author | miwi <miwi@FreeBSD.org> | 2009-01-12 03:42:13 +0800 |
---|---|---|
committer | miwi <miwi@FreeBSD.org> | 2009-01-12 03:42:13 +0800 |
commit | 83a6844c3bdb54d46fcd9260277c9d89e9a7e46e (patch) | |
tree | 7eb33c873a760e8d5ceafe35dd1acb7b37f5fd00 /net-p2p | |
parent | f226dc7ff9726058c3988371d64c6d74ff8b1abd (diff) | |
- Fix insecure temporary file usage and arbitrary command execution
PR: 129981 (based on)
Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Approved by: maintainer
Diffstat (limited to 'net-p2p')
-rw-r--r-- | net-p2p/verlihub/Makefile | 5 | ||||
-rw-r--r-- | net-p2p/verlihub/files/patch-CVE-2008-5706 | 82 |
2 files changed, 84 insertions, 3 deletions
diff --git a/net-p2p/verlihub/Makefile b/net-p2p/verlihub/Makefile index 7d5091d15a9a..009cd1f04384 100644 --- a/net-p2p/verlihub/Makefile +++ b/net-p2p/verlihub/Makefile @@ -7,11 +7,10 @@ PORTNAME= verlihub DISTVERSION= 0.9.8d-RC2 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= net-p2p -MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} -MASTER_SITE_SUBDIR= ${PORTNAME} +MASTER_SITES= SF MAINTAINER= skylord@vt.net.ru COMMENT= A Direct Connect protocol server (Hub) diff --git a/net-p2p/verlihub/files/patch-CVE-2008-5706 b/net-p2p/verlihub/files/patch-CVE-2008-5706 new file mode 100644 index 000000000000..61dc4ca9bef6 --- /dev/null +++ b/net-p2p/verlihub/files/patch-CVE-2008-5706 
@@ -0,0 +1,82 @@ +--- src/ctrigger.cpp.orig 2005-04-11 19:18:38.000000000 +0400 ++++ src/ctrigger.cpp 2008-12-27 23:28:14.000000000 +0300 +@@ -7,6 +7,9 @@ + * the Free Software Foundation; either version 2 of the License, or * + * (at your option) any later version. * + ***************************************************************************/ ++#include <errno.h> ++#include <stdio.h> ++#include <string.h> + #include "cserverdc.h" + #include "ctrigger.h" + #include "cconndc.h" +@@ -44,16 +47,33 @@ + { + string buf, filename, sender; + string par1, end1, parall; ++ string cmdl; ++ + if (conn && conn->mpUser) + { ++ cmd_line >> cmdl; ++ /* Sanitise user input if we're going to exec anything */ ++ if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) { ++ string cleaned = string(); ++ const string toclean = string(";\"'\\`:!${}[]&><|~/"); ++ ++ for (string::iterator i = cmdl.begin(); ++ i < cmdl.end(); ++ i++) { ++ if (toclean.find(*i) == string::npos) ++ cleaned.append(1, *i); ++ } ++ cmdl = cleaned; ++ } ++ + int uclass = conn->mpUser->mClass; + if ((uclass >= this->mMinClass) &&(uclass <= this->mMaxClass)) { + +- if(cmd_line.str().size() > mCommand.size()) { +- parall.assign(cmd_line.str(),mCommand.size()+1,string::npos); ++ if(cmdl.size() > mCommand.size()) { ++ parall.assign(cmdl,mCommand.size()+1,string::npos); + } +- cmd_line >> par1; +- end1 = cmd_line.str(); ++ par1 = cmdl; ++ end1 = cmdl; + + sender = server.mC.hub_security; + if (mSendAs.size()) sender = mSendAs; +@@ -104,14 +124,25 @@ + + if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) { + string command(buf); +- filename = server.mConfigBaseDir; +- filename.append("/tmp/trigger.tmp"); +- command.append(" > "); +- command.append(filename); ++ char buffer[1024]; ++ FILE *stream; ++ + cout << command << endl; +- system(command.c_str()); + buf = ""; +- if (!LoadFileInString(filename,buf)) return 0; ++ stream = popen(command.c_str(), "r"); ++ if (stream == NULL) { ++ cout << strerror(errno) << 
std::endl; ++ return 0; ++ } else { ++ while (fgets(buffer, sizeof(buffer), ++ stream) != NULL) ++ buf.append(buffer); ++ if (pclose(stream) == -1) { ++ cout << strerror(errno) << ++ std::endl; ++ return 0; ++ } ++ } + } + + // @CHANGED by dReiska +BEGINS+ |
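Review bot: The sanitising loop in the first ctrigger.cpp hunk is a denylist (`toclean`), and the cleaned text is still passed through the shell by `popen()` in the last hunk, so any shell-significant character missing from the list keeps its meaning; the list has no entry for `*`, `?`, `(`, `)`, `#` or a leading `-`. An allowlist is easier to reason about, for example `if (isalnum((unsigned char)*i) || *i == '_' || *i == '.') cleaned.append(1, *i);` with `<ctype.h>` included, adjusted to whatever characters trigger arguments legitimately need. Separately, `cmd_line >> cmdl` extracts a single whitespace-delimited token, so `parall`, `par1` and `end1` are now derived from that token rather than from `cmd_line.str()`; this appears to change what those variables hold even for triggers that never execute anything, and should be confirmed as intended. The function containing both hunks starts and ends outside the patch.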