packages: tpop3d/tpop3d.spec, tpop3d/tpop3d-bug-33413.patch (NEW)=?UTF-8?Q?=20?=- rel 11; ...
arekm
arekm at pld-linux.org
Sun Feb 12 08:52:36 CET 2012
Author: arekm Date: Sun Feb 12 07:52:36 2012 GMT
Module: packages Tag: HEAD
---- Log message:
- rel 11; fix remote dos
---- Files affected:
packages/tpop3d:
tpop3d.spec (1.104 -> 1.105) , tpop3d-bug-33413.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: packages/tpop3d/tpop3d.spec
diff -u packages/tpop3d/tpop3d.spec:1.104 packages/tpop3d/tpop3d.spec:1.105
--- packages/tpop3d/tpop3d.spec:1.104 Fri May 27 13:40:27 2011
+++ packages/tpop3d/tpop3d.spec Sun Feb 12 08:52:31 2012
@@ -17,7 +17,7 @@
Summary(pl.UTF-8): Serwer POP3
Name: tpop3d
Version: 1.5.5
-Release: 10
+Release: 11
License: GPL
Group: Networking/Daemons/POP3
Source0: http://download.savannah.nongnu.org/releases/tpop3d/%{name}-%{version}.tar.gz
@@ -30,6 +30,7 @@
Patch2: %{name}-sql-getpwuid-optional.patch
Patch3: %{name}-lib.patch
Patch4: %{name}-ssl-chain.patch
+Patch5: %{name}-bug-33413.patch
URL: https://savannah.nongnu.org/projects/tpop3d
BuildRequires: autoconf
BuildRequires: automake
@@ -119,6 +120,7 @@
%endif
%patch3 -p1
%patch4 -p1
+%patch5 -p1
%build
%{__aclocal}
@@ -188,6 +190,9 @@
All persons listed below can be reached at <cvs_login>@pld-linux.org
$Log$
+Revision 1.105 2012/02/12 07:52:31 arekm
+- rel 11; fix remote dos
+
Revision 1.104 2011/05/27 11:40:27 arekm
- rel 10; load cert chain and not only one cert
================================================================
Index: packages/tpop3d/tpop3d-bug-33413.patch
diff -u /dev/null packages/tpop3d/tpop3d-bug-33413.patch:1.1
--- /dev/null Sun Feb 12 08:52:36 2012
+++ packages/tpop3d/tpop3d-bug-33413.patch Sun Feb 12 08:52:31 2012
@@ -0,0 +1,108 @@
+commit ae0c8b3372ca10718c68f767944cbce3928573d7
+Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
+Date: Sun Feb 12 08:22:44 2012 +0100
+
+ buffer_consume_to_mark: simplify to avoid accessing unallocated memory
+
+ buffer_consume_to_mark() was trying to use Boyer-Moore search to find
+ specified mark string but implementation was walking through unallocated
+ mamory.
+
+ tpop3d only use case is to look for single character mark, so simplify
+ code for our use case.
+
+ Fixes bug #33413.
+
+diff --git a/buffer.c b/buffer.c
+index 280a01e..5824856 100644
+--- a/buffer.c
++++ b/buffer.c
+@@ -136,46 +136,36 @@ char *buffer_consume_all(buffer B, char *str, size_t *slen) {
+ return str;
+ }
+
+-/* buffer_consume_to_mark BUFFER MARK MLEN STR SLEN
+- * Consume data from BUFFER up to and including MARK of length MLEN, returning
++/* buffer_consume_to_mark BUFFER MARK STR SLEN
++ * Consume data from BUFFER up to and including single character MARK, returning
+ * a pointer to a string allocated with malloc(3) or NULL if the mark was not
+ * found. The number of bytes consumed is recorded in SLEN. If STR is not
+ * NULL, it must point to a buffer of length at least *SLEN allocated with
+ * malloc(3); this buffer will be used as is if the returned string is small
+ * enough, or reallocated with realloc(3) otherwise. The returned string is
+- * null-terminated.
+- *
+- * This uses a Boyer-Moore search, but we can't just reuse memstr because we
+- * may have to search across the end of the buffer. */
+-char *buffer_consume_to_mark(buffer B, const char *mark, const size_t mlen, char *str, size_t *slen) {
+- size_t skip[256], a;
++ * null-terminated. */
++char *buffer_consume_to_mark(buffer B, const char *mark, char *str, size_t *slen) {
++ size_t a;
+ int k;
+
+ assert(B);
+- assert(mlen > 0 && mlen <= (size_t)INT_MAX);
+
+- if ((a = buffer_available(B)) < mlen) return NULL;
++ if ((a = buffer_available(B)) < 1) return NULL;
+
+ assert(a <= (size_t)INT_MAX);
+
+- /* Oh dear. Should special-case the mlen == 1 case, since it's the only
+- * one we use.... */
+- for (k = 0; k < 256; ++k) skip[k] = mlen;
+- for (k = 0; k < (int)mlen - 1; ++k) skip[(unsigned char)mark[k]] = mlen - k - 1;
+-
+- for (k = (int)mlen - 1; k < (int)a; k += skip[(unsigned char)mark[k]]) {
+- int i, j;
+- for (j = (int)mlen - 1, i = k; j >= 0 && B->buf[(B->get + i) % B->len] == mark[j]; j--) i--;
+- if (j == -1) {
+- /* Have found the mark at location i + 1. */
+- i += 1 + mlen; /* account for mark and terminating null */
+- if (!str || *slen < (size_t)i + 1)
+- str = xrealloc(str, (size_t)i + 1);
+- *slen = (size_t)i + 1;
+- for (j = 0; j < i; ++j)
++ for (k = 0; k < (int)a; k++) {
++ if (B->buf[(B->get + k) % B->len] == mark[0]) {
++ int j, len;
++ /* Have found the mark at location k. */
++ len = k + 1; /* string length */
++ if (!str || *slen < (size_t)len + 1)
++ str = xrealloc(str, (size_t)len + 1);
++ *slen = (size_t)len + 1;
++ for (j = 0; j < len; j++)
+ str[j] = B->buf[(B->get + j) % B->len];
+ str[j] = 0;
+- B->get = (B->get + i) % B->len;
++ B->get = (B->get + len) % B->len;
+ return str;
+ }
+ }
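Review bot: The rewritten buffer_consume_to_mark still takes `const char *mark` but compares only against `mark[0]`, so the single-character contract lives in the header comment alone and the removed `assert(mlen > 0 && ...)` has no replacement; a caller passing a longer mark such as "\r\n" would silently match on the first byte. Either change the parameter to `char mark`, or add `assert(mark && mark[0] != '\0' && mark[1] == '\0');` next to `assert(B);`. Separately, `k`, `j` and `len` are `int`, and the bound on `a` is only `assert(a <= (size_t)INT_MAX)`, which disappears under NDEBUG; declaring them `size_t` would remove the `(int)a` cast and the dependence on that assert. The header comment also says SLEN records the number of bytes consumed, while the code stores `(size_t)len + 1`, which includes the terminating NUL, so the comment should say that. The function body continues past the end of this hunk, so the not-found return path is not visible here.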
+diff --git a/buffer.h b/buffer.h
+index d8c7278..52c4378 100644
+--- a/buffer.h
++++ b/buffer.h
+@@ -41,7 +41,7 @@ void buffer_make_contiguous(buffer B);
+ char *buffer_get_consume_ptr(buffer B, size_t *slen);
+ void buffer_consume_bytes(buffer B, const size_t num);
+ char *buffer_consume_all(buffer B, char *str, size_t *slen);
+-char *buffer_consume_to_mark(buffer B, const char *mark, const size_t mlen, char *str, size_t *slen);
++char *buffer_consume_to_mark(buffer B, const char *mark, char *str, size_t *slen);
+ void buffer_expand(buffer B, const size_t num);
+ void buffer_push_data(buffer B, const char *data, const size_t dlen);
+ char *buffer_get_push_ptr(buffer B, size_t *len);
+diff --git a/connection.c b/connection.c
+index f552cb9..cfe3a24 100644
+--- a/connection.c
++++ b/connection.c
+@@ -316,7 +316,7 @@ pop3command connection_parsecommand(connection c) {
+ * latter case we must be careful not to interpret command1\ncommand2\r\n
+ * as a single command. So always use \n as the line ending and strip off
+ * any trailing \r. */
+- if (!(p = buffer_consume_to_mark(c->rdb, "\n", 1, line, &llen)))
++ if (!(p = buffer_consume_to_mark(c->rdb, "\n", line, &llen)))
+ return NULL;
+ else
+ line = p;
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/tpop3d/tpop3d.spec?r1=1.104&r2=1.105&f=u