head 1.1;
access;
symbols
OPENPKG_2_STABLE_MP:1.1
OPENPKG_E1_MP_HEAD:1.1
OPENPKG_E1_MP:1.1
OPENPKG_E1_MP_2_STABLE:1.1
OPENPKG_E1_FP:1.1
OPENPKG_2_STABLE_20061018:1.1
OPENPKG_2_STABLE:1.1.0.18
OPENPKG_2_STABLE_BP:1.1
OPENPKG_2_5_SOLID:1.1.0.16
OPENPKG_2_5_SOLID_BP:1.1
OPENPKG_2_4_RELEASE:1.1
OPENPKG_2_4_SOLID:1.1.0.14
OPENPKG_2_4_SOLID_BP:1.1
OPENPKG_2_3_RELEASE:1.1
OPENPKG_2_3_SOLID:1.1.0.12
OPENPKG_2_3_SOLID_BP:1.1
OPENPKG_2_2_RELEASE:1.1
OPENPKG_2_2_SOLID:1.1.0.10
OPENPKG_2_2_SOLID_BP:1.1
OPENPKG_2_1_RELEASE:1.1
OPENPKG_2_1_SOLID:1.1.0.8
OPENPKG_2_1_SOLID_BP:1.1
OPENPKG_2_0_RELEASE:1.1
OPENPKG_2_0_SOLID:1.1.0.6
OPENPKG_2_0_SOLID_BP:1.1
OPENPKG_1_3_RELEASE:1.1.2.2
OPENPKG_1_3_SOLID:1.1.2.2.0.2
OPENPKG_1_3_SOLID_BP:1.1.2.2
OPENPKG_1_2_SOLID:1.1.0.4
OPENPKG_1_STABLE:1.1.0.2;
locks; strict;
comment @# @;
1.1
date 2003.03.04.09.46.01; author mlelstv; state dead;
branches
1.1.2.1
1.1.4.1
1.1.6.1;
next ;
1.1.2.1
date 2003.03.04.09.46.01; author mlelstv; state Exp;
branches;
next 1.1.2.2;
1.1.2.2
date 2003.07.24.20.50.11; author rse; state dead;
branches
1.1.2.2.2.1;
next ;
1.1.2.2.2.1
date 2004.04.16.14.08.29; author ms; state Exp;
branches;
next 1.1.2.2.2.2;
1.1.2.2.2.2
date 2004.05.19.20.04.13; author rse; state Exp;
branches;
next ;
1.1.4.1
date 2003.03.04.09.48.38; author mlelstv; state Exp;
branches;
next ;
1.1.6.1
date 2004.04.16.14.08.21; author ms; state Exp;
branches;
next 1.1.6.2;
1.1.6.2
date 2004.05.19.20.03.12; author rse; state Exp;
branches;
next ;
desc
@@
1.1
log
@file neon.patch was initially added on branch OPENPKG_1_STABLE.
@
text
@@
1.1.6.1
log
@add patchcode to remove vulnerabilities in format string handling as
described in OpenPKG-SA-2004.016 (CAN-2004-0179)
@
text
@a0 142
diff -Nau src/ne_207.c.orig src/ne_207.c
--- src/ne_207.c.orig 2003-07-23 23:48:21.000000000 +0200
+++ src/ne_207.c 2004-04-16 14:47:53.000000000 +0200
@@@@ -320,12 +320,12 @@@@
if (ne_get_status(req)->code == 207) {
if (!ne_xml_valid(p)) {
/* The parse was invalid */
- ne_set_error(sess, ne_xml_get_error(p));
+ ne_set_error(sess, "%s", ne_xml_get_error(p));
ret = NE_ERROR;
} else if (ctx.is_error) {
/* If we've actually got any error information
* from the 207, then set that as the error */
- ne_set_error(sess, ctx.buf->data);
+ ne_set_error(sess, "%s", ctx.buf->data);
ret = NE_ERROR;
}
} else if (ne_get_status(req)->klass != 2) {
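Review bot: Each call is repaired one site at a time by inserting a literal `"%s"`, and nothing in the visible change stops a later caller from again passing response-derived text as the format argument of `ne_set_error`. The same repair is made at both calls in this hunk and in the `src/ne_auth.c`, `src/ne_locks.c` and `src/ne_props.c` hunks. The declaration of `ne_set_error` is not shown in this patch; if it does not already carry a printf format attribute, adding one such as `__attribute__((format(printf, 2, 3)))` and building with `-Wformat -Wformat-security` would let the compiler report a non-literal format at every call site. The enclosing function starts and ends outside the hunk.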
diff -Nau src/ne_auth.c.orig src/ne_auth.c
--- src/ne_auth.c.orig 2003-10-21 21:32:55.000000000 +0200
+++ src/ne_auth.c 2004-04-16 14:47:53.000000000 +0200
@@@@ -1080,7 +1080,7 @@@@
if (areq->auth_info_hdr != NULL &&
verify_response(areq, sess, areq->auth_info_hdr)) {
NE_DEBUG(NE_DBG_HTTPAUTH, "Response authentication invalid.\n");
- ne_set_error(sess->sess, _(sess->spec->fail_msg));
+ ne_set_error(sess->sess, "%s", _(sess->spec->fail_msg));
ret = NE_ERROR;
} else if (status->code == sess->spec->status_code &&
areq->auth_hdr != NULL) {
diff -Nau src/ne_locks.c.orig src/ne_locks.c
--- src/ne_locks.c.orig 2003-06-19 00:10:58.000000000 +0200
+++ src/ne_locks.c 2004-04-16 14:47:53.000000000 +0200
@@@@ -734,7 +734,7 @@@@
}
else if (parse_failed) {
ret = NE_ERROR;
- ne_set_error(sess, ne_xml_get_error(parser));
+ ne_set_error(sess, "%s", ne_xml_get_error(parser));
}
else if (ne_get_status(req)->code == 207) {
ret = NE_ERROR;
@@@@ -802,7 +802,7 @@@@
if (ret == NE_OK && ne_get_status(req)->klass == 2) {
if (parse_failed) {
ret = NE_ERROR;
- ne_set_error(sess, ne_xml_get_error(parser));
+ ne_set_error(sess, "%s", ne_xml_get_error(parser));
}
else if (ne_get_status(req)->code == 207) {
ret = NE_ERROR;
diff -Nau src/ne_props.c.orig src/ne_props.c
--- src/ne_props.c.orig 2003-06-19 00:10:58.000000000 +0200
+++ src/ne_props.c 2004-04-16 14:47:53.000000000 +0200
@@@@ -142,7 +142,7 @@@@
if (ret == NE_OK && ne_get_status(req)->klass != 2) {
ret = NE_ERROR;
} else if (!ne_xml_valid(handler->parser)) {
- ne_set_error(handler->sess, ne_xml_get_error(handler->parser));
+ ne_set_error(handler->sess, "%s", ne_xml_get_error(handler->parser));
ret = NE_ERROR;
}
diff -Nau src/ne_xml.c.orig src/ne_xml.c
--- src/ne_xml.c.orig 2003-09-25 21:05:58.000000000 +0200
+++ src/ne_xml.c 2004-04-16 14:47:53.000000000 +0200
@@@@ -539,7 +539,7 @@@@
void ne_xml_set_error(ne_xml_parser *p, const char *msg)
{
- ne_snprintf(p->error, ERR_SIZE, msg);
+ ne_snprintf(p->error, ERR_SIZE, "%s", msg);
}
#ifdef HAVE_LIBXML
diff -Nau test/props.c.orig test/props.c
--- test/props.c.orig 2003-04-22 16:13:56.000000000 +0200
+++ test/props.c 2004-04-16 14:47:53.000000000 +0200
@@@@ -81,6 +81,14 @@@@
""
"HTTP/1.1 404 Not Found"
"",
+
+ /* format string handling with neon <= 0.24.4 */
+ RESP207 ""
+ "/foo/"
+ ""
+ "%s%s%s%s"
+ "",
+
NULL,
};
ne_session *sess;
@@@@ -96,6 +104,40 @@@@
return OK;
}
+static int patch_regress(void)
+{
+ static const char *bodies[] = {
+ /* format string handling bugs with neon <= 0.24.4 */
+ RESP207 ""
+ "/foo/"
+ "HTTP/1.1 500 Bad Voodoo"
+ "%s%s%s%s"
+ "",
+
+ RESP207 ""
+ "/foo/"
+ "HTTP/1.1 %s%s%s%s",
+
+ NULL
+ };
+ ne_session *sess;
+ int n;
+ static const ne_propname pn = { "DAV:", "foobar" };
+ ne_proppatch_operation pops[] = {
+ { &pn, ne_propset, "fish" },
+ { NULL, ne_propset, NULL }
+ };
+
+ for (n = 0; bodies[n] != NULL; n++) {
+ CALL(make_session(&sess, single_serve_string, (void *)bodies[n]));
+ ne_proppatch(sess, "/", pops);
+ ne_session_destroy(sess);
+ CALL(await_server());
+ }
+
+ return OK;
+}
+
static int pstat_count;
/* tos_*: set of 207 callbacks which serialize the data back into a
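Review bot: `patch_regress` discards the result of `ne_proppatch(sess, "/", pops);`, so the test passes whenever the call does not crash and never confirms that the `%s%s%s%s` text from the response was treated as data. Storing the return value and failing the test when it is not the expected error result would pin that behaviour. Also checking before `ne_session_destroy(sess)` that `ne_get_error(sess)` still contains the literal `%s%s%s%s` would catch a regression that expands the directives without faulting. A comment above the loop such as `/* the call must fail cleanly; a crash or an expanded %s means the format string bug is back */` would record the intent.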
@@@@ -503,6 +545,7 @@@@
T(patch_simple),
T(pfind_simple),
T(regress),
+ T(patch_regress),
T(NULL)
};
@
1.1.6.2
log
@apply security fix (OpenPKG-SA-2004.024-neon, CAN-2004-0398)
@
text
@a0 2
Security Fix
a142 44
-----------------------------------------------------------------------------
Security Fix
OpenPKG-SA-2004.024-neon, CAN-2004-0398
Index: src/ne_dates.c
--- src/ne_dates.c 2 May 2004 16:00:35 -0000 1.28.2.1
+++ src/ne_dates.c 2 May 2004 18:21:53 -0000
@@@@ -47,7 +47,7 @@@@
/* RFC1123: Sun, 06 Nov 1994 08:49:37 GMT */
#define RFC1123_FORMAT "%3s, %02d %3s %4d %02d:%02d:%02d GMT"
/* RFC850: Sunday, 06-Nov-94 08:49:37 GMT */
-#define RFC1036_FORMAT "%s %2d-%3s-%2d %2d:%2d:%2d GMT"
+#define RFC1036_FORMAT "%10s %2d-%3s-%2d %2d:%2d:%2d GMT"
/* asctime: Wed Jun 30 21:49:08 1993 */
#define ASCTIME_FORMAT "%3s %3s %2d %2d:%2d:%2d %4d"
@@@@ -133,7 +133,7 @@@@
time_t ne_rfc1123_parse(const char *date)
{
struct tm gmt = {0};
- static char wkday[4], mon[4];
+ char wkday[4], mon[4];
int n;
/* it goes: Sun, 06 Nov 1994 08:49:37 GMT */
n = sscanf(date, RFC1123_FORMAT,
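Review bot: Dropping `static` leaves `wkday` and `mon` with indeterminate contents whenever `sscanf` stops before storing into them, whereas the old static arrays at least started zero-filled. Nothing in the hunk shows the conversion count `n` being tested before the buffers are used, so a malformed date header may lead later code to read uninitialised stack bytes; the rest of the function lies outside the hunk, so this needs confirming there. Initialising at the declaration, `char wkday[4] = {0}, mon[4] = {0};`, or returning an error when `n` is below the expected field count, would close the gap. The same applies to the `wkday[11]` and asctime hunks that follow, and to the repeated copy of this patch in revision 1.1.2.2.2.2.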
@@@@ -156,7 +156,7 @@@@
{
struct tm gmt = {0};
int n;
- static char wkday[10], mon[4];
+ char wkday[11], mon[4];
/* RFC850/1036 style dates: Sunday, 06-Nov-94 08:49:37 GMT */
n = sscanf(date, RFC1036_FORMAT,
wkday, &gmt.tm_mday, mon, &gmt.tm_year,
@@@@ -189,7 +189,7 @@@@
{
struct tm gmt = {0};
int n;
- static char wkday[4], mon[4];
+ char wkday[4], mon[4];
n = sscanf(date, ASCTIME_FORMAT,
wkday, mon, &gmt.tm_mday,
&gmt.tm_hour, &gmt.tm_min, &gmt.tm_sec,
@
1.1.4.1
log
@MFS: backport security-fix from neon-0.23.8
@
text
@a0 62
--- src/ne_utils.c.dist Thu Jul 18 00:19:46 2002
+++ src/ne_utils.c Wed Feb 26 00:15:33 2003
@@@@ -129,6 +129,17 @@@@
#endif
}
+/* Cleanse 'str' of non-printable characters. Duplicated in
+ * ne_session.c for the duration of neon 0.23.x to prevent ABI
+ * change. */
+static char *cleanse(char *str)
+{
+ char *pnt;
+ for (pnt = str; *pnt; pnt++)
+ if (iscntrl(*pnt) || !isprint(*pnt)) *pnt = ' ';
+ return str;
+}
+
int ne_parse_statusline(const char *status_line, ne_status *st)
{
const char *part;
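Review bot: `cleanse()` passes a plain `char` to `iscntrl()` and `isprint()`, which is undefined for negative values where `char` is signed, and bytes at or above 0x80 in a status line come straight from the server. Casting first fixes that, and because control characters are by definition not printing characters the `iscntrl` test is redundant: `if (!isprint((unsigned char)*pnt)) *pnt = ' ';`. The identical copy added to `src/ne_session.c` further down, and both copies repeated in revision 1.1.2.1, need the same change.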
@@@@ -177,7 +188,7 @@@@
/* Fill in the results */
st->major_version = major;
st->minor_version = minor;
- st->reason_phrase = ne_strdup(part);
+ st->reason_phrase = cleanse(ne_strdup(part));
st->code = status_code;
st->klass = klass;
return 0;
--- src/ne_session.c.dist Tue Sep 17 22:08:01 2002
+++ src/ne_session.c Wed Feb 26 00:15:33 2003
@@@@ -33,6 +33,8 @@@@
#include
#endif
+#include /* for cleanse() */
+
#ifdef NEON_SSL
#include
#include
@@@@ -242,9 +244,20 @@@@
uri->scheme = ne_strdup(sess->scheme);
}
+/* Cleanse 'str' of non-printable characters. Duplicated in
+ * ne_utils.c for the duration of neon 0.23.x to prevent ABI
+ * change. */
+static char *cleanse(char *str)
+{
+ char *pnt;
+ for (pnt = str; *pnt; pnt++)
+ if (iscntrl(*pnt) || !isprint(*pnt)) *pnt = ' ';
+ return str;
+}
+
const char *ne_get_error(ne_session *sess)
{
- return sess->error;
+ return cleanse(sess->error);
}
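Review bot: `ne_get_error` now rewrites `sess->error` in place on every call, so a getter that returns `const char *` has a side effect, and any code that reads `sess->error` directly still sees the uncleansed bytes. Sanitising once at the point where the error text is stored would avoid both problems; whether that fits the 0.23.x ABI constraint mentioned in the comment cannot be judged from this hunk. If the call stays here, a comment on the function such as `/* NOTE: cleanses sess->error in place before returning it. */` would make the mutation visible to maintainers.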
@
1.1.2.1
log
@backport security-fix from neon-0.23.8
@
text
@a0 62
--- src/ne_utils.c.dist Thu Jul 18 00:19:46 2002
+++ src/ne_utils.c Wed Feb 26 00:15:33 2003
@@@@ -129,6 +129,17 @@@@
#endif
}
+/* Cleanse 'str' of non-printable characters. Duplicated in
+ * ne_session.c for the duration of neon 0.23.x to prevent ABI
+ * change. */
+static char *cleanse(char *str)
+{
+ char *pnt;
+ for (pnt = str; *pnt; pnt++)
+ if (iscntrl(*pnt) || !isprint(*pnt)) *pnt = ' ';
+ return str;
+}
+
int ne_parse_statusline(const char *status_line, ne_status *st)
{
const char *part;
@@@@ -177,7 +188,7 @@@@
/* Fill in the results */
st->major_version = major;
st->minor_version = minor;
- st->reason_phrase = ne_strdup(part);
+ st->reason_phrase = cleanse(ne_strdup(part));
st->code = status_code;
st->klass = klass;
return 0;
--- src/ne_session.c.dist Tue Sep 17 22:08:01 2002
+++ src/ne_session.c Wed Feb 26 00:15:33 2003
@@@@ -33,6 +33,8 @@@@
#include
#endif
+#include /* for cleanse() */
+
#ifdef NEON_SSL
#include
#include
@@@@ -242,9 +244,20 @@@@
uri->scheme = ne_strdup(sess->scheme);
}
+/* Cleanse 'str' of non-printable characters. Duplicated in
+ * ne_utils.c for the duration of neon 0.23.x to prevent ABI
+ * change. */
+static char *cleanse(char *str)
+{
+ char *pnt;
+ for (pnt = str; *pnt; pnt++)
+ if (iscntrl(*pnt) || !isprint(*pnt)) *pnt = ' ';
+ return str;
+}
+
const char *ne_get_error(ne_session *sess)
{
- return sess->error;
+ return cleanse(sess->error);
}
@
1.1.2.2
log
@mass Merge-From-CURRENT (MFC) in preparation for OpenPKG 1.3 [class PLUS only]
@
text
@@
1.1.2.2.2.1
log
@add patchcode to remove vulnerabilities in format string handling as
described in OpenPKG-SA-2004.016 (CAN-2004-0179)
@
text
@d1 4
a4 72
diff -Nau src/ne_207.c.orig src/ne_207.c
--- src/ne_207.c.orig 2003-04-21 19:18:06.000000000 +0200
+++ src/ne_207.c 2004-04-16 14:36:07.000000000 +0200
@@@@ -320,12 +320,12 @@@@
if (ne_get_status(req)->code == 207) {
if (!ne_xml_valid(p)) {
/* The parse was invalid */
- ne_set_error(sess, ne_xml_get_error(p));
+ ne_set_error(sess, "%s", ne_xml_get_error(p));
ret = NE_ERROR;
} else if (ctx.is_error) {
/* If we've actually got any error information
* from the 207, then set that as the error */
- ne_set_error(sess, ctx.buf->data);
+ ne_set_error(sess, "%s", ctx.buf->data);
ret = NE_ERROR;
}
} else if (ne_get_status(req)->klass != 2) {
diff -Nau src/ne_auth.c.orig src/ne_auth.c
--- src/ne_auth.c.orig 2003-03-09 12:10:02.000000000 +0100
+++ src/ne_auth.c 2004-04-16 14:36:07.000000000 +0200
@@@@ -950,7 +950,7 @@@@
if (areq->auth_info_hdr != NULL &&
verify_response(areq, sess, areq->auth_info_hdr)) {
NE_DEBUG(NE_DBG_HTTPAUTH, "Response authentication invalid.\n");
- ne_set_error(sess->sess, _(sess->spec->fail_msg));
+ ne_set_error(sess->sess, "%s", _(sess->spec->fail_msg));
ret = NE_ERROR;
} else if (status->code == sess->spec->status_code &&
areq->auth_hdr != NULL) {
diff -Nau src/ne_locks.c.orig src/ne_locks.c
--- src/ne_locks.c.orig 2003-06-19 00:10:58.000000000 +0200
+++ src/ne_locks.c 2004-04-16 14:36:07.000000000 +0200
@@@@ -734,7 +734,7 @@@@
}
else if (parse_failed) {
ret = NE_ERROR;
- ne_set_error(sess, ne_xml_get_error(parser));
+ ne_set_error(sess, "%s", ne_xml_get_error(parser));
}
else if (ne_get_status(req)->code == 207) {
ret = NE_ERROR;
@@@@ -802,7 +802,7 @@@@
if (ret == NE_OK && ne_get_status(req)->klass == 2) {
if (parse_failed) {
ret = NE_ERROR;
- ne_set_error(sess, ne_xml_get_error(parser));
+ ne_set_error(sess, "%s", ne_xml_get_error(parser));
}
else if (ne_get_status(req)->code == 207) {
ret = NE_ERROR;
diff -Nau src/ne_props.c.orig src/ne_props.c
--- src/ne_props.c.orig 2003-06-19 00:10:58.000000000 +0200
+++ src/ne_props.c 2004-04-16 14:36:07.000000000 +0200
@@@@ -142,7 +142,7 @@@@
if (ret == NE_OK && ne_get_status(req)->klass != 2) {
ret = NE_ERROR;
} else if (!ne_xml_valid(handler->parser)) {
- ne_set_error(handler->sess, ne_xml_get_error(handler->parser));
+ ne_set_error(handler->sess, "%s", ne_xml_get_error(handler->parser));
ret = NE_ERROR;
}
diff -Nau src/ne_xml.c.orig src/ne_xml.c
--- src/ne_xml.c.orig 2003-05-10 18:05:59.000000000 +0200
+++ src/ne_xml.c 2004-04-16 14:36:07.000000000 +0200
@@@@ -538,7 +538,7 @@@@
void ne_xml_set_error(ne_xml_parser *p, const char *msg)
{
- ne_snprintf(p->error, ERR_SIZE, msg);
+ ne_snprintf(p->error, ERR_SIZE, "%s", msg);
d7 10
a16 8
#ifdef HAVE_LIBXML
diff -Nau test/props.c.orig test/props.c
--- test/props.c.orig 2003-04-22 16:13:56.000000000 +0200
+++ test/props.c 2004-04-16 14:37:48.000000000 +0200
@@@@ -81,6 +81,14 @@@@
""
"HTTP/1.1 404 Not Found"
"",
d18 25
a42 12
+ /* format string handling with neon <= 0.24.4 */
+ RESP207 ""
+ "/foo/"
+ ""
+ "%s%s%s%s"
+ "",
+
NULL,
};
ne_session *sess;
@@@@ -96,6 +104,40 @@@@
return OK;
d45 4
a48 1
+static int patch_regress(void)
d50 4
a53 30
+ static const char *bodies[] = {
+ /* format string handling bugs with neon <= 0.24.4 */
+ RESP207 ""
+ "/foo/"
+ "HTTP/1.1 500 Bad Voodoo"
+ "%s%s%s%s"
+ "",
+
+ RESP207 ""
+ "/foo/"
+ "HTTP/1.1 %s%s%s%s",
+
+ NULL
+ };
+ ne_session *sess;
+ int n;
+ static const ne_propname pn = { "DAV:", "foobar" };
+ ne_proppatch_operation pops[] = {
+ { &pn, ne_propset, "fish" },
+ { NULL, ne_propset, NULL }
+ };
+
+ for (n = 0; bodies[n] != NULL; n++) {
+ CALL(make_session(&sess, single_serve_string, (void *)bodies[n]));
+ ne_proppatch(sess, "/", pops);
+ ne_session_destroy(sess);
+ CALL(await_server());
+ }
+
+ return OK;
d56 5
a60 10
static int pstat_count;
/* tos_*: set of 207 callbacks which serialize the data back into a
@@@@ -503,6 +545,7 @@@@
T(patch_simple),
T(pfind_simple),
T(regress),
+ T(patch_regress),
T(NULL)
};
d62 1
@
1.1.2.2.2.2
log
@apply security fix (OpenPKG-SA-2004.024-neon, CAN-2004-0398)
@
text
@a0 2
Security Fix
a142 45
-----------------------------------------------------------------------------
Security Fix
OpenPKG-SA-2004.024-neon, CAN-2004-0398
Index: src/ne_dates.c
--- src/ne_dates.c 2 May 2004 16:00:35 -0000 1.28.2.1
+++ src/ne_dates.c 2 May 2004 18:21:53 -0000
@@@@ -47,7 +47,7 @@@@
/* RFC1123: Sun, 06 Nov 1994 08:49:37 GMT */
#define RFC1123_FORMAT "%3s, %02d %3s %4d %02d:%02d:%02d GMT"
/* RFC850: Sunday, 06-Nov-94 08:49:37 GMT */
-#define RFC1036_FORMAT "%s %2d-%3s-%2d %2d:%2d:%2d GMT"
+#define RFC1036_FORMAT "%10s %2d-%3s-%2d %2d:%2d:%2d GMT"
/* asctime: Wed Jun 30 21:49:08 1993 */
#define ASCTIME_FORMAT "%3s %3s %2d %2d:%2d:%2d %4d"
@@@@ -133,7 +133,7 @@@@
time_t ne_rfc1123_parse(const char *date)
{
struct tm gmt = {0};
- static char wkday[4], mon[4];
+ char wkday[4], mon[4];
int n;
/* it goes: Sun, 06 Nov 1994 08:49:37 GMT */
n = sscanf(date, RFC1123_FORMAT,
@@@@ -156,7 +156,7 @@@@
{
struct tm gmt = {0};
int n;
- static char wkday[10], mon[4];
+ char wkday[11], mon[4];
/* RFC850/1036 style dates: Sunday, 06-Nov-94 08:49:37 GMT */
n = sscanf(date, RFC1036_FORMAT,
wkday, &gmt.tm_mday, mon, &gmt.tm_year,
@@@@ -189,7 +189,7 @@@@
{
struct tm gmt = {0};
int n;
- static char wkday[4], mon[4];
+ char wkday[4], mon[4];
n = sscanf(date, ASCTIME_FORMAT,
wkday, mon, &gmt.tm_mday,
&gmt.tm_hour, &gmt.tm_min, &gmt.tm_sec,
@