- security fixes for 3.6.2 (from savannah)

Changed files:
    anubis-securityfixes.patch -> 1.1

diff --git a/anubis-securityfixes.patch b/anubis-securityfixes.patch
new file mode 100644 (file)
index 0000000..a40b202
--- /dev/null
+++ b/anubis-securityfixes.patch
@@ -0,0 +1,148 @@
+diff -urN anubis-3.6.2/src/auth.c anubis-3.6.2-fix/src/auth.c
+--- anubis-3.6.2/src/auth.c    Wed Dec  4 22:43:34 2002
++++ anubis-3.6.2-fix/src/auth.c        Wed Feb 25 20:29:40 2004
+@@ -42,6 +42,66 @@
+  IDENT protocol support
+ ************************/
+ 
++#define USERNAME_C "USERID :"
++
++/* If the reply matches sscanf expression
++   
++      "%*[^:]: USERID :%*[^:]:%s"
++
++   and the length of "%s" part does not exceed size-1 bytes,
++   copies this part to USERNAME and returns 0. Otherwise,
++   returns 1 */
++
++static int
++ident_extract_username(char *reply, char *username, size_t size)
++{
++      char *p;
++
++      p = strchr (reply, ':');
++      if (!p)
++              return 1;
++      if (p[1] != ' '
++          || strncmp (p + 2, USERNAME_C, sizeof (USERNAME_C) - 1))
++              return 1;
++      p += 2 + sizeof (USERNAME_C) - 1;
++      p = strchr (p, ':');
++      if (!p)
++              return 1;
++      p++;
++      if (strlen (p) >= size)
++              return 1;
++      strcpy(username, p);
++      return 0;
++}
++
++/* If the reply matches sscanf expression
++
++      "%*[^ ] %*[^ ] %*[^ ] %*[^ ] %*[^ ] %s"
++
++   and the length of "%s" part does not exceed size-1 bytes,
++   copies this part to USERNAME and returns 0. Otherwise,
++   returns 1 */
++
++static int
++crypt_extract_username(char *reply, char *username, size_t size)
++{
++      int i;
++      char *p = reply;
++#define skip_word(c) while (*c && (*c) != ' ') c++
++
++      /* Skip five words */
++      for (i = 0; i < 5; i++) {
++              skip_word(p);
++              if (!*p++)
++                      return 1;
++      }
++      
++      if (strlen (p) >= size)
++              return 1;
++      strcpy(username, p);
++      return 0;
++}
++
+ int
+ auth_ident(struct sockaddr_in *addr, char *user, int size)
+ {
+@@ -51,7 +111,8 @@
+       int sd = 0;
+ 
+       if ((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
+-              anubis_error(SOFT, _("IDENT: socket() failed: %s."), strerror(errno));
++              anubis_error(SOFT, _("IDENT: socket() failed: %s."),
++                           strerror(errno));
+               return 0;
+       }
+       memcpy(&ident, addr, sizeof(ident));
+@@ -69,11 +130,7 @@
+       info(VERBOSE, _("IDENT: connected to %s:%u"),
+       inet_ntoa(ident.sin_addr), ntohs(ident.sin_port));
+ 
+-      #ifdef HAVE_SNPRINTF
+       snprintf(buf, LINEBUFFER,
+-      #else
+-      sprintf(buf,
+-      #endif /* HAVE_SNPRINTF */
+               "%u , %u"CRLF, ntohs(addr->sin_port), session.tunnel_port);
+ 
+       if (send(sd, buf, strlen(buf), 0) == -1) {
+@@ -89,7 +146,8 @@
+       close_socket(sd);
+       memset(user, 0, size);
+ 
+-      if (sscanf(buf, "%*[^:]: USERID :%*[^:]:%s", user) != 1) {
++      remcrlf (buf);
++      if (ident_extract_username(buf, user, size)) {
+               info(VERBOSE, _("IDENT: incorrect data."));
+               return 0;
+       }
+@@ -105,7 +163,8 @@
+               if (rs == -1)
+                       return 0;
+ 
+-              if (sscanf(buf, "%*[^ ] %*[^ ] %*[^ ] %*[^ ] %*[^ ] %s", user) != 1) {
++              remcrlf (buf);
++              if (crypt_extract_username(buf, user, size)) {
+                       info(VERBOSE, _("IDENT: incorrect data (DES deciphered)."));
+                       return 0;
+               }
+diff -urN anubis-3.6.2/src/errs.c anubis-3.6.2-fix/src/errs.c
+--- anubis-3.6.2/src/errs.c    Wed Dec  4 22:42:02 2002
++++ anubis-3.6.2-fix/src/errs.c        Wed Feb 25 20:33:49 2004
+@@ -51,7 +51,7 @@
+                       if (options.slogfile)
+                               filelog(options.slogfile, txt);
+                       else
+-                              syslog(LOG_ERR | LOG_MAIL, txt);
++                              syslog(LOG_ERR | LOG_MAIL, "%s", txt);
+ 
+                       if (options.ulogfile && options.uloglevel >= FAILS)
+                               filelog(options.ulogfile, txt);
+diff -urN anubis-3.6.2/src/log.c anubis-3.6.2-fix/src/log.c
+--- anubis-3.6.2/src/log.c     Wed Dec  4 22:42:26 2002
++++ anubis-3.6.2-fix/src/log.c Wed Feb 25 20:32:30 2004
+@@ -70,7 +70,7 @@
+               if (options.slogfile)
+                       filelog(options.slogfile, txt);
+               else
+-                      syslog(LOG_INFO | LOG_MAIL, txt);
++                      syslog(LOG_INFO | LOG_MAIL, "%s", txt);
+ 
+               if (options.ulogfile && options.uloglevel >= ALL)
+                       filelog(options.ulogfile, txt);
+diff -urN anubis-3.6.2/src/ssl.c anubis-3.6.2-fix/src/ssl.c
+--- anubis-3.6.2/src/ssl.c     Wed Dec  4 22:40:45 2002
++++ anubis-3.6.2-fix/src/ssl.c Wed Feb 25 20:33:28 2004
+@@ -64,7 +64,7 @@
+       if (options.termlevel != SILENT) {
+               #ifdef HAVE_SYSLOG
+               if ((topt & T_DAEMON) && !(topt & T_FOREGROUND))
+-                      syslog(LOG_ERR | LOG_MAIL, string_error);
++                      syslog(LOG_ERR | LOG_MAIL, "%s", string_error);
+               else
+               #endif /* HAVE_SYSLOG */
+                       mprintf(">>%s", string_error);