23 лет назад · 30fb2d5985
--- a/proftpd/proftpd.patch
+++ b/proftpd/proftpd.patch
@@ -0,0 +1,42 @@
 
				+http://www.debian.org/security/2003/dsa-338
			
 
				+DSA-338-1 proftpd -- SQL injection, Date Reported: 29 Jun 2003
			
 
				+
			
 
				+    runlevel [runlevel@raregazz.org] reported that ProFTPD's PostgreSQL
			
 
				+    authentication module is vulnerable to a SQL injection attack. This
			
 
				+    vulnerability could be exploited by a remote, unauthenticated
			
 
				+    attacker to execute arbitrary SQL statements, potentially exposing
			
 
				+    the passwords of other users, or to connect to ProFTPD as an
			
 
				+    arbitrary user without supplying the correct password.
			
 
				+
			
 
				+patch AE.mod_sql_postgres.c.diff extracted from 
			
 
				+http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2.tar.gz
			
 
				+
			
 
				+--- contrib/mod_sql_postgres.c.orig	Wed Jul  2 16:49:26 2003
			
 
				++++ contrib/mod_sql_postgres.c	Wed Jul  2 16:56:35 2003
			
 
				+@@ -1082,6 +1082,8 @@
			
 
				+ {
			
 
				+   conn_entry_t *entry = NULL;
			
 
				+   db_conn_t *conn = NULL;
			
 
				++  char *unescaped = NULL;
			
 
				++  char *escaped = NULL;
			
 
				+ 
			
 
				+   sql_log(DEBUG_FUNC, "%s", "entering \tpostgres cmd_escapestring");
			
 
				+ 
			
 
				+@@ -1102,9 +1104,16 @@
			
 
				+   conn = (db_conn_t *) entry->data;
			
 
				+ 
			
 
				+   /* PostgreSQL has no way to escape strings internally */
			
 
				++  /* Note: the PQescapeString() function appeared in the C API as of
			
 
				++   * Postgres-7.2.
			
 
				++   */
			
 
				++  unescaped = cmd->argv[1];
			
 
				++  escaped = (char *) pcalloc(cmd->tmp_pool, sizeof(char) *
			
 
				++    (strlen(unescaped) * 2) + 1);
			
 
				+ 
			
 
				++  PQescapeString(escaped, unescaped, strlen(unescaped));
			
 
				+   sql_log(DEBUG_FUNC, "%s", "exiting \tpostgres cmd_escapestring");
			
 
				+-  return mod_create_data(cmd, (void *) cmd->argv[1]);
			
 
				++  return mod_create_data(cmd, (void *) escaped );
			
 
				+ }
			
 
				+ 
			
 
				+ /*
			
--- a/proftpd/proftpd.spec
+++ b/proftpd/proftpd.spec
@@ -52,6 +52,7 @@ Source1:      proftpd.conf
 
				 Source2:      proftpd.msg.goaway
			
 
				 Source3:      proftpd.msg.login
			
 
				 Source4:      rc.proftpd
			
 
				+Patch0:       proftpd.patch
			
 
				 
			
 
				 #   build information
			
 
				 Prefix:       %{l_prefix}
			
@@ -93,6 +94,7 @@ AutoReqProv:  no
 
				 
			
 
				 %prep
			
 
				     %setup -q
			
 
				+    %patch -p0
			
 
				     #   utils also require link with getopt
			
 
				     %{l_shtool} subst \
			
 
				         -e 's;\(\$(BUILD_FTPCOUNT_OBJS).*\);\1 %{l_ldflags} -lgetopt;g' \