- two more patches from fc

Changed files:
    ntop-http_c.patch -> 1.1
    ntop-running-user.patch -> 1.1
    ntop.spec -> 1.86

diff --git a/ntop-http_c.patch b/ntop-http_c.patch
new file mode 100644 (file)
index 0000000..3596067
--- /dev/null
+++ b/ntop-http_c.patch
@@ -0,0 +1,27 @@
+revision 1.3
+date: 2009/10/10 06:09:31;  author: rakesh;  state: Exp;  lines: +11 -9
+Patch7: ntop-http_c_user.patch for #518264 (CVE-2009-2732)
+----------------------------
+revision 1.2
+date: 2009/08/05 15:25:07;  author: rakesh;  state: dead;  lines: +0 -0
+
+ - Updated to 3.3.10, updated geoip patch
+ - lua_wget patch to prevent wget lua
+ - removed ntop-http_c.patch
+----------------------------
+revision 1.1
+date: 2009/03/17 08:28:30;  author: rakesh;  state: Exp;
+Fixed world-writable access log (#490561)
+
+--- ntop-3.3.10.org/http.c     2009-09-13 14:23:48.895204786 +0530
++++ ntop-3.3.10/http.c 2009-09-13 14:45:35.603204376 +0530
+@@ -3439,6 +3439,9 @@
+     strncpy(thePw, &outBuffer[i+1], thePwLen-1)[thePwLen-1] = '\0';
+   }
+ 
++  if(user == NULL)
++    user = "";
++
+   if(strlen(user) >= sizeof(theHttpUser)) user[sizeof(theHttpUser)-1] = '\0';
+   strcpy(theHttpUser, user);
+ 

diff --git a/ntop-running-user.patch b/ntop-running-user.patch
new file mode 100644 (file)
index 0000000..a60f10d
--- /dev/null
+++ b/ntop-running-user.patch
@@ -0,0 +1,13 @@
+--- ntop-3.2/prefs.c   2005-09-29 10:39:06.000000000 +1200
++++ ntop-3.2/prefs.c.mjk       2006-07-06 17:34:34.000000000 +1200
+@@ -772,8 +772,8 @@
+       /* We're root */
+       char *user;
+ 
+-      pw = getpwnam(user = "nobody");
+-      if(pw == NULL) pw = getpwnam(user = "anonymous");
++      pw = getpwnam(user = "ntop");
++      if(pw == NULL) pw = getpwnam(user = "nobody");
+ 
+       if(pw != NULL) {
+       myGlobals.userId  = pw->pw_uid;

diff --git a/ntop.spec b/ntop.spec
index 8b2b57f2cf986e72a4f18905b14b18204bfc83e6..7bcef49848e06a543bdba698f81615730882bece 100644 (file)
--- a/ntop.spec
+++ b/ntop.spec
@@ -1,6 +1,7 @@
 # TODO
 # - see if it uses system files for ettercap and geoip files we did not package
-# - see if /etc/ntop/oui.txt.gz can be externalized (whatever it is)
+# - see if /etc/ntop/oui.txt.gz can be externalized (ethernet vendor id file),
+#   hwdata uses same file for example. url: http://linux.die.net/man/1/get-oui
 #
 # Conditional build:
 %bcond_with    mysql   # with mysql support
@@ -21,6 +22,8 @@ Patch1:               %{name}-config.patch
 Patch2:                %{name}-am.patch
 Patch3:                %{name}-lua_wget.patch
 Patch4:                %{name}-geoip.patch
+Patch5:                %{name}-http_c.patch
+Patch6:                %{name}-running-user.patch
 URL:           http://www.ntop.org/
 BuildRequires: GeoIP-devel
 BuildRequires: autoconf
@@ -77,6 +80,8 @@ robi to popularna uniksowa komenda top.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 
 # taken from autogen.sh
 cp -f %{_aclocaldir}/libtool.m4 libtool.m4.in