INN developers report that version 2.5.3 fixes the plaintext command injection after the channel was TLSized, http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html Fix: I had extracted the minimal patch from the full one that does upgrade from 2.5.2 to 2.5.3: http://codelabs.ru/fbsd/ports/inn/inn-2.5.2-fix-cve-2012-3523.diff I had checked only buildability of the patched port: see no problems. Have no INN setup at hand to test the functionality, sorry. If you'll take the route of adding this minimal patch, VuXML version specification in a7975581-ee26-11e1-8bd8-0022156e8794 must be changed from "2.5.3" to "2.5.2_2". How-To-Repeat: Look at - http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html - https://www.isc.org/software/inn/2.5.3article
Responsible Changed From-To: freebsd-ports-bugs->fluffy Over to maintainer (via the GNATS Auto Assign Tool)
Author: rea Date: Sun Aug 26 17:33:12 2012 New Revision: 303194 URL: http://svn.freebsd.org/changeset/ports/303194 Log: news/inn: fix plaintext command injection, CVE-2012-3523 Relevant only for INN installations that are using encryption. PR: 171013 Approved by: fluffy@FreeBSD.org (maintainer) Security: http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html Added: head/news/inn/files/patch-cve-2012-3523-minimal (contents, props changed) Modified: head/news/inn/Makefile head/security/vuxml/vuln.xml Modified: head/news/inn/Makefile ============================================================================== --- head/news/inn/Makefile Sun Aug 26 17:09:37 2012 (r303193) +++ head/news/inn/Makefile Sun Aug 26 17:33:12 2012 (r303194) @@ -7,7 +7,7 @@ PORTNAME?= inn PORTVERSION?= 2.5.2 -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES= news ipv6 # Master distribution broken #MASTER_SITES?= ${MASTER_SITE_ISC} Added: head/news/inn/files/patch-cve-2012-3523-minimal ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/news/inn/files/patch-cve-2012-3523-minimal Sun Aug 26 17:33:12 2012 (r303194) @@ -0,0 +1,61 @@ +Fixes CVE-2012-3523. This is a stripped down version of 2.5.2 -> 2.5.3 +patch that adds line_reset() to the relevant places. + +Obtained-from: ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz +diff -Nurp inn-2.5.2/nnrpd/line.c inn-2.5.3/nnrpd/line.c +--- nnrpd/line.c 2010-03-24 13:10:36.000000000 -0700 ++++ nnrpd/line.c 2012-06-15 11:25:36.000000000 -0700 +@@ -66,6 +66,17 @@ line_init(struct line *line) + line->remaining = 0; + } + ++/* ++** Reset a line structure. ++*/ ++void ++line_reset(struct line *line) ++{ ++ assert(line); ++ line->where = line->start; ++ line->remaining = 0; ++} ++ + /* + ** Timeout is used only if HAVE_SSL is defined. + */ +diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c +--- nnrpd/misc.c 2010-03-24 13:10:36.000000000 -0700 ++++ nnrpd/misc.c 2012-06-15 11:25:36.000000000 -0700 +@@ -518,5 +518,8 @@ CMDstarttls(int ac UNUSED, char *av[] UN + GRPcount = 0; + PERMgroupmadeinvalid = false; + } ++ ++ /* Reset our read buffer so as to prevent plaintext command injection. */ ++ line_reset(&NNTPline); + } + #endif /* HAVE_SSL */ +diff -Nurp inn-2.5.2/nnrpd/nnrpd.h inn-2.5.3/nnrpd/nnrpd.h +--- nnrpd/nnrpd.h 2010-03-24 13:10:36.000000000 -0700 ++++ nnrpd/nnrpd.h 2012-06-15 11:25:36.000000000 -0700 +@@ -292,6 +292,7 @@ void PY_dynamic_init (char* file); + + void line_free(struct line *); + void line_init(struct line *); ++void line_reset(struct line *); + READTYPE line_read(struct line *, int, const char **, size_t *, size_t *); + + #ifdef HAVE_SASL +diff -Nurp inn-2.5.2/nnrpd/sasl.c inn-2.5.3/nnrpd/sasl.c +--- nnrpd/sasl.c 2010-03-24 13:10:36.000000000 -0700 ++++ nnrpd/sasl.c 2012-06-15 11:25:36.000000000 -0700 +@@ -326,6 +326,9 @@ SASLauth(int ac, char *av[]) + GRPcount = 0; + PERMgroupmadeinvalid = false; + } ++ ++ /* Reset our read buffer so as to prevent plaintext command injection. */ ++ line_reset(&NNTPline); + } + } else { + /* Failure. */ Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sun Aug 26 17:09:37 2012 (r303193) +++ head/security/vuxml/vuln.xml Sun Aug 26 17:33:12 2012 (r303194) @@ -163,7 +163,7 @@ Note: Please add new entries to the beg <affects> <package> <name>inn</name> - <range><lt>2.5.3</lt></range> + <range><lt>2.5.2_2</lt></range> </package> </affects> <description> _______________________________________________ svn-ports-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-ports-all To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
State Changed From-To: open->closed Fixed after private approval from Dima Panov, maintainer.