Add two security patches:

	patch-support.c: fixes CVE-2006-5815 remote code execution
	patch-mod_tls.c: fixes Bug#2860 Failure to check for data
			 length in mod_tls could lead to remote
			 buffer overwriting.

Submitted by:	maintainer
PR:		ports/106623

3 files changed, 118 insertions, 1 deletions

diff --git a/ftp/proftpd/Makefile b/ftp/proftpd/Makefile
index d392044538e3..fc13ea8ed65a 100644
--- a/ftp/proftpd/Makefile
+++ b/ftp/proftpd/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	proftpd
 DISTVERSION=	1.3.0
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	ftp
 MASTER_SITES=	ftp://ftp.proftpd.org/distrib/source/ \
 		ftp://ftp.fastorama.com/mirrors/ftp.proftpd.org/distrib/source/ \
diff --git a/ftp/proftpd/files/patch-mod_tls.c b/ftp/proftpd/files/patch-mod_tls.c
new file mode 100644
index 000000000000..61b62a827fef
--- /dev/null
+++ b/ftp/proftpd/files/patch-mod_tls.c
@@ -0,0 +1,38 @@
+diff -u -r1.100 mod_tls.c
+--- contrib/mod_tls.c	29 Nov 2006 03:47:56 -0000	1.100
++++ contrib/mod_tls.c	29 Nov 2006 04:09:06 -0000
+@@ -3103,17 +3103,25 @@
+   long datalen = 0;
+   int ok;
+    
+-  if ((ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE)))
+-     datalen = BIO_get_mem_data(mem, &data);
++  ok = X509_NAME_print_ex(mem, x509_name, 0, XN_FLAG_ONELINE);
++  if (ok) {
++    datalen = BIO_get_mem_data(mem, &data);
+ 
+-  if (data) {
+-    memset(&buf, '\0', sizeof(buf));
+-    memcpy(buf, data, datalen);
+-    buf[datalen] = '\0';
+-    buf[sizeof(buf)-1] = '\0';
++    if (data) {
++      memset(&buf, '\0', sizeof(buf));
+ 
+-    BIO_free(mem);
+-    return buf;
++      if (datalen >= sizeof(buf)) {
++        datalen = sizeof(buf)-1;
++      }
++
++      memcpy(buf, data, datalen);
++
++      buf[datalen] = '\0';
++      buf[sizeof(buf)-1] = '\0';
++
++      BIO_free(mem);
++      return buf;
++    }
+   }
+ 
+   BIO_free(mem);
diff --git a/ftp/proftpd/files/patch-support.c b/ftp/proftpd/files/patch-support.c
new file mode 100644
index 000000000000..b4066f378711
--- /dev/null
+++ b/ftp/proftpd/files/patch-support.c
@@ -0,0 +1,79 @@
+--- src/support.c	2005/09/28 02:06:26	1.78
++++ src/support.c	2006/11/27 14:49:47	1.80
+@@ -27,7 +27,7 @@
+ /* Various basic support routines for ProFTPD, used by all modules
+  * and not specific to one or another.
+  *
+- * $Id: support.c,v 1.78 2005/09/28 02:06:26 castaglia Exp $
++ * $Id: support.c,v 1.80 2006/11/27 14:49:47 jwm Exp $
+  */
+ 
+ #include "conf.h"
+@@ -632,7 +632,8 @@
+   char **mptr,**rptr;
+   char *marr[33],*rarr[33];
+   char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL;
+-  size_t mlen = 0, rlen = 0, blen;
++  size_t mlen = 0, rlen = 0;
++  int blen;
+   int dyn = TRUE;
+ 
+   cp = buf;
+@@ -646,7 +647,7 @@
+ 
+   while ((m = va_arg(args, char *)) != NULL && mlen < sizeof(marr)-1) {
+     char *tmp = NULL;
+-    size_t count = 0;
++    int count = 0;
+ 
+     if ((r = va_arg(args, char *)) == NULL)
+       break;
+@@ -659,6 +660,12 @@
+     while (tmp) {
+       pr_signals_handle();
+       count++;
++      if (count < 0) {
++        /* Integer overflow. In order to overflow integer range with a count
++         * of escapes, somebody must be doing something very strange.
++         */
++        return s;
++      }
+ 
+       /* Be sure to increment the pointer returned by strstr(3), to
+        * advance past the beginning of the substring for which we are
+@@ -674,6 +681,12 @@
+      */
+     if (count) {
+       blen += count * (strlen(r) - strlen(m));
++      if (blen < 0) {
++        /* Integer overflow. In order to overflow this, somebody must be
++         * doing something very strange.
++         */
++        return s;
++      }
+       marr[mlen] = m;
+       rarr[mlen++] = r;
+     }
+@@ -722,10 +735,11 @@
+     }
+ 
+     if (!*mptr) {
+-      if ((cp - pbuf + 1) > blen) {
++      if ((cp - pbuf + 1) >= blen) {
+ 	pr_log_pri(PR_LOG_ERR,
+ 		"WARNING: attempt to overflow internal ProFTPD buffers");
+ 	cp = pbuf + blen - 1;
++	goto done;
+       }
+       *cp++ = *src++;
+     }
+@@ -768,6 +782,9 @@
+ char *sstrcat(char *dest, const char *src, size_t n) {
+   register char *d;
+ 
++  if (n == 0)
++    return NULL;
++
+   for (d = dest; *d && n > 1; d++, n--) ;
+ 
+   while (n-- > 1 && *src)