[Git][debian-proftpd-team/proftpd][master] Patch for Bug#952557
Hilmar Preuße
gitlab at salsa.debian.org
Thu Feb 27 19:17:55 GMT 2020
Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd
Commits:
7987e2c6 by Hilmar Preusse at 2020-02-27T20:17:36+01:00
Patch for Bug#952557
- - - - -
28 changed files:
- Make.rules.in
- Makefile.in
- contrib/ftpasswd
- contrib/ftpmail
- contrib/ftpquota
- contrib/mod_dnsbl/Makefile.in
- contrib/mod_ldap.c
- contrib/mod_load/Makefile.in
- contrib/mod_sftp/Makefile.in
- contrib/mod_sftp/date.c
- contrib/mod_sftp/keys.c
- contrib/mod_snmp/Makefile.in
- contrib/mod_sql_mysql.c
- contrib/mod_sql_odbc.c
- contrib/mod_tls.c
- contrib/mod_wrap.c
- contrib/mod_wrap2/Makefile.in
- contrib/xferstats.holger-preiss
- debian/changelog
- + debian/patches/cd9036f4ef7a05c107f0ffcb19a018b20267c531.patch
- debian/patches/series
- doc/utils/ftpwho.html
- lib/libcap/Makefile
- modules/mod_auth_pam.c
- modules/mod_cap.c
- src/data.c
- src/prxs.in
- utils/ftpwho.1.in
Changes:
=====================================
Make.rules.in
=====================================
@@ -16,7 +16,7 @@ mandir=@mandir@
AR=@AR@
CC=@CC@
PLATFORM=@OSREL@ @OSTYPE@
-LDFLAGS=@LDFLAGS@ @LIBDIRS@
+LDFLAGS=@LDFLAGS@ @LIBDIRS@ $(shell dpkg-buildflags --get LDFLAGS)
LIBEXECDIR=@LIBEXECDIR@
LIBS=@LIBS@ @LIBRARIES@ @LIBADD_DL@
LIBTOOL=@LIBTOOL@
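Review bot: The hardening flags are fetched with `$(shell dpkg-buildflags --get LDFLAGS)` inside a recursively expanded variable, so a missing or failing dpkg-buildflags produces an empty string and the build carries on without those flags and without an error. The same pattern is used for CPPFLAGS and CFLAGS in the next hunk and in the contrib/mod_dnsbl, mod_load, mod_sftp, mod_snmp and mod_wrap2 Makefile.in hunks. It would be more robust to have debian/rules export the flags (for example with `DEB_BUILD_MAINT_OPTIONS = hardening=+all`) and pass them to configure, so that `@CFLAGS@` and `@LDFLAGS@` already contain them. Failing that, assign once with `LDFLAGS := ...` so the shell call is not re-run on every expansion. Whether debian/rules already does this is not visible on this page.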
@@ -50,12 +50,12 @@ INCLUDES=-I.. -I$(top_srcdir)/include @INCLUDES@
# Preprocessor compilation flags.
#
-CPPFLAGS=@CPPFLAGS@ -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(INCLUDES)
+CPPFLAGS=@CPPFLAGS@ -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(INCLUDES) $(shell dpkg-buildflags --get CPPFLAGS)
ADDL_CPPFLAGS=@ADDL_CPPFLAGS@
# Our compiler flags.
#
-CFLAGS=@CFLAGS@
+CFLAGS=@CFLAGS@ $(shell dpkg-buildflags --get CFLAGS)
DEFINES=$(PLATFORM)
# Module-specific libraries to link against. These libraries may be
=====================================
Makefile.in
=====================================
@@ -21,11 +21,17 @@ BUILD_PROFTPD_OBJS=$(BUILD_OBJS) $(BUILD_STATIC_MODULE_OBJS)
BUILD_PROFTPD_ARCHIVES=$(BUILD_STATIC_MODULE_ARCHIVES)
BUILD_BIN=proftpd$(EXEEXT) ftpcount$(EXEEXT) ftpdctl$(EXEEXT) ftpscrub$(EXEEXT) ftpshut$(EXEEXT) ftptop$(EXEEXT) ftpwho$(EXEEXT)
+DATE_FMT = %a %b %e %Y %H:%M:%S %Z
+ifdef SOURCE_DATE_EPOCH
+ BUILD_STAMP ?= $(shell LC_ALL=C date --utc --date="@$(SOURCE_DATE_EPOCH)" "+$(DATE_FMT)")
+else
+ BUILD_STAMP ?= $(shell date "+$(DATE_FMT)")
+endif
all: $(BUILD_BIN)
include/buildstamp.h:
- echo \#define BUILD_STAMP \"`date +"%a %b %e %Y %H:%M:%S %Z"`\" > include/buildstamp.h
+ echo \#define BUILD_STAMP \"$(BUILD_STAMP)\" > include/buildstamp.h
dummy:
@@ -235,10 +241,10 @@ dist: depend distclean spec
chmod a+x configure config.sub install-sh modules/glue.sh
# autoheader might not change config.h.in, so touch a stamp file.
-${srcdir}/config.h.in: stamp-h.in
-${srcdir}/stamp-h.in: configure.in acconfig.h
- cd ${srcdir} && autoheader
- echo timestamp > ${srcdir}/stamp-h.in
+#${srcdir}/config.h.in: stamp-h.in
+#${srcdir}/stamp-h.in: configure.in acconfig.h
+# cd ${srcdir} && autoheader
+# echo timestamp > ${srcdir}/stamp-h.in
config.h: stamp-h
stamp-h: config.h.in config.status
=====================================
contrib/ftpasswd
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
# ---------------------------------------------------------------------------
# Copyright (C) 2000-2020 TJ Saunders <tj at castaglia.org>
#
@@ -35,7 +35,8 @@ my $program = basename($0);
my $default_passwd_file = "./ftpd.passwd";
my $default_group_file = "./ftpd.group";
my $shell_file = "/etc/shells";
-my $default_cracklib_dict = "/usr/lib/cracklib_dict";
+#my $default_cracklib_dict = "/usr/lib/cracklib_dict";
+my $default_cracklib_dict = "/var/cache/cracklib";
my $cracklib_dict;
my $output_file;
my $version = "1.3.0";
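Review bot: The new default `"/var/cache/cracklib"` looks like the directory rather than the dictionary path prefix; on Debian the cracklib dictionary is normally addressed as `/var/cache/cracklib/cracklib_dict`, with the library appending the file suffixes. The code that consumes `$default_cracklib_dict` is outside this hunk, but if the value is handed to the cracklib check unchanged, the password-strength check would not find its dictionary. I would use `my $default_cracklib_dict = "/var/cache/cracklib/cracklib_dict";` and drop the commented-out old assignment rather than keep it as dead code.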
=====================================
contrib/ftpmail
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
# ---------------------------------------------------------------------------
# Copyright (C) 2008-2013 TJ Saunders <tj at castaglia.org>
#
=====================================
contrib/ftpquota
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
# -------------------------------------------------------------------------
# Copyright (C) 2000-2017 TJ Saunders <tj at castaglia.org>
#
=====================================
contrib/mod_dnsbl/Makefile.in
=====================================
@@ -18,8 +18,9 @@ MODULE_LIBS=@MODULE_LIBS@
# Necessary redefinitions
INCLUDES=-I. -I../.. -I../../include @INCLUDES@
-CPPFLAGS= $(ADDL_CPPFLAGS) -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(INCLUDES)
-LDFLAGS=-L../../lib @LDFLAGS@
+CPPFLAGS= $(ADDL_CPPFLAGS) -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(INCLUDES) $(shell dpkg-buildflags --get CPPFLAGS)
+
+LDFLAGS=-L../../lib @LDFLAGS@ $(shell dpkg-buildflags --get LDFLAGS)
.c.o:
$(CC) $(CPPFLAGS) $(CFLAGS) -c $<
=====================================
contrib/mod_ldap.c
=====================================
@@ -930,7 +930,7 @@ static void parse_quota(pool *p, const char *replace, char *str) {
cached_quota->nelts = 1;
(void) pr_log_writefile(ldap_logfd, MOD_LDAP_VERSION,
- "parsing ftpQuota atribute value '%s'", str);
+ "parsing ftpQuota attribute value '%s'", str);
while ((token = strsep(&str, ","))) {
pr_signals_handle();
=====================================
contrib/mod_load/Makefile.in
=====================================
@@ -15,8 +15,8 @@ MODULE_INCLUDES=-I$(srcdir) -I$(top_srcdir) $(INCLUDES)
MODULE_LIBS=@MODULE_LIBS@
# Necessary redefinitions
-CPPFLAGS= -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(MODULE_INCLUDES)
-LDFLAGS=-L../../lib @LDFLAGS@
+CPPFLAGS= -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(MODULE_INCLUDES) $(shell dpkg-buildflags --get CPPFLAGS)
+LDFLAGS=-L../../lib @LDFLAGS@ $(shell dpkg-buildflags --get LDFLAGS)
.c.o:
$(CC) $(CPPFLAGS) $(CFLAGS) -c $<
=====================================
contrib/mod_sftp/Makefile.in
=====================================
@@ -27,8 +27,8 @@ SHARED_MODULE_OBJS=mod_sftp.lo msg.lo packet.lo cipher.lo mac.lo umac.lo \
# Necessary redefinitions
INCLUDES=-I. -I../.. -I../../include @INCLUDES@
-CPPFLAGS= $(ADDL_CPPFLAGS) -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(INCLUDES)
-LDFLAGS=-L../../lib @LDFLAGS@
+CPPFLAGS= $(ADDL_CPPFLAGS) -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(INCLUDES) $(shell dpkg-buildflags --get CPPFLAGS)
+LDFLAGS=-L../../lib @LDFLAGS@ $(shell dpkg-buildflags --get LDFLAGS)
# We special-case the building of umac128.o in order to use preprocessor
# tricks to get the implementation, rather than making it be all in runtime.
=====================================
contrib/mod_sftp/date.c
=====================================
@@ -124,7 +124,7 @@ int sftp_date_set_params(pool *p, uint32_t channel_id, array_header *req) {
case '?':
/* Ignore unsupported options */
(void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
- "ingoring supported date(1) option '%c'", (char) optopt);
+ "ignoring supported date(1) option '%c'", (char) optopt);
break;
}
}
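Review bot: The corrected log message still says "ignoring supported date(1) option", which contradicts the `/* Ignore unsupported options */` comment directly above it in the `'?'` case. Since the typo is being fixed anyway, the string should read `"ignoring unsupported date(1) option '%c'", (char) optopt);` so that the SFTP log states what actually happened. sftp_date_set_params continues outside the hunk.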
=====================================
contrib/mod_sftp/keys.c
=====================================
@@ -1121,7 +1121,7 @@ static EVP_PKEY *get_pkey_from_data(pool *p, unsigned char *pkey_data,
if (sftp_keys_validate_ecdsa_params(curve, point) < 0) {
(void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
- "erorr validating EC public key: %s", strerror(errno));
+ "error validating EC public key: %s", strerror(errno));
EC_POINT_free(point);
EC_KEY_free(ec);
return NULL;
@@ -2101,7 +2101,7 @@ static int handle_hostkey(pool *p, EVP_PKEY *pkey,
if (sftp_keys_validate_ecdsa_params(EC_KEY_get0_group(ec),
EC_KEY_get0_public_key(ec)) < 0) {
(void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
- "erorr validating EC public key: %s", strerror(errno));
+ "error validating EC public key: %s", strerror(errno));
EC_KEY_free(ec);
EVP_PKEY_free(pkey);
return -1;
@@ -2109,7 +2109,7 @@ static int handle_hostkey(pool *p, EVP_PKEY *pkey,
if (validate_ecdsa_private_key(ec)) {
(void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
- "erorr validating EC private key: %s", strerror(errno));
+ "error validating EC private key: %s", strerror(errno));
EC_KEY_free(ec);
EVP_PKEY_free(pkey);
return -1;
=====================================
contrib/mod_snmp/Makefile.in
=====================================
@@ -18,8 +18,8 @@ SHARED_MODULE_OBJS=mod_snmp.lo asn1.lo smi.lo pdu.lo msg.lo db.lo mib.lo \
# Necessary redefinitions
INCLUDES=-I. -I../.. -I../../include @INCLUDES@
-CPPFLAGS= $(ADDL_CPPFLAGS) -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(INCLUDES)
-LDFLAGS=-L../../lib @LDFLAGS@
+CPPFLAGS= $(ADDL_CPPFLAGS) -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(INCLUDES) $(shell dpkg-buildflags --get CPPFLAGS)
+LDFLAGS=-L../../lib @LDFLAGS@ $(shell dpkg-buildflags --get LDFLAGS)
.c.o:
$(CC) $(CPPFLAGS) $(CFLAGS) -c $<
=====================================
contrib/mod_sql_mysql.c
=====================================
@@ -131,7 +131,7 @@
#include "conf.h"
#include "../contrib/mod_sql.h"
-#include <mysql.h>
+#include <mysql/mysql.h>
#include <stdbool.h>
/* The my_make_scrambled_password{,_323} functions are not part of the public
=====================================
contrib/mod_sql_odbc.c
=====================================
@@ -19,6 +19,7 @@
* As a special exemption, TJ Saunders gives permission to link this program
* with OpenSSL, and distribute the resulting executable, without including
* the source code for OpenSSL in the source distribution.
+ * $Libraries: -lodbc $
*/
#include "conf.h"
=====================================
contrib/mod_tls.c
=====================================
@@ -2172,7 +2172,7 @@ static int tls_cert_match_cn(pool *p, X509 *cert, const char *name,
if (idx < 0) {
pr_trace_msg(trace_channel, 12,
"unable to check certificate CommonName against '%s': "
- "no CommoName atribute found", name);
+ "no CommoName attribute found", name);
return 0;
}
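Review bot: All three trace messages in tls_cert_match_cn still misspell the attribute as "CommoName" after this fix (this hunk and the two that follow), so a search of the trace log for "CommonName attribute" will miss them. The first should read `"no CommonName attribute found", name);`, and likewise for the other two. The second message also keeps a stray trailing "found" in "error obtaining CommoName attribute found: %s", which reads like a copy-paste leftover. The function body starts and ends outside these hunks.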
@@ -2180,7 +2180,7 @@ static int tls_cert_match_cn(pool *p, X509 *cert, const char *name,
if (cn_entry == NULL) {
pr_trace_msg(trace_channel, 12,
"unable to check certificate CommonName against '%s': "
- "error obtaining CommoName atribute found: %s", name, tls_get_errors());
+ "error obtaining CommoName attribute found: %s", name, tls_get_errors());
return 0;
}
@@ -2189,7 +2189,7 @@ static int tls_cert_match_cn(pool *p, X509 *cert, const char *name,
if (cn_asn1 == NULL) {
pr_trace_msg(trace_channel, 12,
"unable to check certificate CommonName against '%s': "
- "error converting CommoName atribute to ASN.1: %s", name,
+ "error converting CommoName attribute to ASN.1: %s", name,
tls_get_errors());
return 0;
}
=====================================
contrib/mod_wrap.c
=====================================
@@ -949,8 +949,7 @@ MODRET wrap_handle_request(cmd_rec *cmd) {
fromhost(&request);
- if (STR_EQ(eval_hostname(request.client), paranoid) ||
- !hosts_access(&request)) {
+ if (!hosts_access(&request)) {
char *denymsg = NULL;
/* log the denied connection */
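Review bot: Removing `STR_EQ(eval_hostname(request.client), paranoid)` drops the unconditional rejection of clients whose name and address lookups disagree, and neither the code nor the changelog entry on this page records why. After this change such a client is denied only when hosts_access() rejects it, which, as far as tcp_wrappers semantics go, needs an explicit PARANOID rule in the access files. I would add a comment above the condition, e.g. `/* Debian: no implicit PARANOID check here; name/address mismatches are denied only via a PARANOID rule in hosts.deny. */`, and mention the behaviour change in the package documentation so administrators can add the rule. wrap_handle_request starts and ends outside the hunk.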
=====================================
contrib/mod_wrap2/Makefile.in
=====================================
@@ -15,8 +15,8 @@ MODULE_INCLUDES=-I$(srcdir) -I$(top_srcdir) $(INCLUDES)
MODULE_LIBS=@MODULE_LIBS@
# Necessary redefinitions
-CPPFLAGS= -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(MODULE_INCLUDES)
-LDFLAGS=-L../../lib @LDFLAGS@
+CPPFLAGS= -DHAVE_CONFIG_H $(DEFAULT_PATHS) $(PLATFORM) $(MODULE_INCLUDES) $(shell dpkg-buildflags --get CPPFLAGS)
+LDFLAGS=-L../../lib @LDFLAGS@ $(shell dpkg-buildflags --get LDFLAGS)
.c.o:
$(CC) $(CPPFLAGS) $(CFLAGS) -c $<
=====================================
contrib/xferstats.holger-preiss
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
# ---------------------------------------------------------------------------
#
# USAGE: xferstats <options>
@@ -56,7 +56,7 @@ $mydom1 = pop(@mydom);
# $mydom2 = "org";
# edit the next line to customize for your default log file
-$usage_file = "/var/log/xferlog";
+$usage_file = "/var/log/proftpd/xferlog";
# Edit the following lines for default report settings.
# Entries defined here will be over-ridden by the command line.
=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+proftpd-dfsg (1.3.6c-2) UNRELEASED; urgency=medium
+
+ * Add patch from upstream as follow up for CVE-2020-9273
+ cd9036f4ef7a05c107f0ffcb19a018b20267c531.patch
+ (Closes: #952557)
+
+ -- Hilmar Preusse <hille42 at web.de> Thu, 27 Feb 2020 20:15:25 +0100
+
proftpd-dfsg (1.3.6c-1) unstable; urgency=medium
* New upstream version.
=====================================
debian/patches/cd9036f4ef7a05c107f0ffcb19a018b20267c531.patch
=====================================
@@ -0,0 +1,24 @@
+From cd9036f4ef7a05c107f0ffcb19a018b20267c531 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Sat, 22 Feb 2020 09:40:32 -0800
+Subject: [PATCH] Issue #903: We want to remove the data transfer command pool,
+ but we _do_ want some memory pool, lest we regress the %{transfer-status}
+ LogFormat functionality.
+
+---
+ src/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/data.c b/src/data.c
+index 6ef6d420e..e7b03e231 100644
+--- a/src/data.c
++++ b/src/data.c
+@@ -897,7 +897,7 @@ void pr_data_abort(int err, int quiet) {
+ /* Forcibly clear the data-transfer instigating command pool from the
+ * Response API.
+ */
+- pr_response_set_pool(NULL);
++ pr_response_set_pool(session.pool);
+ }
+
+ if (true_abort) {
=====================================
debian/patches/series
=====================================
@@ -22,3 +22,4 @@ wrong-path-for-interpreter_perl.diff
# issue_846_CVE-2019-18217.diff
# upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
# upstream_4385
+cd9036f4ef7a05c107f0ffcb19a018b20267c531.patch
=====================================
doc/utils/ftpwho.html
=====================================
@@ -14,7 +14,7 @@ ftpwho - show current process information for each ftp user
The <B>ftpwho</B> command shows process information for all active proftpd
connections, and a count of all connected users off of each server. Proftpd
-sesssions spawned from inetd are counted seperately from those created by a
+sessions spawned from inetd are counted seperately from those created by a
master proftpd <I>standalone</I> server.
<H2>OPTIONS</H2>
=====================================
lib/libcap/Makefile
=====================================
@@ -25,7 +25,7 @@ FILES=cap_alloc cap_proc cap_extint cap_flag cap_text cap_file
INCLS=libcap.h cap_names.h $(INCS)
OBJS=$(addsuffix .o, $(FILES))
-all: $(STALIBNAME)
+all:
_makenames: _makenames.c cap_names.list.h
$(CC) $(CFLAGS) $< -o $@
=====================================
modules/mod_auth_pam.c
=====================================
@@ -66,7 +66,7 @@ module auth_pam_module;
static authtable auth_pam_authtab[2];
static pam_handle_t * pamh = NULL;
-static char * pamconfig = "ftp";
+static char * pamconfig = "proftpd";
static char * pam_user = NULL;
static char * pam_pass = NULL;
static size_t pam_user_len = 0;
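Review bot: Changing the default `pamconfig` from "ftp" to "proftpd" moves authentication policy to /etc/pam.d/proftpd, and if that file is not installed Linux-PAM falls back to the `other` service, whose policy may differ from what the administrator configured for ftp. Nothing on this page shows the package shipping that file, so that should be confirmed. I would also document the deviation on the declaration, e.g. `/* Debian: default PAM service is "proftpd" (/etc/pam.d/proftpd), not upstream's "ftp". */`.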
=====================================
modules/mod_cap.c
=====================================
@@ -42,10 +42,8 @@
# define _LINUX_BYTEORDER_GENERIC_H
# endif
-# ifdef HAVE_LINUX_CAPABILITY_H
-# include <linux/capability.h>
-# endif /* HAVE_LINUX_CAPABILITY_H */
-# include "../lib/libcap/include/sys/capability.h"
+#include <linux/capability.h>
+#include <sys/capability.h>
/* What are these for? */
# undef WNOHANG
=====================================
src/data.c
=====================================
@@ -897,7 +897,7 @@ void pr_data_abort(int err, int quiet) {
/* Forcibly clear the data-transfer instigating command pool from the
* Response API.
*/
- pr_response_set_pool(NULL);
+ pr_response_set_pool(session.pool);
}
if (true_abort) {
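Review bot: This edit to src/data.c is the same one-line change carried in debian/patches/cd9036f4ef7a05c107f0ffcb19a018b20267c531.patch, which this commit also adds to debian/patches/series, so the CVE-2020-9273 follow-up is present both in the tree and as a patch. If the package uses the 3.0 (quilt) source format (not visible here), the patch will not apply on top of the already-modified file. Several other files in this commit, such as the `#!/usr/bin/perl` changes, look like applied series entries committed the same way. I would unapply the series before committing (`quilt pop -a`) and ship only the file under debian/patches. Separately, the comment above the call still says the pool is "forcibly cleared" although the new line sets it to `session.pool`; pr_data_abort continues outside the hunk.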
=====================================
src/prxs.in
=====================================
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
# ---------------------------------------------------------------------------
# Copyright (C) 2008-2012 TJ Saunders <tj at castaglia.org>
=====================================
utils/ftpwho.1.in
=====================================
@@ -10,7 +10,7 @@ ftpwho \- show current process information for each FTP session
The
.BI ftpwho
command shows process information for all active proftpd connections,
-and a count of all connected users off of each server. Proftpd sesssions
+and a count of all connected users off of each server. Proftpd sessions
spawned from inetd are counted separately from those created by a
master proftpd
.I standalone
View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commit/7987e2c606efa2150ceafafcde67c35f80dc10be