--- /dev/null
+revision 1.3
+date: 2009/10/10 06:09:31; author: rakesh; state: Exp; lines: +11 -9
+Patch7: ntop-http_c_user.patch for #518264 (CVE-2009-2732)
+----------------------------
+revision 1.2
+date: 2009/08/05 15:25:07; author: rakesh; state: dead; lines: +0 -0
+
+ - Updated to 3.3.10, updated geoip patch
+ - lua_wget patch to prevent wget lua
+ - removed ntop-http_c.patch
+----------------------------
+revision 1.1
+date: 2009/03/17 08:28:30; author: rakesh; state: Exp;
+Fixed world-writable access log (#490561)
+
+--- ntop-3.3.10.org/http.c 2009-09-13 14:23:48.895204786 +0530
++++ ntop-3.3.10/http.c 2009-09-13 14:45:35.603204376 +0530
+@@ -3439,6 +3439,9 @@
+ strncpy(thePw, &outBuffer[i+1], thePwLen-1)[thePwLen-1] = '\0';
+ }
+
++ if(user == NULL)
++ user = "";
++
+ if(strlen(user) >= sizeof(theHttpUser)) user[sizeof(theHttpUser)-1] = '\0';
+ strcpy(theHttpUser, user);
+
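Review bot: The guard added at `if(user == NULL) user = "";` stops the NULL dereference in `strlen(user)`, but it then carries on into the credential handling with an empty user name instead of rejecting the request; if the function's return convention allows it, failing the check at that point would be the tighter fix. The function starts and ends outside the hunk, so this could not be confirmed from here, and neither could whether `thePw` is initialised on the same path. `user` can now point at a string literal while the next unchanged line still truncates in place through `user[sizeof(theHttpUser)-1] = '\0'`; that write is unreachable for `""` only because its length is zero. Replacing the truncate-then-`strcpy` pair with `snprintf(theHttpUser, sizeof(theHttpUser), "%s", user);` would bound the copy without writing through `user`. A comment such as `/* malformed credentials can leave user NULL (CVE-2009-2732) */` above the guard would record why it exists.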
--- /dev/null
+--- ntop-3.2/prefs.c 2005-09-29 10:39:06.000000000 +1200
++++ ntop-3.2/prefs.c.mjk 2006-07-06 17:34:34.000000000 +1200
+@@ -772,8 +772,8 @@
+ /* We're root */
+ char *user;
+
+- pw = getpwnam(user = "nobody");
+- if(pw == NULL) pw = getpwnam(user = "anonymous");
++ pw = getpwnam(user = "ntop");
++ if(pw == NULL) pw = getpwnam(user = "nobody");
+
+ if(pw != NULL) {
+ myGlobals.userId = pw->pw_uid;
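Review bot: The fallback in `if(pw == NULL) pw = getpwnam(user = "nobody");` is silent, so an install without the dedicated `ntop` account runs under the shared `nobody` uid with no indication, and files the daemon writes then share an owner with every other service using that account. A comment above the lookup would record the intent, e.g. `/* prefer the dedicated ntop account; "nobody" is a shared last-resort fallback */`, and a warning log when the fallback is taken would make the weaker isolation visible to the operator. What happens when both lookups fail while running as root is decided in the `if(pw != NULL)` block, which continues outside the hunk and should be checked. Whether the package creates the `ntop` account is not visible on this page.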
# TODO
# - see if it uses system files for ettercap and geoip files we did not package
-# - see if /etc/ntop/oui.txt.gz can be externalized (whatever it is)
+# - see if /etc/ntop/oui.txt.gz can be externalized (ethernet vendor id file),
+# hwdata uses same file for example. url: http://linux.die.net/man/1/get-oui
#
# Conditional build:
%bcond_with mysql # with mysql support
Patch2: %{name}-am.patch
Patch3: %{name}-lua_wget.patch
Patch4: %{name}-geoip.patch
+Patch5: %{name}-http_c.patch
+Patch6: %{name}-running-user.patch
URL: http://www.ntop.org/
BuildRequires: GeoIP-devel
BuildRequires: autoconf
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
+%patch6 -p1
# taken from autogen.sh
cp -f %{_aclocaldir}/libtool.m4 libtool.m4.in