authorChristian Hoffmann <hoffie@gentoo.org>2008-11-09 11:56:31 +0000
committerChristian Hoffmann <hoffie@gentoo.org>2008-11-09 11:56:31 +0000
commit18f6b4f74600a58eb8198ec17176699255b0c3b1 (patch)
tree55fe8c284ac412521dde8fdc141e96dbb90eaffa /net-ftp/proftpd/files
parentamd64/x86 stable, bug #245169 (diff)
adding proftpd-1.3.1-r1 to get a regression-free version of proftpd which ships a patch for security bug 238762, adding proftpd-1.3.2_rc2-r2 to fix a mod_shaper-related compile failure as pointed out by Joker in bug 238762; also fixing bug 221275
Package-Manager: portage-2.2_rc13/cvs/Linux 2.6.27-gentoo x86_64
Diffstat (limited to 'net-ftp/proftpd/files')
-rw-r--r--net-ftp/proftpd/files/proftpd-1.3.1-CVE-2008-4242.patch172
1 files changed, 172 insertions, 0 deletions
diff --git a/net-ftp/proftpd/files/proftpd-1.3.1-CVE-2008-4242.patch b/net-ftp/proftpd/files/proftpd-1.3.1-CVE-2008-4242.patch
new file mode 100644
index 000000000000..9b08cade2ab9
--- /dev/null
+++ b/net-ftp/proftpd/files/proftpd-1.3.1-CVE-2008-4242.patch
@@ -0,0 +1,172 @@
+Patch taken from debian, closes
+http://secunia.com/advisories/cve_reference/CVE-2008-4242/
+https://bugs.gentoo.org/show_bug.cgi?id=238762
+diff -urNad trunk~/src/main.c trunk/src/main.c
+--- trunk~/src/main.c 2008-09-21 23:50:55.000000000 +0200
++++ trunk/src/main.c 2008-09-21 23:50:55.000000000 +0200
+@@ -674,12 +674,17 @@
+ while (TRUE) {
+ pr_signals_handle();
+
++ memset(buf,'\0',sizeof(buf));
++
+ if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm,
+ session.c->outstrm) == NULL) {
+
+- if (PR_NETIO_ERRNO(session.c->instrm) == EINTR)
+- /* Simple interrupted syscall */
++ if (errno == E2BIG) {
++ /* The client sent a too-long command which was ignored; give
++ * them another chance?
++ */
+ continue;
++ }
+
+ #ifndef PR_DEVEL_NO_DAEMON
+ /* Otherwise, EOF */
+@@ -695,20 +700,31 @@
+
+ if (cmd_buf_size == -1) {
+ int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize", FALSE);
++ size_t default_cmd_bufsz;
++
++ /* It's possible for the admin to select a PR_TUNABLE_BUFFER_SIZE which
++ * is smaller than PR_DEFAULT_CMD_BUFSZ. We need to handle such cases
++ * properly.
++ */
++ default_cmd_bufsz = PR_DEFAULT_CMD_BUFSZ;
++ if (default_cmd_bufsz > sizeof(buf)) {
++ default_cmd_bufsz = sizeof(buf);
++ }
++
+ if (bufsz == NULL) {
+- cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++ cmd_buf_size = default_cmd_bufsz;
+
+ } else if (*bufsz <= 0) {
+ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
+ "given, using default buffer size (%u) instead",
+- *bufsz, PR_DEFAULT_CMD_BUFSZ);
+- cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++ *bufsz, default_cmd_bufsz);
++ cmd_buf_size = default_cmd_bufsz;
+
+ } else if (*bufsz + 1 > sizeof(buf)) {
+ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
+ "given, using default buffer size (%u) instead",
+- *bufsz, PR_DEFAULT_CMD_BUFSZ);
+- cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++ *bufsz, default_cmd_bufsz);
++ cmd_buf_size = default_cmd_bufsz;
+
+ } else {
+ pr_log_debug(DEBUG1, "setting CommandBufferSize to %d", *bufsz);
+diff -urNad trunk~/src/netio.c trunk/src/netio.c
+--- trunk~/src/netio.c 2008-09-21 23:39:34.000000000 +0200
++++ trunk/src/netio.c 2008-09-21 23:52:17.000000000 +0200
+@@ -1,6 +1,6 @@
+ /*
+ * ProFTPD - FTP server daemon
+- * Copyright (c) 2001-2007 The ProFTPD Project team
++ * Copyright (c) 2001-2008 The ProFTPD Project team
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -30,19 +30,19 @@
+ #include <signal.h>
+
+ #ifndef IAC
+-#define IAC 255
++# define IAC 255
+ #endif
+ #ifndef DONT
+-#define DONT 254
++# define DONT 254
+ #endif
+ #ifndef DO
+-#define DO 253
++# define DO 253
+ #endif
+ #ifndef WONT
+-#define WONT 252
++# define WONT 252
+ #endif
+ #ifndef WILL
+-#define WILL 251
++# define WILL 251
+ #endif
+
+ static const char *trace_channel = "netio";
+@@ -51,6 +51,17 @@
+ static pr_netio_t *core_data_netio = NULL, *data_netio = NULL;
+ static pr_netio_t *core_othr_netio = NULL, *othr_netio = NULL;
+
++/* Used to track whether the previous text read from the client's control
++ * connection was a properly-terminated command. If so, then read in the
++ * next/current text as per normal. If NOT (e.g. the client sent a too-long
++ * command), then read in the next/current text, but ignore it. Only clear
++ * this flag if the next/current command can be read as per normal.
++ *
++ * The pr_netio_telnet_gets() uses this variable, in conjunction with its
++ * saw_newline flag, for handling too-long commands from clients.
++ */
++static int properly_terminated_prev_command = TRUE;
++
+ static pr_netio_stream_t *netio_stream_alloc(pool *parent_pool) {
+ pool *netio_pool = NULL;
+ pr_netio_stream_t *nstrm = NULL;
+@@ -911,7 +922,7 @@
+ char *bp = buf;
+ unsigned char cp;
+ static unsigned char mode = 0;
+- int toread;
++ int toread, saw_newline = FALSE;
+ pr_buffer_t *pbuf = NULL;
+
+ if (buflen == 0) {
+@@ -940,8 +951,9 @@
+ *bp = '\0';
+ return buf;
+
+- } else
++ } else {
+ return NULL;
++ }
+ }
+
+ pbuf->remaining = pbuf->buflen - toread;
+@@ -1004,6 +1016,8 @@
+ toread--;
+ *bp++ = *pbuf->current++;
+ pbuf->remaining++;
++
++ saw_newline = TRUE;
+ break;
+ }
+
+@@ -1011,6 +1025,25 @@
+ pbuf->current = NULL;
+ }
+
++ if (!saw_newline) {
++ /* If we haven't seen a newline, then assume the client is deliberately
++ * sending a too-long command, trying to exploit buffer sizes and make
++ * the server make some possibly bad assumptions.
++ */
++
++ properly_terminated_prev_command = FALSE;
++ errno = E2BIG;
++ return NULL;
++ }
++
++ if (!properly_terminated_prev_command) {
++ properly_terminated_prev_command = TRUE;
++ pr_log_pri(PR_LOG_NOTICE, "client sent too-long command, ignoring");
++ errno = E2BIG;
++ return NULL;
++ }
++
++ properly_terminated_prev_command = TRUE;
+ *bp = '\0';
+ return buf;
+ }