rpms/squidGuard/devel squidGuard-1.2.1-SG-2008-06-13.patch, NONE, 1.1 squidGuard.spec, 1.10, 1.11
Jon Ciesla
limb at fedoraproject.org
Thu Feb 12 14:33:54 UTC 2009
Author: limb
Update of /cvs/pkgs/rpms/squidGuard/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28381/devel
Modified Files:
squidGuard.spec
Added Files:
squidGuard-1.2.1-SG-2008-06-13.patch
Log Message:
Patch for SG-2008-06-13.
squidGuard-1.2.1-SG-2008-06-13.patch:
--- NEW FILE squidGuard-1.2.1-SG-2008-06-13.patch ---
--- src/sgDiv.c.orig 2009-02-12 07:31:57.000000000 -0600
+++ src/sgDiv.c 2008-06-13 11:52:17.000000000 -0500
@@ -94,6 +94,9 @@
{
char *p, *d = NULL, *a = NULL, *e = NULL, *o, *field;
int i = 0;
+ int report_once = 1;
+ int trailingdot = 0;
+ size_t strsz;
char c;
int ndx = 0;
@@ -126,22 +129,38 @@
*/
/* Fix for multiple slash vulnerability (bug1). */
/* Check if there are still two or more slashes in sequence which must not happen */
- int report_once = 1;
+ strsz = strlen(p);
- /* loop thru the string 'p' until the char '?' is hit */
+ /* loop thru the string 'p' until the char '?' is hit or the "end" is hit */
while('?' != p[ndx] && '\0' != p[ndx])
{
- /* if this char and the next char are slashes,
- then shift the rest of the string left one char */
- if('/' == p[ndx] && '/' == p[ndx+1])
- {
- size_t sz = strlen(p+ndx+1);
- strncpy(p+ndx,p+ndx+1, sz);
- p[ndx+sz] = '\0';
- if(1 == report_once) {
- sgLogError("Warning: Possible bypass attempt. Found multiple slashes where only one is expected: %s", s->orig);
- report_once--;
+ /* in case this is a '://' skip over it, but try to not read past EOS */
+ if(3 <= strsz-ndx) {
+ if(':' == p[ndx] && '/' == p[ndx+1] && '/' == p[ndx+2]) {
+ ndx+=3; /* 3 == strlen("://"); */
+ }
}
+
+ /* if this char and the next char are slashes,
+ * then shift the rest of the string left one char */
+ if('/' == p[ndx] && '/' == p[ndx+1]) {
+ size_t sz = strlen(p+ndx+1);
+ strncpy(p+ndx,p+ndx+1, sz);
+ p[ndx+sz] = '\0';
+ if(1 == report_once) {
+ sgLogError("Warning: Possible bypass attempt. Found multiple slashes where only one is expected: %s", s->orig);
+ report_once--;
+ }
+ }
+ else if ('.' == p[ndx] && '/' == p[ndx+1] && trailingdot == 0) {
+ /* If the domain has trailing dot, remove (problem found with squid 3.0 stable1-5) the trailing dot (fixes bug 38). */
+ /* if this char is a dot and the next char is a slash, then shift the rest of the string left one char */
+ /* We do this only the first time it is encountered. */
+ trailingdot++;
+ size_t sz = strlen(p+ndx+1);
+ strncpy(p+ndx,p+ndx+1, sz);
+ p[ndx+sz] = '\0';
+ sgLogError("Warning: Possible bypass attempt. Found a trailing dot in the domain name: %s", s->orig);
}
else
{
@@ -537,13 +556,13 @@
#endif
{
struct sgRegExp *re;
- regmatch_t pm[10];
+ regmatch_t pm;
static char newstring[MAX_BUF];
char *result = NULL, *p;
int substlen;
*newstring='\0';
for(re = regexp; re != NULL; re = re->next){
- if (regexec (re->compiled, pattern, sizeof(pm) / sizeof(pm[0]), pm, 0) != 0){
+ if (regexec (re->compiled, pattern, 1, &pm, 0) != 0){
result = NULL;
} else {
substlen = strlen(re->substitute);
@@ -553,65 +572,14 @@
*newstring = '\0';
p = newstring;
do {
- if((p - newstring)+ pm[0].rm_so >= MAX_BUF)
+ if((p - newstring)+ pm.rm_so >= MAX_BUF)
break;
- p = strncat(newstring,pattern,pm[0].rm_so);
- {
- char *p_cur;
- char *p_next;
-
- for (p_next = p_cur = re->substitute;
- p_next < (re->substitute + substlen);
- p_next++)
- {
- if (*p_next == '\\')
- {
- if (p_cur < p_next)
- {
- if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)
- goto err;
- p = strncat(newstring, p_cur, p_next - p_cur);
- }
- p_next++;
- if (p_next < (re->substitute + substlen)
- && '0' <= *p_next && *p_next <= '9')
- {
- int i = *p_next - '0';
- if ((p - newstring) + (pm[i].rm_eo - pm[i].rm_so) >= MAX_BUF)
- goto err;
- p = strncat(newstring, pattern + pm[i].rm_so, pm[i].rm_eo - pm[i].rm_so);
- }
- else
- {
- if ((p - newstring + 1) >= MAX_BUF)
- goto err;
- p = strncat(newstring, p_next, 1);
- }
- p_cur = p_next + 1;
- }
- else if (*p_next == '&')
- {
- if (p_cur < p_next)
- {
- if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)
- goto err;
- p = strncat(newstring, p_cur, p_next - p_cur);
- }
- if (((p - newstring) + (pm[0].rm_eo - pm[0].rm_so)) >= MAX_BUF)
- goto err;
- p = strncat(newstring, pattern + pm[0].rm_so, pm[0].rm_eo - pm[0].rm_so);
- p_cur = p_next + 1;
- }
- }
- if (p_cur < p_next)
- {
- if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)
- goto err;
- p = strncat(newstring, p_cur, p_next - p_cur);
- }
- }
- pattern = pattern + pm[0].rm_eo;
- } while(regexec (re->compiled, pattern, sizeof(pm) / sizeof(pm[0]), pm, REG_NOTBOL)== 0 &&
+ p = strncat(newstring,pattern,pm.rm_so);
+ if((p - newstring)+ substlen >= MAX_BUF)
+ break;
+ p = strcat(newstring,re->substitute);
+ pattern = pattern + pm.rm_eo;
+ } while(regexec (re->compiled, pattern, 1, &pm, REG_NOTBOL)== 0 &&
re->global);
if((p - newstring)+ strlen(pattern) <= MAX_BUF)
p = strcat(newstring,pattern);
@@ -619,7 +587,6 @@
break;
}
}
-err:
return result;
}
Index: squidGuard.spec
===================================================================
RCS file: /cvs/pkgs/rpms/squidGuard/devel/squidGuard.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- squidGuard.spec 12 Feb 2009 13:49:14 -0000 1.10
+++ squidGuard.spec 12 Feb 2009 14:33:23 -0000 1.11
@@ -7,7 +7,7 @@
Name: squidGuard
Version: 1.2.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Filter, redirector and access controller plugin for squid
Group: System Environment/Daemons
@@ -34,6 +34,7 @@
Patch3: squidGuard-perlwarning.patch
Patch4: squidGuard-sed.patch
Patch5: squidGuard-makeinstall.patch
+Patch6: squidGuard-1.2.1-SG-2008-06-13.patch
URL: http://www.squidguard.org/
@@ -76,6 +77,7 @@
%patch3 -p2
%patch4 -p1
%patch5 -p1
+%patch6 -p0
%{__cp} %{SOURCE100} ./squidGuard.conf.k12ltsp.template
%{__cp} %{SOURCE101} ./update_squidguard_blacklists.k12ltsp.sh
@@ -182,7 +184,10 @@
%changelog
* Wed Feb 11 2009 Jon Ciesla <limb at jcomserv.net> - 1.2.1-1
-- Update to 1.2.1, fix sg-2008-06-13 BZ 245377, 452467.
+- Fix sg-2008-06-13, BZ 452467.
+
+* Wed Feb 11 2009 Jon Ciesla <limb at jcomserv.net> - 1.2.1-1
+- Update to 1.2.1, BZ 245377.
- Dropped upstream patch.
- Updated blacklists.
More information about the scm-commits
mailing list