From 35e0b0bc9ea3b20faa7bc9dd7a995124dccf1c34 Mon Sep 17 00:00:00 2001
From: Matthias Saou
Date: Feb 06 2007 11:02:09 +0000
Subject: Patch to fix local user buffer overflow in controls request handling (#219938).
---
diff --git a/proftpd-1.3.0a-ctrls-bug2867.patch b/proftpd-1.3.0a-ctrls-bug2867.patch
new file mode 100644
index 0000000..9ee5923
--- /dev/null
+++ b/proftpd-1.3.0a-ctrls-bug2867.patch
@@ -0,0 +1,44 @@
+--- src/ctrls.c 2006/10/24 16:13:31 1.14
++++ src/ctrls.c 2006/12/12 16:34:43 1.15
+@@ -534,11 +534,20 @@
+ return -1;
+ }
+
++ if (reqarglen >= sizeof(reqaction)) {
++ pr_signals_unblock();
++ errno = ENOMEM;
++ return -1;
++ }
++
++ memset(reqaction, '\0', sizeof(reqaction));
++
+ if (read(cl->cl_fd, reqaction, reqarglen) < 0) {
+ pr_signals_unblock();
+ return -1;
+ }
+
++ reqaction[sizeof(reqaction)-1] = '\0';
+ nreqargs--;
+
+ /* Find a matching action object, and use it to populate a ctrl object,
+@@ -657,17 +666,16 @@
+ return -1;
+ }
+
+- memset(response, '\0', sizeof(response));
+-
+ /* Make sure resparglen is not too big */
+- if (resparglen > sizeof(response)) {
++ if (resparglen >= sizeof(response)) {
+ pr_signals_unblock();
+ errno = ENOMEM;
+ return -1;
+ }
+
+- bread = read(ctrls_sockfd, response, resparglen);
++ memset(response, '\0', sizeof(response));
+
++ bread = read(ctrls_sockfd, response, resparglen);
+ while (bread != resparglen) {
+ if (bread < 0) {
+ pr_signals_unblock();
diff --git a/proftpd.spec b/proftpd.spec
index c7cdccc..603158d 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -1,7 +1,7 @@
 Summary: Flexible, stable and highly-configurable FTP server
 Name: proftpd
 Version: 1.3.0a
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: GPL
 Group: System Environment/Daemons
 URL: http://www.proftpd.org/
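Review bot: In the added proftpd-1.3.0a-ctrls-bug2867.patch, the src/ctrls.c hunk at line 534 bounds `reqarglen` but still accepts any non-negative return from `read(cl->cl_fd, reqaction, reqarglen)`, so a short read is treated as a complete action name. The response path in the hunk at line 657 keeps reading while `bread != resparglen`; the request path should be as strict, for example `if (read(cl->cl_fd, reqaction, reqarglen) != (ssize_t) reqarglen) { pr_signals_unblock(); return -1; }`. The declaration of `reqarglen` is not visible here; if it is a signed type, the `>= sizeof(reqaction)` test rejects negative lengths only through the implicit conversion to `size_t`, which is worth stating in a comment above the check, e.g. `/* reqarglen is client-supplied; it must leave room for the trailing NUL */`. Both enclosing functions begin and end outside the hunks, so whether later argument reads in the same request are bounded the same way cannot be confirmed from this patch.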
@@ -16,6 +16,7 @@ Patch0: proftpd-1.3.0-rpath.patch
 Patch1: proftpd-1.3.0-ctrls-restart.patch
 Patch2: proftpd-1.3.0-cmdbufsize.patch
 Patch3: proftpd-1.3.0-mod_tls.patch
+Patch4: proftpd-1.3.0a-ctrls-bug2867.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 Requires: pam >= 0.59
 Requires(post): /sbin/chkconfig
@@ -70,6 +71,7 @@ Module to add PostgreSQL support to the ProFTPD FTP server.
 %patch1 -p0 -b .ctrls-restart
 %patch2 -p1 -b .cmdbufsize
 %patch3 -p0 -b .mod_tls
+%patch4 -p0 -b .ctrls-bug2867
 %build
@@ -190,6 +192,13 @@ fi
 %changelog
+* Tue Feb 6 2007 Matthias Saou 1.3.0a-3
+- Patch to fix local user buffer overflow in controls request handling, rhbz
+ bug #219938, proftpd bug #2867.
+
+* Mon Dec 11 2006 Matthias Saou 1.3.0a-2
+- Rebuild against new PostgreSQL.
+
 * Mon Nov 27 2006 Matthias Saou 1.3.0a-1
 - Update to 1.3.0a, which actually fixes CVE-2006-5815... yes, #214820!).