    if (strstr(response, "302 Found")) {
       if (strstr(response, "Location:")) {
-         if (strstr(response, "wpwd"))
-            sprintf(error_str, "Invalid password\n");
-         else if (strstr(response, "wusr"))
-            sprintf(error_str, "Invalid user name\n");
+         if (strstr(response, "fail"))
+            sprintf(error_str, "Invalid user name or password\n");
 
          strlcpy(str, strstr(response, "Location:") + 9, sizeof(str));
          if (strchr(str, '\n'))
@@ -12058,10 +12053,8 @@ void submit_config(LOGBOOK * lbs, char *
    /* check response status */
    if (strstr(response, "302 Found")) {
       if (strstr(response, "Location:")) {
-         if (strstr(response, "wpwd"))
-            sprintf(error_str, "Invalid password\n");
-         else if (strstr(response, "wusr"))
-            sprintf(error_str, "Invalid user name\n");
+         if (strstr(response, "fail"))
+            sprintf(error_str, "Invalid usr name or password\n");
       }
    } else if (strstr(response, "Logbook Selection"))
       sprintf(error_str, "No logbook specified\n");
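Review bot: The new message in submit_config reads "Invalid usr name or password", while submit_message uses "Invalid user name or password" for the same condition. Suggest `sprintf(error_str, "Invalid user name or password\n");` so both paths report identical text.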
@@ -12342,7 +12335,7 @@ void receive_pwdfile(LOGBOOK * lbs, char
       /* check for logbook access */
       if (strstr(p, loc("Please login")) || strstr(p, "GetPwdFile") || status 
== 302) {
 
-         if (strstr(buffer, "?wusr=") || strstr(buffer, "?wpwd="))
+         if (strstr(buffer, "?fail="))
             eprintf("\nInvalid username or password.");
 
          if (strstr(p, loc("Please login")) == NULL && strstr(p, "GetPwdFile") 
&& isparam("unm"))
@@ -18222,12 +18215,12 @@ BOOL check_password(LOGBOOK * lbs, char 
       if (strcmp(password, str) == 0)
          return TRUE;
 
-      if (!isparam("wpwd") && password[0]) {
+      if (!isparam("fail") && password[0]) {
          strlcpy(str, redir, sizeof(str));
          if (strchr(str, '?'))
-            strlcat(str, "&wpwd=1", sizeof(str));
+            strlcat(str, "&fail=1", sizeof(str));
          else
-            strlcat(str, "?wpwd=1", sizeof(str));
+            strlcat(str, "?fail=1", sizeof(str));
          redirect(lbs, str);
          return FALSE;
       }
@@ -18237,7 +18230,7 @@ BOOL check_password(LOGBOOK * lbs, char 
 
       rsprintf("<table class=\"dlgframe\" cellspacing=0 align=center>");
 
-      if (isparam("wpwd"))
+      if (isparam("fail"))
          rsprintf("<tr><td class=\"dlgerror\">%s!</td></tr>\n", loc("Wrong 
password"));
 
       rsprintf("<tr><td class=\"dlgtitle\">\n");
@@ -18515,31 +18508,8 @@ BOOL check_user_password(LOGBOOK * lbs, 
       return FALSE;
    }
 
-   /* display error message for invalid user */
-   if (isparam("iusr")) {
-      /* header */
-      show_html_header(NULL, FALSE, "ELOG error", TRUE, FALSE);
-
-      rsprintf("<body><center>\n");
-      rsprintf("<table class=\"dlgframe\" width=\"50%%\" cellpadding=1 
cellspacing=0>");
-      sprintf(str, loc("User <i>\"%s\"</i> has no access to logbook 
<i>\"%s\"</i>"),
-              getparam("iusr"), lbs->name);
-      rsprintf("<tr><td class=\"errormsg\">%s</td></tr>\n", str);
-
-      rsprintf("<tr><td class=\"errormsg\">");
-      rsprintf("<a href=\"?LO=1\">%s</a></td></tr>", loc("Login as different 
user"));
-
-      rsprintf("<tr><td class=\"errormsg\">");
-      rsprintf("<a href=\"../\">%s</a></td></tr>", loc("Goto logbook selection 
page"));
-
-      rsprintf("</table>\n");
-      rsprintf("</center></body></html>\n");
-
-      return FALSE;
-   }
-
    if (!check_login_user(lbs, user)) {
-      sprintf(str, "?iusr=%s", user);
+      sprintf(str, "?fail=%s", user);
 
       redirect(lbs, str);
       return FALSE;
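Review bot: `sprintf(str, "?fail=%s", user)` still makes an unknown user distinguishable from a wrong password, because the wrong-password path later in this function redirects to `?fail=1` and the status-2 path sets `?fail`; the redirect target alone shows which check failed, which is what r1472 set out to hide. Using one constant on all three paths, `redirect(lbs, "?fail=1");`, removes the difference and also drops the unbounded, unencoded copy of `user` into `str`. check_user_password begins and ends outside this hunk, so the size of `str` is not visible.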
@@ -18552,8 +18522,8 @@ BOOL check_user_password(LOGBOOK * lbs, 
          return TRUE;
       }
 
-      if (!isparam("wpwd") && password[0]) {
-         redirect(lbs, "?wpwd=1");
+      if (!isparam("fail") && password[0]) {
+         redirect(lbs, "?fail=1");
          return FALSE;
       }
 
@@ -18585,11 +18555,8 @@ BOOL check_user_password(LOGBOOK * lbs, 
 
       rsprintf("<table class=\"dlgframe\" cellspacing=0 align=center>");
 
-      if (isparam("wpwd"))
-         rsprintf("<tr><td colspan=2 class=\"dlgerror\">%s!</td></tr>\n", 
loc("Wrong password"));
-
-      if (isparam("wusr")) {
-         sprintf(str, loc("Invalid user name <i>\"%s\"</i>"), 
getparam("wusr"));
+      if (isparam("fail")) {
+         sprintf(str, loc("Invalid user name or password"));
          rsprintf("<tr><td colspan=2 class=\"dlgerror\">%s!</td></tr>\n", str);
       }
 
@@ -18640,7 +18607,7 @@ BOOL check_user_password(LOGBOOK * lbs, 
    } else {
       if (status == 2) {
 
-         sprintf(str, "?wusr=%s", user);
+         sprintf(str, "?fail");
          setparam("redir", str);
 
          /* remove remaining cookies */
@@ -19452,8 +19419,7 @@ void interprete(char *lbook, char *path)
 
       /* check if guest access */
       if (!(getcfg(lbs->name, "Guest menu commands", str, sizeof(str))
-            && *getparam("unm") == 0 && !isparam("wpwd")
-            && !isparam("wusr"))) {
+            && *getparam("unm") == 0 && !isparam("fail"))) {
          if (strcmp(path, css) != 0) {
             /* if no guest menu commands but self register, evaluate new user 
commands */
             if (getcfg(lbs->name, "Self register", str, sizeof(str)) && 
atoi(str) > 0) {
-- 
1.1.3
Subject: [PATCH] r1529: Fixed bug with fprintf and buffer containing "%"

Our patch just eliminates the format string vulnerability.

---

 debian/changelog |    3 +++
 src/elogd.c      |    2 +-
 2 files changed, 4 insertions(+), 1 deletions(-)

5f621ef178ca89cc0d15097dedd6fe58c17800f1
diff --git a/debian/changelog b/debian/changelog
index 07e1ce7..636c566 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,9 @@ elog (2.5.7+r1558-4+sarge1) unstable; ur
   * Backport r1472 from upstream's Subversion repository: 
     "Do not distinguish between invalid user name and invalid password for
     security reasons"
+  * Backport r1529 from upstream's Subversion repository:
+    "Fixed bug with fprintf and buffer containing "%""
+    (Our patch just eliminates the format string vulnerability.)
 
  -- Florian Weimer <[EMAIL PROTECTED]>  Mon, 23 Jan 2006 15:56:37 +0100
 
diff --git a/src/elogd.c b/src/elogd.c
index 9d259b4..16dc751 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -5296,7 +5296,7 @@ void write_logfile(LOGBOOK * lbs, const 
    if (buf[strlen(buf) - 1] != '\n')
       strlcat(buf, "\n", sizeof(buf));
 
-   fprintf(f, buf);
+   fprintf(f, "%s", buf);
 
    fclose(f);
 }
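Review bot: The context line `if (buf[strlen(buf) - 1] != '\n')` reads before the start of `buf` when the formatted message is empty, because `strlen(buf) - 1` wraps around; this change does not address it. A guard such as `size_t len = strlen(buf); if (len == 0 || buf[len - 1] != '\n')` fixes that. With the format string now fixed, `fputs(buf, f);` states the intent more directly. The start of write_logfile is outside this hunk.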
-- 
1.1.3
Subject: [PATCH] Fix potential format string issues when calling write_logfile

---

 src/elogd.c |   64 ++++++++++++++++++++++++++++++-----------------------------
 1 files changed, 32 insertions(+), 32 deletions(-)

08bf2529af3f023688dcf50df44167574851ac75
diff --git a/src/elogd.c b/src/elogd.c
index 16dc751..466a928 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -2326,7 +2326,7 @@ INT sendmail(LOGBOOK * lbs, char *smtp_h
    recv_string(s, str, strsize, 10000);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    /* drain server messages */
    do {
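Review bot: These call sites are corrected by hand, and nothing prevents a later `write_logfile(lbs, str)` from reintroducing the problem. Declaring the prototype with `__attribute__((format(printf, 2, 3)))` under GCC lets `-Wformat-security` flag any non-literal format; the prototype is outside this hunk, so the argument positions are inferred from the calls shown. Almost every step in sendmail repeats the same `efputs`/`write_logfile` pair, so a small static helper doing both would confine this fix to one place. The remaining hunks of this patch repeat the same edit.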
@@ -2334,28 +2334,28 @@ INT sendmail(LOGBOOK * lbs, char *smtp_h
       recv_string(s, str, strsize, 300);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
    } while (str[0]);
 
    snprintf(str, strsize - 1, "HELO %s\r\n", host_name);
    send(s, str, strlen(str), 0);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
    recv_string(s, str, strsize, 3000);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    snprintf(str, strsize - 1, "MAIL FROM: %s\r\n", from);
    send(s, str, strlen(str), 0);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
    recv_string(s, str, strsize, 3000);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    /* break recipients into list */
    n = strbreak(to, list, 1024, ",");
@@ -2365,24 +2365,24 @@ INT sendmail(LOGBOOK * lbs, char *smtp_h
       send(s, str, strlen(str), 0);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
 
       /* increased timeout for SMTP servers with long alias lists */
       recv_string(s, str, strsize, 30000);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
    }
 
    snprintf(str, strsize - 1, "DATA\r\n");
    send(s, str, strlen(str), 0);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
    recv_string(s, str, strsize, 3000);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    if (email_to)
       snprintf(str, strsize - 1, "To: %s\r\n", to);
@@ -2392,33 +2392,33 @@ INT sendmail(LOGBOOK * lbs, char *smtp_h
    send(s, str, strlen(str), 0);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    snprintf(str, strsize - 1, "From: %s\r\nSubject: %s\r\n", from, subject);
    send(s, str, strlen(str), 0);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    snprintf(str, strsize - 1, "X-Mailer: Elog, Version %s\r\n", VERSION);
    send(s, str, strlen(str), 0);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    if (url) {
       snprintf(str, strsize - 1, "X-Elog-URL: %s\r\n", url);
       send(s, str, strlen(str), 0);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
    }
 
    snprintf(str, strsize - 1, "X-Elog-submit-type: web|elog\r\n");
    send(s, str, strlen(str), 0);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    /* switch locale temporarily back to english to comply with RFC2822 date 
format */
    setlocale(LC_ALL, "C");
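Review bot: `from` and `subject` are formatted directly into the `From:` and `Subject:` header lines in this hunk (and `from` into `MAIL FROM:` in an earlier one), and no check for CR or LF in them is visible. The subject is built by strsubst from attribute values in compose_email. If neither value is filtered before sendmail is called, which cannot be confirmed from here, an embedded line break would add header lines to the message. Rejecting or stripping `\r` and `\n` before these `snprintf` calls would settle it.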
@@ -2438,7 +2438,7 @@ INT sendmail(LOGBOOK * lbs, char *smtp_h
    send(s, str, strlen(str), 0);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    getcfg("global", "Language", str, sizeof(str));
    if (str[0])
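Review bot: `getcfg("global", "Language", str, sizeof(str));` passes `sizeof(str)` as the buffer size, but everywhere else in this function the size of `str` is `strsize`, and the buffer is released with `xfree(str)` near the end of the function. That suggests `str` is a heap pointer, in which case `sizeof(str)` is the size of the pointer and the language name is cut to a few characters. The declaration is outside this hunk, so please confirm; if it is a pointer the call should read `getcfg("global", "Language", str, strsize);`.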
@@ -2449,40 +2449,40 @@ INT sendmail(LOGBOOK * lbs, char *smtp_h
       send(s, str, strlen(str), 0);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
 
       sprintf(boundary, "%04X-%04X=:%04X", rand(), rand(), rand());
       snprintf(str, strsize - 1, "Content-Type: MULTIPART/MIXED; 
BOUNDARY=\"%s\"\r\n\r\n", boundary);
       send(s, str, strlen(str), 0);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
 
       snprintf(str, strsize - 1,
                "  This message is in MIME format.  The first part should be 
readable text,\r\n");
       send(s, str, strlen(str), 0);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
 
       snprintf(str, strsize - 1,
                "  while the remaining parts are likely unreadable without 
MIME-aware tools.\r\n\r\n");
       send(s, str, strlen(str), 0);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
 
       snprintf(str, strsize - 1, "--%s\r\nContent-Type: TEXT/PLAIN; 
charset=US-ASCII\r\n\r\n", boundary);
       send(s, str, strlen(str), 0);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
    } else {
       snprintf(str, strsize - 1, "Content-Type: TEXT/PLAIN; 
charset=US-ASCII\r\n\r\n");
       send(s, str, strlen(str), 0);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
    }
 
    /* analyze text for "." at beginning of line */
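Review bot: `sprintf(boundary, "%04X-%04X=:%04X", rand(), rand(), rand());` writes into `boundary` without a bound, and `%04X` is only a minimum width. Where RAND_MAX is larger than 0xFFFF each field can grow to eight hex digits, giving up to 27 characters plus the terminator. Whether `boundary` has room for that is not visible in this hunk, since its declaration is elsewhere in sendmail. Masking the values and bounding the write makes the length fixed: `snprintf(boundary, sizeof(boundary), "%04X-%04X=:%04X", rand() & 0xFFFF, rand() & 0xFFFF, rand() & 0xFFFF);`, assuming `boundary` is an array.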
@@ -2505,7 +2505,7 @@ INT sendmail(LOGBOOK * lbs, char *smtp_h
       send(s, str, strlen(str), 0);
       if (verbose)
          efputs(str);
-      write_logfile(lbs, str);
+      write_logfile(lbs, "%s", str);
 
       for (index = 0; index < n_att; index++) {
          /* return proper Content-Type for file type */
@@ -2529,20 +2529,20 @@ INT sendmail(LOGBOOK * lbs, char *smtp_h
          send(s, str, strlen(str), 0);
          if (verbose)
             efputs(str);
-         write_logfile(lbs, str);
+         write_logfile(lbs, "%s", str);
 
          snprintf(str, strsize - 1, "Content-Transfer-Encoding: BASE64\r\n");
          send(s, str, strlen(str), 0);
          if (verbose)
             efputs(str);
-         write_logfile(lbs, str);
+         write_logfile(lbs, "%s", str);
 
          snprintf(str, strsize - 1,
                   "Content-Disposition: attachment; filename=\"%s\"\r\n\r\n", 
att_file[index] + 14);
          send(s, str, strlen(str), 0);
          if (verbose)
             efputs(str);
-         write_logfile(lbs, str);
+         write_logfile(lbs, "%s", str);
 
          /* encode file */
          strlcpy(file_name, lbs->data_dir, sizeof(file_name));
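Review bot: `att_file[index] + 14` in the Content-Disposition line skips a fixed 14 bytes with no check that the string is at least that long. It presumably steps over a name prefix, but neither the meaning of 14 nor the length of the entry is established in this hunk, so a shorter entry would make the pointer pass the terminator. I would guard it with `if (strlen(att_file[index]) > 14)` and give the offset a named constant and a short comment. The same file name is placed inside a quoted header parameter, so it should also be checked for `"`, CR and LF. The loop body starts and ends outside this hunk.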
@@ -2574,7 +2574,7 @@ INT sendmail(LOGBOOK * lbs, char *smtp_h
          send(s, str, strlen(str), 0);
          if (verbose)
             efputs(str);
-         write_logfile(lbs, str);
+         write_logfile(lbs, "%s", str);
       }
    }
 
@@ -2583,22 +2583,22 @@ INT sendmail(LOGBOOK * lbs, char *smtp_h
    send(s, str, strlen(str), 0);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    recv_string(s, str, strsize, 3000);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    snprintf(str, strsize - 1, "QUIT\r\n");
    send(s, str, strlen(str), 0);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
    recv_string(s, str, strsize, 3000);
    if (verbose)
       efputs(str);
-   write_logfile(lbs, str);
+   write_logfile(lbs, "%s", str);
 
    closesocket(s);
    xfree(str);
@@ -12526,7 +12526,7 @@ void mprint(LOGBOOK * lbs, int mode, cha
    else if (mode == SYNC_CRON) {
       if (_logging_level > 1) {
          sprintf(line, "MIRROR: %s", str);
-         write_logfile(lbs, line);
+         write_logfile(lbs, "%s", line);
       }
    } else
       eputs(str);
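Review bot: `sprintf(line, "MIRROR: %s", str);` directly above the changed call is still unbounded, so a long `str` can overrun `line` before write_logfile is ever reached. The format-string fix on the next line does not help with that. Assuming `line` is a local array (its declaration is outside this hunk), `snprintf(line, sizeof(line), "MIRROR: %s", str);` bounds the copy. Alternatively the temporary can go entirely with `write_logfile(lbs, "MIRROR: %s", str);`. mprint's body starts and ends outside this hunk.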
-- 
1.1.3
Subject: [PATCH] Fix potential buffer overflow in write_logfile

---

 src/elogd.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

1bfce0e88fd5479e35a2c08d2a4dddfa6f681a69
diff --git a/src/elogd.c b/src/elogd.c
index 466a928..a24f27e 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -5273,7 +5273,7 @@ void write_logfile(LOGBOOK * lbs, const 
    }
 
    va_start(argptr, format);
-   vsprintf(str, (char *) format, argptr);
+   vsnprintf(str, sizeof(str), (char *) format, argptr);
    va_end(argptr);
 
    f = fopen(file_name, "a");
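Review bot: The `(char *) format` cast in the new vsnprintf call is unnecessary and discards the const qualifier; `vsnprintf(str, sizeof(str), format, argptr);` is sufficient. `sizeof(str)` is the right bound only if `str` is a local array, which is declared outside this hunk, so that is worth confirming. Longer messages are now silently truncated, which is acceptable for a log line but deserves a comment such as `/* output is truncated to sizeof(str) */`. Since the previous patch had to correct every `write_logfile(lbs, str)` call by hand, declaring the prototype with `__attribute__((format(printf, 2, 3)))` on GCC would let `-Wformat-security` flag any future non-literal format argument.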
-- 
1.1.3
