news/inn: fix plaintext command injection, CVE-2012-3523

Relevant only for INN installations that are using encryption.

PR:		171013
Approved by:	fluffy@FreeBSD.org (maintainer)
Security:	http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html

2 files changed, 62 insertions, 1 deletions

diff --git a/news/inn/Makefile b/news/inn/Makefile
index 0021a40786d..706472cb3f0 100644
--- a/news/inn/Makefile
+++ b/news/inn/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME?=	inn
 PORTVERSION?=	2.5.2
-PORTREVISION?=	1
+PORTREVISION?=	2
 CATEGORIES=	news ipv6
 # Master distribution broken
 #MASTER_SITES?=	${MASTER_SITE_ISC}
diff --git a/news/inn/files/patch-cve-2012-3523-minimal b/news/inn/files/patch-cve-2012-3523-minimal
new file mode 100644
index 00000000000..3d166378a7a
--- /dev/null
+++ b/news/inn/files/patch-cve-2012-3523-minimal
@@ -0,0 +1,61 @@
+Fixes CVE-2012-3523.  This is a stripped down version of 2.5.2 -> 2.5.3
+patch that adds line_reset() to the relevant places.
+
+Obtained-from: ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz
+diff -Nurp inn-2.5.2/nnrpd/line.c inn-2.5.3/nnrpd/line.c
+--- nnrpd/line.c	2010-03-24 13:10:36.000000000 -0700
++++ nnrpd/line.c	2012-06-15 11:25:36.000000000 -0700
+@@ -66,6 +66,17 @@ line_init(struct line *line)
+     line->remaining = 0;
+ }
+ 
++/*
++**  Reset a line structure.
++*/
++void
++line_reset(struct line *line)
++{
++    assert(line);
++    line->where = line->start;
++    line->remaining = 0;
++}
++
+ /*
+ **  Timeout is used only if HAVE_SSL is defined.
+ */
+diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c
+--- nnrpd/misc.c	2010-03-24 13:10:36.000000000 -0700
++++ nnrpd/misc.c	2012-06-15 11:25:36.000000000 -0700
+@@ -518,5 +518,8 @@ CMDstarttls(int ac UNUSED, char *av[] UN
+         GRPcount = 0;
+         PERMgroupmadeinvalid = false;
+     }
++
++    /* Reset our read buffer so as to prevent plaintext command injection. */
++    line_reset(&NNTPline);
+ }
+ #endif /* HAVE_SSL */
+diff -Nurp inn-2.5.2/nnrpd/nnrpd.h inn-2.5.3/nnrpd/nnrpd.h
+--- nnrpd/nnrpd.h	2010-03-24 13:10:36.000000000 -0700
++++ nnrpd/nnrpd.h	2012-06-15 11:25:36.000000000 -0700
+@@ -292,6 +292,7 @@ void PY_dynamic_init (char* file);
+ 
+ void line_free(struct line *);
+ void line_init(struct line *);
++void line_reset(struct line *);
+ READTYPE line_read(struct line *, int, const char **, size_t *, size_t *);
+ 
+ #ifdef HAVE_SASL
+diff -Nurp inn-2.5.2/nnrpd/sasl.c inn-2.5.3/nnrpd/sasl.c
+--- nnrpd/sasl.c	2010-03-24 13:10:36.000000000 -0700
++++ nnrpd/sasl.c	2012-06-15 11:25:36.000000000 -0700
+@@ -326,6 +326,9 @@ SASLauth(int ac, char *av[])
+                 GRPcount = 0;
+                 PERMgroupmadeinvalid = false;
+             }
++
++            /* Reset our read buffer so as to prevent plaintext command injection. */
++            line_reset(&NNTPline);
+         }
+     } else {
+ 	/* Failure. */