From bd7926b22ea691dd40c5b532f1872b555b499aae Mon Sep 17 00:00:00 2001
From: Jakub Bogusz
Date: Sat, 28 Feb 2004 15:37:17 +0000
Subject: [PATCH] - security fixes for 3.6.2 (from savannah) Changed files: anubis-securityfixes.patch -> 1.1
---
anubis-securityfixes.patch | 148 +++++++++++++++++++++++++++++++++++++
1 file changed, 148 insertions(+)
create mode 100644 anubis-securityfixes.patch
diff --git a/anubis-securityfixes.patch b/anubis-securityfixes.patch
new file mode 100644
index 0000000..a40b202
--- /dev/null
+++ b/anubis-securityfixes.patch
@@ -0,0 +1,148 @@ +diff -urN anubis-3.6.2/src/auth.c anubis-3.6.2-fix/src/auth.c +--- anubis-3.6.2/src/auth.c Wed Dec 4 22:43:34 2002 ++++ anubis-3.6.2-fix/src/auth.c Wed Feb 25 20:29:40 2004 +@@ -42,6 +42,66 @@ + IDENT protocol support + ************************/ + ++#define USERNAME_C "USERID :" ++ ++/* If the reply matches sscanf expression ++ ++ "%*[^:]: USERID :%*[^:]:%s" ++ ++ and the length of "%s" part does not exceed size-1 bytes, ++ copies this part to USERNAME and returns 0. Otherwise, ++ returns 1 */ ++ ++static int ++ident_extract_username(char *reply, char *username, size_t size) ++{ ++ char *p; ++ ++ p = strchr (reply, ':'); ++ if (!p) ++ return 1; ++ if (p[1] != ' ' ++ || strncmp (p + 2, USERNAME_C, sizeof (USERNAME_C) - 1)) ++ return 1; ++ p += 2 + sizeof (USERNAME_C) - 1; ++ p = strchr (p, ':'); ++ if (!p) ++ return 1; ++ p++; ++ if (strlen (p) >= size) ++ return 1; ++ strcpy(username, p); ++ return 0; ++} ++ ++/* If the reply matches sscanf expression ++ ++ "%*[^ ] %*[^ ] %*[^ ] %*[^ ] %*[^ ] %s" ++ ++ and the length of "%s" part does not exceed size-1 bytes, ++ copies this part to USERNAME and returns 0. 
Otherwise, ++ returns 1 */ ++ ++static int ++crypt_extract_username(char *reply, char *username, size_t size) ++{ ++ int i; ++ char *p = reply; ++#define skip_word(c) while (*c && (*c) != ' ') c++ ++ ++ /* Skip five words */ ++ for (i = 0; i < 5; i++) { ++ skip_word(p); ++ if (!*p++) ++ return 1; ++ } ++ ++ if (strlen (p) >= size) ++ return 1; ++ strcpy(username, p); ++ return 0; ++} ++ + int + auth_ident(struct sockaddr_in *addr, char *user, int size) + { +@@ -51,7 +111,8 @@ + int sd = 0; + + if ((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { +- anubis_error(SOFT, _("IDENT: socket() failed: %s."), strerror(errno)); ++ anubis_error(SOFT, _("IDENT: socket() failed: %s."), ++ strerror(errno)); + return 0; + } + memcpy(&ident, addr, sizeof(ident)); +@@ -69,11 +130,7 @@ + info(VERBOSE, _("IDENT: connected to %s:%u"), + inet_ntoa(ident.sin_addr), ntohs(ident.sin_port)); + +- #ifdef HAVE_SNPRINTF + snprintf(buf, LINEBUFFER, +- #else +- sprintf(buf, +- #endif /* HAVE_SNPRINTF */ + "%u , %u"CRLF, ntohs(addr->sin_port), session.tunnel_port); + + if (send(sd, buf, strlen(buf), 0) == -1) { +@@ -89,7 +146,8 @@ + close_socket(sd); + memset(user, 0, size); + +- if (sscanf(buf, "%*[^:]: USERID :%*[^:]:%s", user) != 1) { ++ remcrlf (buf); ++ if (ident_extract_username(buf, user, size)) { + info(VERBOSE, _("IDENT: incorrect data.")); + return 0; + } +@@ -105,7 +163,8 @@ + if (rs == -1) + return 0; + +- if (sscanf(buf, "%*[^ ] %*[^ ] %*[^ ] %*[^ ] %*[^ ] %s", user) != 1) { ++ remcrlf (buf); ++ if (crypt_extract_username(buf, user, size)) { + info(VERBOSE, _("IDENT: incorrect data (DES deciphered).")); + return 0; + } +diff -urN anubis-3.6.2/src/errs.c anubis-3.6.2-fix/src/errs.c +--- anubis-3.6.2/src/errs.c Wed Dec 4 22:42:02 2002 ++++ anubis-3.6.2-fix/src/errs.c Wed Feb 25 20:33:49 2004 +@@ -51,7 +51,7 @@ + if (options.slogfile) + filelog(options.slogfile, txt); + else +- syslog(LOG_ERR | LOG_MAIL, txt); ++ syslog(LOG_ERR | LOG_MAIL, "%s", txt); + + if (options.ulogfile && 
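Review bot: Both new helpers in the `@@ -42,6 +42,66 @@` hunk copy everything after the matched prefix, whereas the `%s` their comments cite skips leading whitespace, stops at the next whitespace and fails on an empty field. In `ident_extract_username` a reply with a space after the last colon therefore yields a username with a leading space, and an empty user field returns 0 with `username` set to an empty string; `crypt_extract_username` ends the same way and also treats every single space as a word break, so a doubled space shifts the five-word count. How `user` is consumed is outside this hunk, but if it is compared with account names these differences change the outcome of the check. I would restore the token semantics before the length test, as in the sketch below for the first helper (the second needs the same tail). Separately, `skip_word` stays defined for the rest of the file and dereferences its argument unparenthesized, so add `#undef skip_word` after the loop or turn it into a static function.

```c
static int
ident_extract_username(char *reply, char *username, size_t size)
{
  char *p;
  size_t len;

  /* … unchanged: locate ": USERID :" and the colon that follows it … */
  p++;
  /* Same token rules as %s: skip blanks, take one word, reject an empty one */
  p += strspn (p, " \t");
  len = strcspn (p, " \t");
  if (len == 0 || len >= size)
    return 1;
  memcpy (username, p, len);
  username[len] = '\0';
  return 0;
}
```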
options.uloglevel >= FAILS) + filelog(options.ulogfile, txt); +diff -urN anubis-3.6.2/src/log.c anubis-3.6.2-fix/src/log.c +--- anubis-3.6.2/src/log.c Wed Dec 4 22:42:26 2002 ++++ anubis-3.6.2-fix/src/log.c Wed Feb 25 20:32:30 2004 +@@ -70,7 +70,7 @@ + if (options.slogfile) + filelog(options.slogfile, txt); + else +- syslog(LOG_INFO | LOG_MAIL, txt); ++ syslog(LOG_INFO | LOG_MAIL, "%s", txt); + + if (options.ulogfile && options.uloglevel >= ALL) + filelog(options.ulogfile, txt); +diff -urN anubis-3.6.2/src/ssl.c anubis-3.6.2-fix/src/ssl.c +--- anubis-3.6.2/src/ssl.c Wed Dec 4 22:40:45 2002 ++++ anubis-3.6.2-fix/src/ssl.c Wed Feb 25 20:33:28 2004 +@@ -64,7 +64,7 @@ + if (options.termlevel != SILENT) { + #ifdef HAVE_SYSLOG + if ((topt & T_DAEMON) && !(topt & T_FOREGROUND)) +- syslog(LOG_ERR | LOG_MAIL, string_error); ++ syslog(LOG_ERR | LOG_MAIL, "%s", string_error); + else + #endif /* HAVE_SYSLOG */ + mprintf(">>%s", string_error); -- 2.44.0
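Review bot: The `filelog(options.slogfile, txt)` and `filelog(options.ulogfile, txt)` calls next to the fixed `syslog` line still receive the same `txt` unchanged, in the `src/errs.c` hunk and again in the `src/log.c` hunk. `filelog` is defined outside this patch, so confirm that it writes its second argument as data and does not use it as a printf-style format; if it does format it, it needs the same `"%s"` treatment that `syslog` gets here. The enclosing functions start and end outside these hunks, so other logging calls in them could not be checked from this page.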