head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.4
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.2
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2012Q2:1.1.0.72
	pkgsrc-2012Q2-base:1.1
	pkgsrc-2012Q1:1.1.0.70
	pkgsrc-2012Q1-base:1.1
	pkgsrc-2011Q4:1.1.0.68
	pkgsrc-2011Q4-base:1.1
	pkgsrc-2011Q3:1.1.0.66
	pkgsrc-2011Q3-base:1.1
	pkgsrc-2011Q2:1.1.0.64
	pkgsrc-2011Q2-base:1.1
	pkgsrc-2011Q1:1.1.0.62
	pkgsrc-2011Q1-base:1.1
	pkgsrc-2010Q4:1.1.0.60
	pkgsrc-2010Q4-base:1.1
	pkgsrc-2010Q3:1.1.0.58
	pkgsrc-2010Q3-base:1.1
	pkgsrc-2010Q2:1.1.0.56
	pkgsrc-2010Q2-base:1.1
	pkgsrc-2010Q1:1.1.0.54
	pkgsrc-2010Q1-base:1.1
	pkgsrc-2009Q4:1.1.0.52
	pkgsrc-2009Q4-base:1.1
	pkgsrc-2009Q3:1.1.0.50
	pkgsrc-2009Q3-base:1.1
	pkgsrc-2009Q2:1.1.0.48
	pkgsrc-2009Q2-base:1.1
	pkgsrc-2009Q1:1.1.0.46
	pkgsrc-2009Q1-base:1.1
	pkgsrc-2008Q4:1.1.0.44
	pkgsrc-2008Q4-base:1.1
	pkgsrc-2008Q3:1.1.0.42
	pkgsrc-2008Q3-base:1.1
	cube-native-xorg:1.1.0.40
	cube-native-xorg-base:1.1
	pkgsrc-2008Q2:1.1.0.38
	pkgsrc-2008Q2-base:1.1
	cwrapper:1.1.0.36
	pkgsrc-2008Q1:1.1.0.34
	pkgsrc-2008Q1-base:1.1
	pkgsrc-2007Q4:1.1.0.32
	pkgsrc-2007Q4-base:1.1
	pkgsrc-2007Q3:1.1.0.30
	pkgsrc-2007Q3-base:1.1
	pkgsrc-2007Q2:1.1.0.28
	pkgsrc-2007Q2-base:1.1
	pkgsrc-2007Q1:1.1.0.26
	pkgsrc-2007Q1-base:1.1
	pkgsrc-2006Q4:1.1.0.24
	pkgsrc-2006Q4-base:1.1
	pkgsrc-2006Q3:1.1.0.22
	pkgsrc-2006Q3-base:1.1
	pkgsrc-2006Q2:1.1.0.20
	pkgsrc-2006Q2-base:1.1
	pkgsrc-2006Q1:1.1.0.18
	pkgsrc-2006Q1-base:1.1
	pkgsrc-2005Q4:1.1.0.16
	pkgsrc-2005Q4-base:1.1
	pkgsrc-2005Q3:1.1.0.14
	pkgsrc-2005Q3-base:1.1
	pkgsrc-2005Q2:1.1.0.12
	pkgsrc-2005Q2-base:1.1
	pkgsrc-2005Q1:1.1.0.10
	pkgsrc-2005Q1-base:1.1
	pkgsrc-2004Q4:1.1.0.8
	pkgsrc-2004Q4-base:1.1
	pkgsrc-2004Q3:1.1.0.6
	pkgsrc-2004Q3-base:1.1
	pkgsrc-2004Q2:1.1.0.4
	pkgsrc-2004Q2-base:1.1
	pkgsrc-2004Q1:1.1.0.2
	pkgsrc-2004Q1-base:1.1;
locks; strict;
comment	@# @;


1.2
date	2012.07.14.22.21.32;	author dholland;	state dead;
branches;
next	1.1;

1.1
date	2004.02.09.09.17.50;	author wennmach;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Remove misc/jitterbug as promised. Has been unbuildable for a long time,
and is dead upstream.
@
text
@$NetBSD: patch-ab,v 1.1 2004/02/09 09:17:50 wennmach Exp $

Security patches for jitterbug (taken from Debian GNU/Linux).
See http://www.debian.org/security/2004/dsa-420

--- jitterbug.c.orig	Wed Nov 11 13:30:17 1998
+++ jitterbug.c	Wed Jan 14 17:34:04 2004
@@@@ -57,7 +57,7 @@@@
 static int case_sensitive;
 static int messagetype = MTYPE_ALL;
 static int numquotelines;
-static int addsignature;
+static int addsignature = 1;
 static int fullheaders;
 
 /* these are the user preferences -- reflect changes in dump_globals() */
@@@@ -118,7 +118,7 @@@@
 	}
 	
 
-	if (getuid() == 0) return 0;
+	if (strchr(fname, '/') && geteuid() == 0) return 0;
 
 	data = load_file(fname, NULL, 0);
 	if (!data) {
@@@@ -727,6 +727,11 @@@@
 	}
 }
 
+/* return true when the text doesn't have a trailing newline */
+static unsigned nolastnl(char *txt)
+{	return *txt && '\n'!=strchr(txt,'\0')[-1];
+}
+
 
 /* free up an info structure loaded by get_info */
 static void free_info(struct message_info *info)
@@@@ -971,6 +976,7 @@@@
 	FILE *f;
 	char *name = cgi_variable("auditid");
 	char *source = cgi_variable("sources");
+	char *p;
 	char buf[1000];
 	int len;
 	struct message_info info = zero_info;
@@@@ -989,6 +995,14 @@@@
 
 	sprintf(buf,"%s %s %s", lp_autopatch(), source, name);
 
+	p = buf;
+
+	while (*p) {
+		if (!isalnum(*p) && !strchr(";_|=+ &^#@@!(){}[].",*p))
+			fatal("invalid character in expression");
+		p++;
+	}
+
 	printf("<hr>\n");
 
 	f = popen(buf,"r");
@@@@ -1012,6 +1026,7 @@@@
 {
 	FILE *f;
 	char *name = cgi_variable("decodeview");
+	char *p;
 	char buf[1000];
 	int len;
 	struct message_info info = zero_info;
@@@@ -1028,6 +1043,13 @@@@
 
 	sprintf(buf,"%s %s", lp_decoder(), name);
 
+	p = buf;
+	while (*p) {
+		if (!isalnum(*p) && !strchr(";_|=+ &^#@@!(){}[].",*p))
+			fatal("invalid character in expression");
+		p++;
+	}
+
 	printf("<hr>\n");
 
 	f = popen(buf,"r");
@@@@ -1271,8 +1293,13 @@@@
 	}
 	
 	smtp_write_data(fd, body);
-	if (sig)
+	if(nolastnl(body))
+		smtp_write(fd, "\n");
+	if (sig) {
 		smtp_write_data(fd, sig);
+		if(nolastnl(sig))
+			smtp_write(fd, "\n");
+	}
 	if (smtp_end_mail(fd) == -1)
 		fatal(smtp_error());
 }
@@@@ -1392,8 +1419,13 @@@@
 		if (cc && *cc)
 			fprintf(f,"CC: %s\n", cc);
 		fprintf(f,"\n%s", body);
-		if (addsignature && signature)
+ 		if(nolastnl(body))
+ 			fprintf(f, "\n");
+		if (addsignature && signature) {
 			fprintf(f,"%s", signature);
+			if(nolastnl(signature))
+				fprintf(f, "\n");
+		}
 		fclose(f);
 		close(fd);
 
@@@@ -2179,6 +2211,7 @@@@
 	int len;
 	char buf[1000];
 	char *decode = cgi_variable("decode");
+	char *p;
 
 	if (guest && !lp_guest_download()) {
 		fatal("guest download has been disabled\n");
@@@@ -2199,6 +2232,13 @@@@
 	if (decode) {
 		sprintf(buf,"%s %s", lp_decoder(), fname);
 		
+		p = buf;
+		while (*p) {
+		  if (!isalnum(*p) && !strchr(";_|=+ &^#@@!(){}[].",*p))
+		    fatal("invalid character in expression");
+		  p++;
+		}
+
 		f = popen(buf,"r");
 	} else {
 		f = fopen(fname,"r");
@@@@ -2208,7 +2248,7 @@@@
 		fatal("unable to open file");
 	}
 
-	printf("Content-Type: application/octet-stream\n");
+	printf("Content-Type: message/rfc822\n");
 	if (gzip_encoding || lp_gzip_download()) {
 		printf("\n");
 		cgi_start_gzip();
@


1.1
log
@Add security fix for CAN-2004-0028 based on the patches provided
by the Debian project.
@
text
@d1 1
a1 1
$NetBSD$
@