From owner-svn-ports-head@FreeBSD.ORG  Sun Aug 26 17:33:13 2012
Return-Path: <owner-svn-ports-head@FreeBSD.ORG>
Delivered-To: svn-ports-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 0A881106564A;
	Sun, 26 Aug 2012 17:33:13 +0000 (UTC) (envelope-from rea@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id E939F8FC08;
	Sun, 26 Aug 2012 17:33:12 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q7QHXCq6057872;
	Sun, 26 Aug 2012 17:33:12 GMT (envelope-from rea@svn.freebsd.org)
Received: (from rea@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id q7QHXCRq057868;
	Sun, 26 Aug 2012 17:33:12 GMT (envelope-from rea@svn.freebsd.org)
Message-Id: <201208261733.q7QHXCRq057868@svn.freebsd.org>
From: Eygene Ryabinkin <rea@FreeBSD.org>
Date: Sun, 26 Aug 2012 17:33:12 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
	svn-ports-head@freebsd.org
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r303194 - in head: news/inn news/inn/files
	security/vuxml
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the ports tree for head
	<svn-ports-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-ports-head>, 
	<mailto:svn-ports-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-head>
List-Post: <mailto:svn-ports-head@freebsd.org>
List-Help: <mailto:svn-ports-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-ports-head>,
	<mailto:svn-ports-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Aug 2012 17:33:13 -0000

Author: rea
Date: Sun Aug 26 17:33:12 2012
New Revision: 303194
URL: http://svn.freebsd.org/changeset/ports/303194

Log:
  news/inn: fix plaintext command injection, CVE-2012-3523
  
  Relevant only for INN installations that are using encryption.
  
  PR:		171013
  Approved by:	fluffy@FreeBSD.org (maintainer)
  Security:	http://www.vuxml.org/freebsd/a7975581-ee26-11e1-8bd8-0022156e8794.html

Added:
  head/news/inn/files/patch-cve-2012-3523-minimal   (contents, props changed)
Modified:
  head/news/inn/Makefile
  head/security/vuxml/vuln.xml

Modified: head/news/inn/Makefile
==============================================================================
--- head/news/inn/Makefile	Sun Aug 26 17:09:37 2012	(r303193)
+++ head/news/inn/Makefile	Sun Aug 26 17:33:12 2012	(r303194)
@@ -7,7 +7,7 @@
 
 PORTNAME?=	inn
 PORTVERSION?=	2.5.2
-PORTREVISION?=	1
+PORTREVISION?=	2
 CATEGORIES=	news ipv6
 # Master distribution broken
 #MASTER_SITES?=	${MASTER_SITE_ISC}

Added: head/news/inn/files/patch-cve-2012-3523-minimal
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/news/inn/files/patch-cve-2012-3523-minimal	Sun Aug 26 17:33:12 2012	(r303194)
@@ -0,0 +1,61 @@
+Fixes CVE-2012-3523.  This is a stripped down version of 2.5.2 -> 2.5.3
+patch that adds line_reset() to the relevant places.
+
+Obtained-from: ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz
+diff -Nurp inn-2.5.2/nnrpd/line.c inn-2.5.3/nnrpd/line.c
+--- nnrpd/line.c	2010-03-24 13:10:36.000000000 -0700
++++ nnrpd/line.c	2012-06-15 11:25:36.000000000 -0700
+@@ -66,6 +66,17 @@ line_init(struct line *line)
+     line->remaining = 0;
+ }
+ 
++/*
++**  Reset a line structure.
++*/
++void
++line_reset(struct line *line)
++{
++    assert(line);
++    line->where = line->start;
++    line->remaining = 0;
++}
++
+ /*
+ **  Timeout is used only if HAVE_SSL is defined.
+ */
+diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c
+--- nnrpd/misc.c	2010-03-24 13:10:36.000000000 -0700
++++ nnrpd/misc.c	2012-06-15 11:25:36.000000000 -0700
+@@ -518,5 +518,8 @@ CMDstarttls(int ac UNUSED, char *av[] UN
+         GRPcount = 0;
+         PERMgroupmadeinvalid = false;
+     }
++
++    /* Reset our read buffer so as to prevent plaintext command injection. */
++    line_reset(&NNTPline);
+ }
+ #endif /* HAVE_SSL */
+diff -Nurp inn-2.5.2/nnrpd/nnrpd.h inn-2.5.3/nnrpd/nnrpd.h
+--- nnrpd/nnrpd.h	2010-03-24 13:10:36.000000000 -0700
++++ nnrpd/nnrpd.h	2012-06-15 11:25:36.000000000 -0700
+@@ -292,6 +292,7 @@ void PY_dynamic_init (char* file);
+ 
+ void line_free(struct line *);
+ void line_init(struct line *);
++void line_reset(struct line *);
+ READTYPE line_read(struct line *, int, const char **, size_t *, size_t *);
+ 
+ #ifdef HAVE_SASL
+diff -Nurp inn-2.5.2/nnrpd/sasl.c inn-2.5.3/nnrpd/sasl.c
+--- nnrpd/sasl.c	2010-03-24 13:10:36.000000000 -0700
++++ nnrpd/sasl.c	2012-06-15 11:25:36.000000000 -0700
+@@ -326,6 +326,9 @@ SASLauth(int ac, char *av[])
+                 GRPcount = 0;
+                 PERMgroupmadeinvalid = false;
+             }
++
++            /* Reset our read buffer so as to prevent plaintext command injection. */
++            line_reset(&NNTPline);
+         }
+     } else {
+ 	/* Failure. */

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Aug 26 17:09:37 2012	(r303193)
+++ head/security/vuxml/vuln.xml	Sun Aug 26 17:33:12 2012	(r303194)
@@ -163,7 +163,7 @@ Note:  Please add new entries to the beg
     <affects>
       <package>
         <name>inn</name>
-        <range><lt>2.5.3</lt></range>
+        <range><lt>2.5.2_2</lt></range>
       </package>
     </affects>
     <description>