rpms/squidGuard/EL-5 squidGuard-1.2.1-SG-2008-06-13.patch, NONE, 1.1 squidGuard-1.3-SG-2008-06-13.patch, NONE, 1.1 squidGuard-1.4-20091015.patch, NONE, 1.1 squidGuard-1.4-20091019.patch, NONE, 1.1

Jon Ciesla limb at fedoraproject.org
Tue Oct 27 12:30:21 UTC 2009


Author: limb

Update of /cvs/pkgs/rpms/squidGuard/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31614

Added Files:
	squidGuard-1.2.1-SG-2008-06-13.patch 
	squidGuard-1.3-SG-2008-06-13.patch 
	squidGuard-1.4-20091015.patch squidGuard-1.4-20091019.patch 
Log Message:
Patches.


squidGuard-1.2.1-SG-2008-06-13.patch:
 sgDiv.c |  113 ++++++++++++++++++++++------------------------------------------
 1 file changed, 40 insertions(+), 73 deletions(-)

--- NEW FILE squidGuard-1.2.1-SG-2008-06-13.patch ---
--- src/sgDiv.c.orig	2009-02-12 07:31:57.000000000 -0600
+++ src/sgDiv.c	2008-06-13 11:52:17.000000000 -0500
@@ -94,6 +94,9 @@
 {
   char *p, *d = NULL, *a = NULL, *e = NULL, *o, *field;
   int i = 0;
+  int report_once = 1;
+  int trailingdot = 0;
+  size_t strsz;
   char c;
   int ndx = 0;
   
@@ -126,22 +129,38 @@
     */
     /* Fix for multiple slash vulnerability (bug1). */
     /* Check if there are still two or more slashes in sequence which must not happen */
-    int report_once = 1;
+    strsz = strlen(p);
 
-    /* loop thru the string 'p' until the char '?' is hit */
+    /* loop thru the string 'p' until the char '?' is hit or the "end" is hit */
     while('?' != p[ndx] && '\0' != p[ndx])
     {
-      /* if this char and the next char are slashes, 
-         then shift the rest of the string left one char */
-      if('/' == p[ndx] && '/' == p[ndx+1])
-      {
-        size_t sz = strlen(p+ndx+1);
-        strncpy(p+ndx,p+ndx+1, sz);
-        p[ndx+sz] = '\0';
-        if(1 == report_once) {
-          sgLogError("Warning: Possible bypass attempt. Found multiple slashes where only one is expected: %s", s->orig);
-          report_once--;
+        /* in case this is a '://' skip over it, but try to not read past EOS */
+        if(3 <= strsz-ndx) {
+          if(':' == p[ndx] && '/' == p[ndx+1] && '/' == p[ndx+2]) {
+           ndx+=3; /* 3 == strlen("://"); */
+          }
         }
+        
+       /* if this char and the next char are slashes,
+ *           then shift the rest of the string left one char */
+       if('/' == p[ndx] && '/' == p[ndx+1]) {
+         size_t sz = strlen(p+ndx+1);
+         strncpy(p+ndx,p+ndx+1, sz);
+         p[ndx+sz] = '\0';
+          if(1 == report_once) {
+            sgLogError("Warning: Possible bypass attempt. Found multiple slashes where only one is expected: %s", s->orig);
+            report_once--;
+          }
+      }
+      else if ('.' == p[ndx] && '/' == p[ndx+1] && trailingdot == 0) {
+      /* If the domain has trailing dot, remove (problem found with squid 3.0 stable1-5) the trailing dot (fixes bug 38). */
+      /* if this char is a dot and the next char is a slash, then shift the rest of the string left one char */
+      /* We do this only the first time it is encountered. */
+         trailingdot++;
+         size_t sz = strlen(p+ndx+1);
+         strncpy(p+ndx,p+ndx+1, sz);
+         p[ndx+sz] = '\0';
+         sgLogError("Warning: Possible bypass attempt. Found a trailing dot in the domain name: %s", s->orig); 
       }
       else
       {
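Review bot: Both removal branches in this hunk shift the string with `strncpy(p+ndx,p+ndx+1, sz)`, where source and destination overlap; that is undefined behaviour for strncpy, and `memmove(p+ndx, p+ndx+1, sz+1);` performs the same shift, terminator included, with defined results. The trailing-dot branch added by squidGuard-1.3-SG-2008-06-13.patch repeats the same call. Separately, after the `ndx+=3` skip of `://`, p[ndx] may already be the terminator or `?`; if the `else` branch that continues outside the hunk increments ndx, the loop test would then read past the end of the string, so the loop condition should be re-evaluated right after the skip (for example with `continue;`). `strsz` is also measured once before the loop and goes stale as characters are removed.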
@@ -537,13 +556,13 @@
 #endif
 {
   struct sgRegExp *re;
-  regmatch_t pm[10];
+  regmatch_t pm;
   static char newstring[MAX_BUF];
   char *result = NULL, *p;
   int substlen;
   *newstring='\0';
   for(re = regexp; re != NULL; re = re->next){
-    if (regexec (re->compiled, pattern, sizeof(pm) / sizeof(pm[0]), pm, 0) != 0){
+    if (regexec (re->compiled, pattern, 1, &pm, 0) != 0){
       result = NULL;
     } else {
       substlen = strlen(re->substitute);
@@ -553,65 +572,14 @@
 	*newstring = '\0';
       p = newstring;
       do {
-	if((p - newstring)+ pm[0].rm_so  >= MAX_BUF)
+	if((p - newstring)+ pm.rm_so  >= MAX_BUF)
 	  break;
-      p = strncat(newstring,pattern,pm[0].rm_so);
-      {
-          char *p_cur;
-          char *p_next;
-
-          for (p_next = p_cur = re->substitute;
-              p_next < (re->substitute + substlen);
-              p_next++)
-          {
-              if (*p_next == '\\')
-              {
-                  if (p_cur < p_next)
-                  {
-                      if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)
-                          goto err;
-                      p = strncat(newstring, p_cur, p_next - p_cur);
-                  }
-                  p_next++;
-                  if (p_next < (re->substitute + substlen)
-                      && '0' <= *p_next && *p_next <= '9')
-                  {
-                      int i = *p_next - '0';
-                      if ((p - newstring) + (pm[i].rm_eo - pm[i].rm_so) >= MAX_BUF)
-                          goto err;
-                      p = strncat(newstring, pattern + pm[i].rm_so, pm[i].rm_eo - pm[i].rm_so);
-                  }
-                  else
-                  {
-                      if ((p - newstring + 1) >= MAX_BUF)
-                          goto err;
-                      p = strncat(newstring, p_next, 1);
-                  }
-                  p_cur = p_next + 1;
-              }
-              else if (*p_next == '&')
-              {
-                  if (p_cur < p_next)
-                  {
-                      if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)
-                          goto err;
-                      p = strncat(newstring, p_cur, p_next - p_cur);
-                  }
-                  if (((p - newstring) + (pm[0].rm_eo - pm[0].rm_so)) >= MAX_BUF)
-                      goto err;
-                  p = strncat(newstring, pattern + pm[0].rm_so, pm[0].rm_eo - pm[0].rm_so);
-                  p_cur = p_next + 1;
-              }
-          }
-          if (p_cur < p_next)
-          {
-              if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)
-                  goto err;
-              p = strncat(newstring, p_cur, p_next - p_cur);
-          }
-      }
-      pattern = pattern + pm[0].rm_eo;
-     } while(regexec (re->compiled, pattern, sizeof(pm) / sizeof(pm[0]), pm, REG_NOTBOL)== 0 &&
+	p = strncat(newstring,pattern,pm.rm_so);
+	if((p - newstring)+ substlen  >= MAX_BUF)
+	  break;
+	p = strcat(newstring,re->substitute);	
+	pattern = pattern + pm.rm_eo;
+      } while(regexec (re->compiled, pattern, 1, &pm, REG_NOTBOL)== 0 &&
 	      re->global);
       if((p - newstring)+ strlen(pattern)  <= MAX_BUF)
 	p = strcat(newstring,pattern);
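Review bot: The bounds checks in this loop measure `p - newstring`, but `strncat` and `strcat` return their destination argument, so `p` is always `newstring` and the difference is always 0. Each check therefore compares only the size of the next piece with MAX_BUF, not the accumulated length, and repeated matches with `re->global` set can write past the end of the MAX_BUF-sized `newstring`. Track the real length instead, e.g. `size_t used = strlen(newstring);` followed by `if (used + pm.rm_so + substlen >= MAX_BUF) break;` before the two appends. The trailing `<= MAX_BUF` test on the context line has the same problem and also leaves no room for the terminator. The function begins and ends outside this hunk.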
@@ -619,7 +587,6 @@
       break;
     }
   }
-err:
   return result;
 }
 

squidGuard-1.3-SG-2008-06-13.patch:
 sgDiv.c.in |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- NEW FILE squidGuard-1.3-SG-2008-06-13.patch ---
--- src/sgDiv.c.in.orig	2007-11-03 08:59:49.000000000 -0500
+++ src/sgDiv.c.in	2008-06-13 12:01:43.000000000 -0500
@@ -94,6 +94,7 @@
   int i = 0;
   char c;
   int report_once = 1;
+  int trailingdot = 1;
   size_t strsz;
   int ndx = 0;
   
@@ -148,6 +149,16 @@
             report_once--;
           }
       }
+      else if ('.' == p[ndx] && '/' == p[ndx+1] && trailingdot == 0) {
+      /* If the domain has trailing dot, remove (problem found with squid 3.0 stable1-5) */
+      /* if this char is a dot and the next char is a slash, then shift the rest of the string left one char */
+      /* We do this only the first time it is encountered. */
+         trailingdot++;
+         size_t sz = strlen(p+ndx+1);
+         strncpy(p+ndx,p+ndx+1, sz);
+         p[ndx+sz] = '\0';
+         @NOLOG1@ sgLogError("Warning: Possible bypass attempt. Found a trailing dot in the domain name: %s", s->orig); @NOLOG2@
+      }
       else
       {
         /* increment the string indexer */
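Review bot: The new branch tests `trailingdot == 0`, but the first hunk of this patch declares `int trailingdot = 1;`, so unless the flag is reset somewhere outside the visible hunks the trailing-dot removal can never run. The 1.2.1 patch in the same commit initialises the flag to 0. If the branch is meant to be active the declaration should read `int trailingdot = 0;`; if it is deliberately disabled, a comment on the declaration should say so. The condition also appears to match the first `./` anywhere before the `?`, not only at the end of the host name, which the log message does not reflect.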

squidGuard-1.4-20091015.patch:
 sgLog.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- NEW FILE squidGuard-1.4-20091015.patch ---
--- src/sgLog.c	2007-11-16 10:58:32.000000000 -0600
+++ src/sgLog.c	2009-10-15 14:25:14.000000000 -0500
@@ -5 +5 @@
-  This software product, squidGuard, is copyrighted (C) 1998-2007
+  This software product, squidGuard, is copyrighted (C) 1998-2009
@@ -58,2 +58,2 @@
-  if(vsprintf(msg, format, ap) > (MAX_BUF - 1)) 
-    fprintf(stderr,"overflow in vsprintf (sgLog): %s",strerror(errno));
+  if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1)) 
+    fprintf(stderr,"overflow in vsnprintf (sgLog): %s",strerror(errno));
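Review bot: The truncation branch prints `strerror(errno)`, but a `vsnprintf` return larger than `MAX_BUF - 1` only means the output was truncated and does not set errno, so the logged text is whatever error happened to be left over from an earlier call. The same applies to the hunks at lines 90 and 107. Capturing the return value in a local `n` and logging it, e.g. `"message truncated in sgLog: needed %d bytes"`, would be accurate. A negative return (an output error) is also not caught by the `>` comparison.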
@@ -90,2 +90,2 @@
-  if(vsprintf(msg, format, ap) > (MAX_BUF - 1)) 
-    sgLogFatalError("overflow in vsprintf (sgLogError): %s",strerror(errno));
+  if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1)) 
+    sgLog(globalErrorLog, "overflow in vsnprintf (sgLogError): %s",strerror(errno));
@@ -107,2 +107,2 @@
-  if(vsprintf(msg, format, ap) > (MAX_BUF - 1)) 
-    return;
+  if(vsnprintf(msg, MAX_BUF, format, ap) > (MAX_BUF - 1)) 
+    sgLog(globalErrorLog, "overflow in vsnprintf (sgLogError): %s",strerror(errno));
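Review bot: The message added here carries the label `(sgLogError)`, identical to the one in the hunk at line 90. The hunk shows no function name, but if line 107 belongs to a different function, the label should name that function so the log line points at the right caller. The old code returned at this point, while the new code falls through and carries on with the truncated message; a short comment such as `/* msg is truncated but NUL-terminated; continue */` would make that intent explicit.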

squidGuard-1.4-20091019.patch:
 sgDiv.c.in |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- NEW FILE squidGuard-1.4-20091019.patch ---
--- src/sgDiv.c.in	2008-07-14 11:02:43.000000000 -0500
+++ src/sgDiv.c.in	2009-10-19 14:26:04.000000000 -0500
@@ -748 +748 @@
-      strcat(buf, req->orig);
+      strncat(buf, req->orig, 2048);
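Review bot: The third argument of `strncat` limits how many bytes are taken from `req->orig`, not how much room is left in `buf`, so the literal 2048 is only safe if `buf` always has at least 2049 free bytes at this point, which the hunk does not show. Bounding by the remaining space is more robust, e.g. `strncat(buf, req->orig, sizeof(buf) - strlen(buf) - 1);` if `buf` is an array in this scope (its declaration is outside the hunk). Long URLs are now truncated silently, which may deserve a log line so that operators can see when a request was cut.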
--- src/sg.h.in	2007-11-16 10:58:32.000000000 -0600
+++ src/sg.h.in	2009-10-19 14:25:23.000000000 -0500
@@ -76 +76 @@
-#define MAX_BUF 4096
+#define MAX_BUF 12288



