- Fix insecure temporary file usage and arbitrary command execution

PR: 129981 (based on) Submitted by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Approved by: maintainer
svn path=/head/; revision=225762
2009-01-11 19:42:13 +00:00 · 2009-01-11 19:42:13 +00:00 · 02870e7f94 · 2021-03-31 03:12:20 +00:00
commit 02870e7f94
parent 633df53255
2 changed files with 84 additions and 3 deletions
--- a/net-p2p/verlihub/Makefile
+++ b/net-p2p/verlihub/Makefile
@ -7,11 +7,10 @@

 PORTNAME=	verlihub
 DISTVERSION=	0.9.8d-RC2
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	net-p2p
-MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
-MASTER_SITE_SUBDIR=	${PORTNAME}
+MASTER_SITES=	SF

 MAINTAINER=	skylord@vt.net.ru
 COMMENT=	A Direct Connect protocol server (Hub)
--- a/net-p2p/verlihub/files/patch-CVE-2008-5706
+++ b/net-p2p/verlihub/files/patch-CVE-2008-5706
@ -0,0 +1,82 @@
+--- src/ctrigger.cpp.orig	2005-04-11 19:18:38.000000000 +0400
+++ src/ctrigger.cpp	2008-12-27 23:28:14.000000000 +0300
+@@ -7,6 +7,9 @@
+  *   the Free Software Foundation; either version 2 of the License, or     *
+  *   (at your option) any later version.                                   *
+  ***************************************************************************/
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+ #include "cserverdc.h"
+ #include "ctrigger.h"
+ #include "cconndc.h"
+@@ -44,16 +47,33 @@
+ {
+ 	string buf, filename, sender;
+ 	string par1, end1, parall;
+	string cmdl;
+
+ 	if (conn && conn->mpUser)
+ 	{
+		cmd_line >> cmdl;
+		/* Sanitise user input if we're going to exec anything */
+		if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
+			string cleaned = string();
+			const string toclean = string(";\"'\\`:!${}[]&><|~/");
+
+			for (string::iterator i = cmdl.begin();
+			    i < cmdl.end();
+			    i++) {
+				if (toclean.find(*i) == string::npos)
+					cleaned.append(1, *i);
+			}
+			cmdl = cleaned;
+		}
+
+ 		int uclass = conn->mpUser->mClass;
+ 		if ((uclass >= this->mMinClass) &&(uclass <= this->mMaxClass)) {
+ 
+-			if(cmd_line.str().size() > mCommand.size()) {
+-				parall.assign(cmd_line.str(),mCommand.size()+1,string::npos);
+			if(cmdl.size() > mCommand.size()) {
+				parall.assign(cmdl,mCommand.size()+1,string::npos);
+ 			}
+-			cmd_line >> par1;
+-			end1 = cmd_line.str();
+			par1 = cmdl;
+			end1 = cmdl;
+ 
+ 			sender = server.mC.hub_security;
+ 			if (mSendAs.size()) sender = mSendAs;
+@@ -104,14 +124,25 @@
+ 
+ 			if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
+ 				string command(buf);
+-				filename = server.mConfigBaseDir;
+-				filename.append("/tmp/trigger.tmp");
+-				command.append(" > ");
+-				command.append(filename);
+				char buffer[1024];
+				FILE *stream;
+
+ 				cout << command << endl;
+-				system(command.c_str());
+ 				buf = "";
+-				if (!LoadFileInString(filename,buf)) return 0;
+				stream = popen(command.c_str(), "r");
+				if (stream == NULL) {
+					cout << strerror(errno) << std::endl;
+					return 0;
+				} else {
+					while (fgets(buffer, sizeof(buffer),
+					  stream) != NULL)
+                				buf.append(buffer);
+					if (pclose(stream) == -1) {
+						cout << strerror(errno) <<
+						  std::endl;
+						return 0;
+					}
+				}
+ 			}
+ 
+ 			// @CHANGED by dReiska +BEGINS+