From 6a2f7e7db26acdcd7b9128d6e1df66569c762370 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Sat, 1 Sep 2012 22:18:18 +0400
Subject: [PATCH] net/gatekeeper: fix CVE-2012-3534

Add configuration knob "MaxStatusClients" to limit the number of status connections to prevent DoS attack on gatekeeper.

Signed-off-by: Eygene Ryabinkin
---
 net/gatekeeper/Makefile | 2 +-
 net/gatekeeper/files/patch-cve-2012-3534 | 92 ++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 net/gatekeeper/files/patch-cve-2012-3534

diff --git a/net/gatekeeper/Makefile b/net/gatekeeper/Makefile
index 966333c..61bdb9d 100644
--- a/net/gatekeeper/Makefile
+++ b/net/gatekeeper/Makefile
@@ -8,7 +8,7 @@
 PORTNAME= gatekeeper
 #PORTVERSION= 2.2.8
 DISTVERSION= 2.2.8
-PORTREVISION= 2
+PORTREVISION= 3
 CATEGORIES= net
 MASTER_SITES= SF/openh323gk/Sources/${PORTVERSION}
 DISTNAME= gnugk-${DISTVERSION}
diff --git a/net/gatekeeper/files/patch-cve-2012-3534 b/net/gatekeeper/files/patch-cve-2012-3534
new file mode 100644
index 0000000..ea933c8
--- /dev/null
+++ b/net/gatekeeper/files/patch-cve-2012-3534
@@ -0,0 +1,92 @@
+Fix DoS for status port connections
+
+Modified for GNU Gatekeeper 2.8.8: this version contains no SSH support,
+so the second patch from 15.08.2012 wasn't used.
+
+Obtained from: http://sourceforge.net/mailarchive/forum.php?thread_name=From_willamowius%40users.sourceforge.net_Wed_Aug_15_07%3A08%3A15_2012&forum_name=openh323gk-cvs
+
+--- GkStatus.h.orig 2008-05-08 12:22:40.000000000 +0400
++++ GkStatus.h 2012-09-01 23:24:30.190588884 +0400
+@@ -77,6 +77,11 @@
+ StatusClient* requestingClient
+ );
+
++
++ /** Notification form the status client that it has been deleted
++ */
++ void StatusClientDeleted() { --m_statusClients; }
++
+ /** Print a list of all connected status interface users
+ to the requesting client.
+ */
+@@ -160,7 +165,7 @@
+ PStringArray& args
+ );
+
+-private:
++protected:
+ // override from class RegularJob
+ virtual void OnStart();
+
+@@ -170,6 +175,9 @@
+
+ /// map for fast (and easy) 'parsing' the commands from the user
+ std::map m_commands;
++
++ unsigned m_statusClients;
++ unsigned m_maxStatusClients;
+ };
+
+ /** Listen for incoming connections to the status interface port
+--- GkStatus.cxx.orig 2012-09-01 23:24:13.597590143 +0400
++++ GkStatus.cxx 2012-09-01 23:25:39.681590989 +0400
+@@ -100,6 +100,8 @@
+ int instanceNo
+ );
+
++ virtual ~StatusClient();
++
+ bool ReadCommand(
+ /// command that has been read (if ReadCommand succeeded)
+ PString& cmd,
+@@ -495,6 +497,8 @@
+ #endif
+
+ SetName("GkStatus");
++ m_statusClients = 0;
++ m_maxStatusClients = GkConfig()->GetInteger("MaxStatusClients", 20);
+ Execute();
+ }
+
+@@ -502,7 +506,7 @@
+ StatusClient* newClient
+ )
+ {
+- if (newClient->Authenticate()) {
++ if ((m_statusClients++ < m_maxStatusClients) && (newClient->Authenticate())) {
+ newClient->SetTraceLevel(GkConfig()->GetInteger("StatusTraceLevel", MAX_STATUS_TRACE_LEVEL));
+ PTRACE(1, "STATUS\tNew client authenticated successfully: " << newClient->WhoAmI()
+ << ", login: " << newClient->GetUser()
+@@ -512,9 +516,7 @@
+ newClient->Flush();
+ AddSocket(newClient);
+ } else {
+- PTRACE(3, "STATUS\tNew client rejected: " << newClient->WhoAmI()
+- << ", login: " << newClient->GetUser()
+- );
++ PTRACE(3, "STATUS\tNew client rejected: " << newClient->WhoAmI() << ", login: " << newClient->GetUser());
+ newClient->WriteString("\r\nAccess forbidden!\r\n");
+ newClient->Flush();
+ delete newClient;
+@@ -803,6 +805,11 @@
+ }
+ }
+
++StatusClient::~StatusClient()
++{
++ GkStatus::Instance()->StatusClientDeleted();
++}
++
+ bool StatusClient::ReadCommand(
+ /// command that has been read (if ReadCommand succeeded)
+ PString& cmd,
-- 
1.7.11.3
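Review bot: The connection counter added in the embedded GkStatus.cxx hunk at -502,7 is a plain `unsigned`, incremented with `m_statusClients++` in the admission check (the enclosing function's signature starts outside the hunk) and decremented from `~StatusClient()` through `StatusClientDeleted()`, with no lock or atomic visible anywhere in the patch; if those two paths run on different threads, which is not shown here, updates can be lost and the limit drifts. Because the counter is unsigned, any StatusClient destroyed without having passed through that increment wraps it to a huge value and every later status connection is refused, so the decrement is safer guarded, e.g. `void StatusClientDeleted() { if (m_statusClients > 0) --m_statusClients; }`, taken under the same mutex as the increment. `GetInteger("MaxStatusClients", 20)` is stored into `unsigned m_maxStatusClients` without a range check, so a negative setting would, assuming GetInteger returns a signed int, silently turn the limit off; clamp it or fall back to the default. The rejection trace is also identical for "limit reached" and "login failed" and prints `GetUser()` even when `Authenticate()` was short-circuited, which makes a connection flood hard to tell apart from failed logins in the logs; a separate `PTRACE` naming the limit would fix that.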