
bump to rc1 cause of ifsession module

master
Christoph Schug 23 years ago committed by Ralf S. Engelschall
commit 397822ecb3
  1. proftpd/proftpd.patch (42)
  2. proftpd/proftpd.spec (16)

42
proftpd/proftpd.patch

@ -1,42 +0,0 @@
http://www.debian.org/security/2003/dsa-338
DSA-338-1 proftpd -- SQL injection, Date Reported: 29 Jun 2003
runlevel [runlevel@raregazz.org] reported that ProFTPD's PostgreSQL
authentication module is vulnerable to a SQL injection attack. This
vulnerability could be exploited by a remote, unauthenticated
attacker to execute arbitrary SQL statements, potentially exposing
the passwords of other users, or to connect to ProFTPD as an
arbitrary user without supplying the correct password.
patch AE.mod_sql_postgres.c.diff extracted from
http://security.debian.org/pool/updates/main/p/proftpd/proftpd_1.2.4+1.2.5rc1-5woody2.tar.gz
--- contrib/mod_sql_postgres.c.orig Wed Jul 2 16:49:26 2003
+++ contrib/mod_sql_postgres.c Wed Jul 2 16:56:35 2003
@@ -1082,6 +1082,8 @@
{
conn_entry_t *entry = NULL;
db_conn_t *conn = NULL;
+ char *unescaped = NULL;
+ char *escaped = NULL;
sql_log(DEBUG_FUNC, "%s", "entering \tpostgres cmd_escapestring");
@@ -1102,9 +1104,16 @@
conn = (db_conn_t *) entry->data;
/* PostgreSQL has no way to escape strings internally */
+ /* Note: the PQescapeString() function appeared in the C API as of
+ * Postgres-7.2.
+ */
+ unescaped = cmd->argv[1];
+ escaped = (char *) pcalloc(cmd->tmp_pool, sizeof(char) *
+ (strlen(unescaped) * 2) + 1);
+ PQescapeString(escaped, unescaped, strlen(unescaped));
sql_log(DEBUG_FUNC, "%s", "exiting \tpostgres cmd_escapestring");
- return mod_create_data(cmd, (void *) cmd->argv[1]);
+ return mod_create_data(cmd, (void *) escaped );
}
/*
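Review bot: Deleting the whole DSA-338 fix (the PQescapeString() call added to cmd_escapestring in contrib/mod_sql_postgres.c) is only safe if the 1.2.9rc1 sources already escape cmd->argv[1] at that point, and neither the commit message nor this hunk says so. Please check the 1.2.9rc1 tarball to confirm that cmd_escapestring no longer returns cmd->argv[1] unescaped, and state in the commit message that the patch is dropped because upstream carries the fix. Otherwise a with_pgsql build reintroduces the SQL injection described in the patch header.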

16
proftpd/proftpd.spec

@ -32,14 +32,15 @@ Packager: The OpenPKG Project
Distribution: OpenPKG [BASE]
Group: FTP
License: GPL
Version: 1.2.8
Version: 1.2.9rc1
Release: 20030729
# package options
%option with_mysql no
%option with_pam no
%option with_pgsql no
%option with_ldap no
%option with_ifsession no
%option with_mysql no
%option with_pam no
%option with_pgsql no
%option with_ldap no
# checking option conflicts
%if "%{with_mysql}" == "yes" && "%{with_pgsql}" == "yes"
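Review bot: with_ifsession is introduced with default no and no comment in the "# package options" block, so a default build of 1.2.9rc1 leaves out the module the commit message gives as the reason for the bump. Add a short comment next to the option saying what it enables (mod_ifsession), and mention in the commit message that it is off by default.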
@ -52,7 +53,6 @@ Source1: proftpd.conf
Source2: proftpd.msg.goaway
Source3: proftpd.msg.login
Source4: rc.proftpd
Patch0: proftpd.patch
# build information
Prefix: %{l_prefix}
@ -99,7 +99,6 @@ AutoReqProv: no
%prep
%setup -q
%patch -p0
# utils also require link with getopt
%{l_shtool} subst \
-e 's;\(\$(BUILD_FTPCOUNT_OBJS).*\);\1 %{l_ldflags} -lgetopt;g' \
@ -140,6 +139,9 @@ AutoReqProv: no
MOD="mod_ratio:mod_readme"
MOD_INC="%{l_prefix}/include"
MOD_LIB="%{l_prefix}/lib"
%if "%{with_ifsession}" == "yes"
MOD="$MOD:mod_ifsession"
%endif
%if "%{with_mysql}" == "yes" || "%{with_pgsql}" == "yes"
MOD="$MOD:mod_sql"
%if "%{with_mysql}" == "yes"
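Review bot: mod_ifsession is appended to MOD directly after mod_ratio:mod_readme, ahead of mod_sql and anything the later conditional blocks add. The ProFTPD documentation for mod_ifsession recommends listing it last among the compiled-in modules so that its per-session changes are seen by the others. Assuming MOD is what ends up in the configure module list (not visible in this hunk), move the with_ifsession block below the last MOD="$MOD:..." assignment.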
