authorBeech Rintoul <beech@FreeBSD.org>2008-01-17 03:53:19 +0000
committerBeech Rintoul <beech@FreeBSD.org>2008-01-17 03:53:19 +0000
commite137e57269a1e181c14a220b2e54be529d219800 (patch)
treef05bec4deeb9145b71dff6e43a177d3b63fcfb20 /ftp
parentUpdate to 2.4.2. This fixes a security issue where checksumming of the gpg (diff)
- Fix IPv4-mapped IPv6 connections not matched properly against IP
glob ACLs. - Bump portrevision. Submitted by: TJ Saunders <tj@castaglia.org> (vendor) Approved by: linimon (mentor)
Notes
Notes: svn path=/head/; revision=205736
Diffstat (limited to 'ftp')
-rw-r--r--ftp/proftpd-devel/Makefile2
-rw-r--r--ftp/proftpd-devel/files/patch-src_netaddr.c88
-rw-r--r--ftp/proftpd/Makefile2
-rw-r--r--ftp/proftpd/files/patch-src_netaddr.c88
4 files changed, 178 insertions, 2 deletions
diff --git a/ftp/proftpd-devel/Makefile b/ftp/proftpd-devel/Makefile
index 819a5754ab62..36beb6eff415 100644
--- a/ftp/proftpd-devel/Makefile
+++ b/ftp/proftpd-devel/Makefile
@@ -7,7 +7,7 @@
PORTNAME= proftpd
DISTVERSION= 1.3.1
-PORTREVISION= 5
+PORTREVISION= 6
CATEGORIES= ftp
MASTER_SITES= ftp://ftp.proftpd.org/distrib/source/ \
ftp://ftp.fastorama.com/mirrors/ftp.proftpd.org/distrib/source/ \
diff --git a/ftp/proftpd-devel/files/patch-src_netaddr.c b/ftp/proftpd-devel/files/patch-src_netaddr.c
new file mode 100644
index 000000000000..00ff140df8f9
--- /dev/null
+++ b/ftp/proftpd-devel/files/patch-src_netaddr.c
@@ -0,0 +1,88 @@
+Index: src/netaddr.c
+===================================================================
+RCS file: /cvsroot/proftp/proftpd/src/netaddr.c,v
+retrieving revision 1.61
+diff -u -r1.61 netaddr.c
+--- src/netaddr.c 9 Oct 2007 21:56:23 -0000 1.61
++++ src/netaddr.c 17 Jan 2008 01:34:45 -0000
+@@ -816,6 +816,9 @@
+ if (pr_netaddr_is_v4mappedv6(na1) == TRUE) {
+ tmp_pool = make_sub_pool(permanent_pool);
+
++ pr_trace_msg(trace_channel, 5, "addr '%s' is an IPv4-mapped IPv6 address",
++ pr_netaddr_get_ipstr((pr_netaddr_t *) na1));
++
+ /* This case means that na1 is an IPv4-mapped IPv6 address, and
+ * na2 is an IPv4 address.
+ */
+@@ -834,6 +837,9 @@
+ } else if (pr_netaddr_is_v4mappedv6(na2) == TRUE) {
+ tmp_pool = make_sub_pool(permanent_pool);
+
++ pr_trace_msg(trace_channel, 5, "addr '%s' is an IPv4-mapped IPv6 address",
++ pr_netaddr_get_ipstr((pr_netaddr_t *) na2));
++
+ /* This case means that na is an IPv4 address, and na2 is an
+ * IPv4-mapped IPv6 address.
+ */
+@@ -1105,6 +1111,36 @@
+ ipstr, pattern);
+ return TRUE;
+ }
++
++ /* If the address is an IPv4-mapped IPv6 address, get the IPv4 address
++ * and try to match that against the configured glob pattern.
++ */
++ if (pr_netaddr_is_v4mappedv6(na) == TRUE) {
++ pool *tmp_pool;
++ pr_netaddr_t *a;
++
++ pr_trace_msg(trace_channel, 5, "addr '%s' is an IPv4-mapped IPv6 address",
++ ipstr);
++
++ tmp_pool = make_sub_pool(permanent_pool);
++ a = pr_netaddr_alloc(tmp_pool);
++ pr_netaddr_set_family(a, AF_INET);
++ pr_netaddr_set_port(a, pr_netaddr_get_port(na));
++ memcpy(&a->na_addr.v4.sin_addr, get_v4inaddr(na),
++ sizeof(struct in_addr));
++
++ ipstr = pr_netaddr_get_ipstr(a);
++
++ if (pr_fnmatch(pattern, ipstr, match_flags) == 0) {
++ pr_trace_msg(trace_channel, 6, "DNS name '%s' matches pattern '%s'",
++ ipstr, pattern);
++
++ destroy_pool(tmp_pool);
++ return TRUE;
++ }
++
++ destroy_pool(tmp_pool);
++ }
+ }
+
+ pr_trace_msg(trace_channel, 4, "addr %s does not match pattern '%s'",
+@@ -1424,18 +1460,21 @@
+
+ #ifdef PR_USE_IPV6
+ case AF_INET6: {
++ int res;
++
+ if (!use_ipv6) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ # ifndef LINUX
+- return IN6_IS_ADDR_V4MAPPED(
++ res = IN6_IS_ADDR_V4MAPPED(
+ (struct in6_addr *) pr_netaddr_get_inaddr(na));
+ # else
+- return IN6_IS_ADDR_V4MAPPED(
++ res = IN6_IS_ADDR_V4MAPPED(
+ ((struct in6_addr *) pr_netaddr_get_inaddr(na))->s6_addr32);
+ # endif
++ return res;
+ }
+ #endif /* PR_USE_IPV6 */
+ }
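Review bot: In the embedded `@@ -1105,6 +1111,36 @@` hunk, the level-6 trace for a successful match on the extracted IPv4 address says `"DNS name '%s' matches pattern '%s'"`, although `ipstr` holds an address string at that point. Anyone tracing why a glob ACL admitted a client would be misled, so the message should name what matched, for example `"IPv4-mapped addr '%s' matches pattern '%s'"`. The same block reassigns `ipstr` to the result of `pr_netaddr_get_ipstr(a)`, where `a` is allocated from `tmp_pool`, and then calls `destroy_pool(tmp_pool)`. Nothing visible reads `ipstr` afterwards, but if the returned string lives in that pool, a separate local for the IPv4 string would keep a later edit from using a dangling pointer. The enclosing function starts and ends outside the hunk, and the identical patch file under `ftp/proftpd/files/` carries the same two points.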
diff --git a/ftp/proftpd/Makefile b/ftp/proftpd/Makefile
index 819a5754ab62..36beb6eff415 100644
--- a/ftp/proftpd/Makefile
+++ b/ftp/proftpd/Makefile
@@ -7,7 +7,7 @@
PORTNAME= proftpd
DISTVERSION= 1.3.1
-PORTREVISION= 5
+PORTREVISION= 6
CATEGORIES= ftp
MASTER_SITES= ftp://ftp.proftpd.org/distrib/source/ \
ftp://ftp.fastorama.com/mirrors/ftp.proftpd.org/distrib/source/ \
diff --git a/ftp/proftpd/files/patch-src_netaddr.c b/ftp/proftpd/files/patch-src_netaddr.c
new file mode 100644
index 000000000000..00ff140df8f9
--- /dev/null
+++ b/ftp/proftpd/files/patch-src_netaddr.c
@@ -0,0 +1,88 @@
+Index: src/netaddr.c
+===================================================================
+RCS file: /cvsroot/proftp/proftpd/src/netaddr.c,v
+retrieving revision 1.61
+diff -u -r1.61 netaddr.c
+--- src/netaddr.c 9 Oct 2007 21:56:23 -0000 1.61
++++ src/netaddr.c 17 Jan 2008 01:34:45 -0000
+@@ -816,6 +816,9 @@
+ if (pr_netaddr_is_v4mappedv6(na1) == TRUE) {
+ tmp_pool = make_sub_pool(permanent_pool);
+
++ pr_trace_msg(trace_channel, 5, "addr '%s' is an IPv4-mapped IPv6 address",
++ pr_netaddr_get_ipstr((pr_netaddr_t *) na1));
++
+ /* This case means that na1 is an IPv4-mapped IPv6 address, and
+ * na2 is an IPv4 address.
+ */
+@@ -834,6 +837,9 @@
+ } else if (pr_netaddr_is_v4mappedv6(na2) == TRUE) {
+ tmp_pool = make_sub_pool(permanent_pool);
+
++ pr_trace_msg(trace_channel, 5, "addr '%s' is an IPv4-mapped IPv6 address",
++ pr_netaddr_get_ipstr((pr_netaddr_t *) na2));
++
+ /* This case means that na is an IPv4 address, and na2 is an
+ * IPv4-mapped IPv6 address.
+ */
+@@ -1105,6 +1111,36 @@
+ ipstr, pattern);
+ return TRUE;
+ }
++
++ /* If the address is an IPv4-mapped IPv6 address, get the IPv4 address
++ * and try to match that against the configured glob pattern.
++ */
++ if (pr_netaddr_is_v4mappedv6(na) == TRUE) {
++ pool *tmp_pool;
++ pr_netaddr_t *a;
++
++ pr_trace_msg(trace_channel, 5, "addr '%s' is an IPv4-mapped IPv6 address",
++ ipstr);
++
++ tmp_pool = make_sub_pool(permanent_pool);
++ a = pr_netaddr_alloc(tmp_pool);
++ pr_netaddr_set_family(a, AF_INET);
++ pr_netaddr_set_port(a, pr_netaddr_get_port(na));
++ memcpy(&a->na_addr.v4.sin_addr, get_v4inaddr(na),
++ sizeof(struct in_addr));
++
++ ipstr = pr_netaddr_get_ipstr(a);
++
++ if (pr_fnmatch(pattern, ipstr, match_flags) == 0) {
++ pr_trace_msg(trace_channel, 6, "DNS name '%s' matches pattern '%s'",
++ ipstr, pattern);
++
++ destroy_pool(tmp_pool);
++ return TRUE;
++ }
++
++ destroy_pool(tmp_pool);
++ }
+ }
+
+ pr_trace_msg(trace_channel, 4, "addr %s does not match pattern '%s'",
+@@ -1424,18 +1460,21 @@
+
+ #ifdef PR_USE_IPV6
+ case AF_INET6: {
++ int res;
++
+ if (!use_ipv6) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ # ifndef LINUX
+- return IN6_IS_ADDR_V4MAPPED(
++ res = IN6_IS_ADDR_V4MAPPED(
+ (struct in6_addr *) pr_netaddr_get_inaddr(na));
+ # else
+- return IN6_IS_ADDR_V4MAPPED(
++ res = IN6_IS_ADDR_V4MAPPED(
+ ((struct in6_addr *) pr_netaddr_get_inaddr(na))->s6_addr32);
+ # endif
++ return res;
+ }
+ #endif /* PR_USE_IPV6 */
+ }