
From: Sergei Trofimovich <slyfox@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-ftp/proftpd/files/, net-ftp/proftpd/
Date: Tue, 01 Dec 2015 22:23:26
Message-Id: 1449008592.0701a27f2fb7e5d820b9da4317ee99b655cfd468.slyfox@gentoo
1 commit: 0701a27f2fb7e5d820b9da4317ee99b655cfd468
2 Author: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
3 AuthorDate: Tue Dec 1 22:22:50 2015 +0000
4 Commit: Sergei Trofimovich <slyfox <AT> gentoo <DOT> org>
5 CommitDate: Tue Dec 1 22:23:12 2015 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0701a27f
7
8 net-ftp/proftpd: fix size limit of SFTP handshake, bug #567252
9
10 Reported-by: Agostino Sarubbo
11 Bug: https://bugs.gentoo.org/567252
12 Bug: http://bugs.proftpd.org/4210
13
14 Package-Manager: portage-2.2.25
15
16 .../files/proftpd-1.3.5a-unbound-sftp-p1.patch | 70 ++++++
17 .../files/proftpd-1.3.5a-unbound-sftp-p2.patch | 61 ++++++
18 net-ftp/proftpd/proftpd-1.3.5a-r2.ebuild | 240 +++++++++++++++++++++
19 3 files changed, 371 insertions(+)
20
21 diff --git a/net-ftp/proftpd/files/proftpd-1.3.5a-unbound-sftp-p1.patch b/net-ftp/proftpd/files/proftpd-1.3.5a-unbound-sftp-p1.patch
22 new file mode 100644
23 index 0000000..03dd1d8
24 --- /dev/null
25 +++ b/net-ftp/proftpd/files/proftpd-1.3.5a-unbound-sftp-p1.patch
26 @@ -0,0 +1,70 @@
27 +commit a24db7f9864240a4ebb236a6615ec649138fef0e
28 +Author: TJ Saunders <tj@×××××××××.org>
29 +Date: Sat Nov 28 17:08:03 2015 -0800
30 +
31 + Bug#4210 - Avoid unbounded SFTP extension key/values.
32 +
33 +diff --git a/contrib/mod_sftp/fxp.c b/contrib/mod_sftp/fxp.c
34 +index 5d9ae17..03c7eb5 100644
35 +--- a/contrib/mod_sftp/fxp.c
36 ++++ b/contrib/mod_sftp/fxp.c
37 +@@ -241,6 +241,9 @@ struct fxp_extpair {
38 + unsigned char *ext_data;
39 + };
40 +
41 ++/* Maximum length of SFTP extension name, AND of the extension value. */
42 ++#define SFTP_EXT_MAX_LEN 1024
43 ++
44 + static pool *fxp_pool = NULL;
45 + static int fxp_use_gmt = TRUE;
46 +
47 +@@ -1240,6 +1243,14 @@ static struct fxp_extpair *fxp_msg_read_extpair(pool *p, unsigned char **buf,
48 + SFTP_DISCONNECT_CONN(SFTP_SSH2_DISCONNECT_BY_APPLICATION, NULL);
49 + }
50 +
51 ++ if (namelen > SFTP_EXT_MAX_LEN) {
52 ++ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
53 ++ "received too-long SFTP extension name (%lu > max %lu), ignoring",
54 ++ (unsigned long) namelen, (unsigned long) SFTP_EXT_MAX_LEN);
55 ++ errno = EINVAL;
56 ++ return NULL;
57 ++ }
58 ++
59 + name = palloc(p, namelen + 1);
60 + memcpy(name, *buf, namelen);
61 + (*buf) += namelen;
62 +@@ -1248,6 +1259,14 @@ static struct fxp_extpair *fxp_msg_read_extpair(pool *p, unsigned char **buf,
63 +
64 + datalen = sftp_msg_read_int(p, buf, buflen);
65 + if (datalen > 0) {
66 ++ if (datalen > SFTP_EXT_MAX_LEN) {
67 ++ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
68 ++ "received too-long SFTP extension '%s' data (%lu > max %lu), ignoring",
69 ++ name, (unsigned long) datalen, (unsigned long) SFTP_EXT_MAX_LEN);
70 ++ errno = EINVAL;
71 ++ return NULL;
72 ++ }
73 ++
74 + data = sftp_msg_read_data(p, buf, buflen, datalen);
75 +
76 + } else {
77 +@@ -2210,11 +2229,13 @@ static struct stat *fxp_attrs_read(struct fxp_packet *fxp, unsigned char **buf,
78 + struct fxp_extpair *ext;
79 +
80 + ext = fxp_msg_read_extpair(fxp->pool, buf, buflen);
81 +- pr_trace_msg(trace_channel, 15,
82 +- "protocol version %lu: read EXTENDED attribute: "
83 +- "extension '%s' (%lu bytes of data)",
84 +- (unsigned long) fxp_session->client_version, ext->ext_name,
85 +- (unsigned long) ext->ext_datalen);
86 ++ if (ext != NULL) {
87 ++ pr_trace_msg(trace_channel, 15,
88 ++ "protocol version %lu: read EXTENDED attribute: "
89 ++ "extension '%s' (%lu bytes of data)",
90 ++ (unsigned long) fxp_session->client_version, ext->ext_name,
91 ++ (unsigned long) ext->ext_datalen);
92 ++ }
93 + }
94 + }
95 +
96 +
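Review bot: In the fxp_attrs_read hunk the new `if (ext != NULL)` only suppresses the trace message; nothing visible stops the enclosing loop (its header and the rest of the function lie outside the hunk) from continuing to parse, even though fxp_msg_read_extpair has already advanced `*buf` past the length word and, in the data case, past the name as well, without consuming the rejected payload. The log text says the over-long attribute is being "ignored", but as far as these hunks show the buffer is left misaligned and the next iteration reads from the wrong offset. I would fail the attribute read instead of skipping the trace: `if (ext == NULL) { return NULL; }` (or whatever error path fxp_attrs_read's callers already handle), so the packet is rejected rather than parsed from garbage. Worth confirming against the full upstream commit a24db7f whether the caller was tightened elsewhere and that change simply was not carried into this backport.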
97
98 diff --git a/net-ftp/proftpd/files/proftpd-1.3.5a-unbound-sftp-p2.patch b/net-ftp/proftpd/files/proftpd-1.3.5a-unbound-sftp-p2.patch
99 new file mode 100644
100 index 0000000..c7d0a02
101 --- /dev/null
102 +++ b/net-ftp/proftpd/files/proftpd-1.3.5a-unbound-sftp-p2.patch
103 @@ -0,0 +1,61 @@
104 +commit f30ac3cc1a58ec7522de6aeeaa09314a45dbc690
105 +Author: TJ Saunders <tj@×××××××××.org>
106 +Date: Sat Nov 28 17:13:55 2015 -0800
107 +
108 + Correct the parameters to talk of "extended attributes", not SFTP extensions.
109 +
110 +diff --git a/contrib/mod_sftp/fxp.c b/contrib/mod_sftp/fxp.c
111 +index 03c7eb5..e7161d5 100644
112 +--- a/contrib/mod_sftp/fxp.c
113 ++++ b/contrib/mod_sftp/fxp.c
114 +@@ -235,15 +235,18 @@ static size_t fxp_packet_data_allocsz = 0;
115 + #define FXP_PACKET_DATA_DEFAULT_SZ (1024 * 16)
116 + #define FXP_RESPONSE_DATA_DEFAULT_SZ 512
117 +
118 ++#define FXP_MAX_PACKET_LEN (1024 * 512)
119 ++#define FXP_MAX_EXTENDED_ATTRIBUTES 100
120 ++
121 ++/* Maximum length of SFTP extended attribute name OR value. */
122 ++#define FXP_MAX_EXTENDED_ATTR_LEN 1024
123 ++
124 + struct fxp_extpair {
125 + char *ext_name;
126 + uint32_t ext_datalen;
127 + unsigned char *ext_data;
128 + };
129 +
130 +-/* Maximum length of SFTP extension name, AND of the extension value. */
131 +-#define SFTP_EXT_MAX_LEN 1024
132 +-
133 + static pool *fxp_pool = NULL;
134 + static int fxp_use_gmt = TRUE;
135 +
136 +@@ -1243,10 +1246,10 @@ static struct fxp_extpair *fxp_msg_read_extpair(pool *p, unsigned char **buf,
137 + SFTP_DISCONNECT_CONN(SFTP_SSH2_DISCONNECT_BY_APPLICATION, NULL);
138 + }
139 +
140 +- if (namelen > SFTP_EXT_MAX_LEN) {
141 ++ if (namelen > FXP_MAX_EXTENDED_ATTR_LEN) {
142 + (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
143 +- "received too-long SFTP extension name (%lu > max %lu), ignoring",
144 +- (unsigned long) namelen, (unsigned long) SFTP_EXT_MAX_LEN);
145 ++ "received too-long extended attribute name (%lu > max %lu), ignoring",
146 ++ (unsigned long) namelen, (unsigned long) FXP_MAX_EXTENDED_ATTR_LEN);
147 + errno = EINVAL;
148 + return NULL;
149 + }
150 +@@ -1259,10 +1262,11 @@ static struct fxp_extpair *fxp_msg_read_extpair(pool *p, unsigned char **buf,
151 +
152 + datalen = sftp_msg_read_int(p, buf, buflen);
153 + if (datalen > 0) {
154 +- if (datalen > SFTP_EXT_MAX_LEN) {
155 ++ if (datalen > FXP_MAX_EXTENDED_ATTR_LEN) {
156 + (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
157 +- "received too-long SFTP extension '%s' data (%lu > max %lu), ignoring",
158 +- name, (unsigned long) datalen, (unsigned long) SFTP_EXT_MAX_LEN);
159 ++ "received too-long extended attribute '%s' value (%lu > max %lu), "
160 ++ "ignoring", name, (unsigned long) datalen,
161 ++ (unsigned long) FXP_MAX_EXTENDED_ATTR_LEN);
162 + errno = EINVAL;
163 + return NULL;
164 + }
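Review bot: The first hunk adds `FXP_MAX_PACKET_LEN` and `FXP_MAX_EXTENDED_ATTRIBUTES`, but no hunk in this patch references either macro; the remaining hunks only rename the per-attribute length constant. If the upstream commit f30ac3c used them to bound the packet size and the number of extended attributes in fxp_attrs_read, this backport carries the definitions without the checks, and a client could still send an arbitrarily long run of 1024-byte attributes. Either drop the unused defines or carry the hunks that enforce them; at minimum a note such as `/* NOTE: FXP_MAX_PACKET_LEN / FXP_MAX_EXTENDED_ATTRIBUTES are not yet enforced in this backport */` would flag the gap for the next bump.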
165
166 diff --git a/net-ftp/proftpd/proftpd-1.3.5a-r2.ebuild b/net-ftp/proftpd/proftpd-1.3.5a-r2.ebuild
167 new file mode 100644
168 index 0000000..18d7c8e
169 --- /dev/null
170 +++ b/net-ftp/proftpd/proftpd-1.3.5a-r2.ebuild
171 @@ -0,0 +1,240 @@
172 +# Copyright 1999-2015 Gentoo Foundation
173 +# Distributed under the terms of the GNU General Public License v2
174 +# $Id$
175 +
176 +EAPI=5
177 +inherit eutils multilib systemd
178 +
179 +MOD_CASE="0.7"
180 +MOD_CLAMAV="0.11rc"
181 +MOD_DISKUSE="0.9"
182 +MOD_GSS="1.3.3"
183 +MOD_MSG="0.4.1"
184 +MOD_VROOT="0.9.3"
185 +
186 +DESCRIPTION="An advanced and very configurable FTP server"
187 +HOMEPAGE="http://www.proftpd.org/
188 + http://www.castaglia.org/proftpd/
189 + http://www.thrallingpenguin.com/resources/mod_clamav.htm
190 + http://gssmod.sourceforge.net/"
191 +SRC_URI="ftp://ftp.proftpd.org/distrib/source/${P/_/}.tar.gz
192 + case? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-case-${MOD_CASE}.tar.gz )
193 + clamav? ( https://secure.thrallingpenguin.com/redmine/attachments/download/1/mod_clamav-${MOD_CLAMAV}.tar.gz )
194 + diskuse? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-diskuse-${MOD_DISKUSE}.tar.gz )
195 + kerberos? ( mirror://sourceforge/gssmod/mod_gss-${MOD_GSS}.tar.gz )
196 + msg? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-msg-${MOD_MSG}.tar.gz )
197 + vroot? ( https://github.com/Castaglia/${PN}-mod_vroot/archive/mod_vroot-${MOD_VROOT}.tar.gz )"
198 +LICENSE="GPL-2"
199 +
200 +SLOT="0"
201 +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
202 +IUSE="acl authfile ban +caps case clamav copy ctrls deflate diskuse doc dso dynmasq exec ifsession ifversion ident ipv6
203 + kerberos ldap libressl linguas_bg_BG linguas_en_US linguas_fr_FR linguas_it_IT linguas_ja_JP linguas_ko_KR
204 + linguas_ru_RU linguas_zh_CN linguas_zh_TW log_forensic memcache msg mysql ncurses nls pam +pcre postgres qos radius
205 + ratio readme rewrite selinux sftp shaper sitemisc snmp softquota sqlite ssl tcpd test trace unique_id vroot xinetd"
206 +# TODO: geoip
207 +REQUIRED_USE="ban? ( ctrls )
208 + msg? ( ctrls )
209 + sftp? ( ssl )
210 + shaper? ( ctrls )"
211 +
212 +CDEPEND="acl? ( virtual/acl )
213 + caps? ( sys-libs/libcap )
214 + clamav? ( app-antivirus/clamav )
215 + kerberos? ( virtual/krb5 )
216 + ldap? ( net-nds/openldap )
217 + memcache? ( >=dev-libs/libmemcached-0.41 )
218 + mysql? ( virtual/mysql )
219 + nls? ( virtual/libiconv )
220 + ncurses? ( sys-libs/ncurses:0= )
221 + ssl? (
222 + !libressl? ( dev-libs/openssl:0= )
223 + libressl? ( dev-libs/libressl:= )
224 + )
225 + pam? ( virtual/pam )
226 + pcre? ( dev-libs/libpcre )
227 + postgres? ( dev-db/postgresql:= )
228 + sqlite? ( dev-db/sqlite:3 )
229 + xinetd? ( virtual/inetd )"
230 +DEPEND="${CDEPEND}
231 + test? ( dev-libs/check )"
232 +RDEPEND="${CDEPEND}
233 + net-ftp/ftpbase
234 + selinux? ( sec-policy/selinux-ftp )"
235 +
236 +S="${WORKDIR}/${P/_/}"
237 +
238 +__prepare_module() {
239 + local mod_name=$1
240 + local mod_topdir=${WORKDIR}/${2:-${mod_name}}
241 +
242 + mv "${mod_topdir}/${mod_name}.c" contrib || die
243 + mv "${mod_topdir}/${mod_name}.html" doc/contrib || die
244 + rm -r "${mod_topdir}" || die
245 +}
246 +
247 +src_prepare() {
248 + epatch -p1 "${FILESDIR}"/${P}-unbound-sftp-{p1,p2}.patch
249 +
250 + # Skip 'install-conf' / Support LINGUAS
251 + sed -i -e "/install-all/s/ install-conf//" Makefile.in
252 + sed -i -e "s/^LANGS=.*$/LANGS=${LINGUAS}/" locale/Makefile.in
253 +
254 + # Prepare external modules
255 + use case && __prepare_module mod_case
256 + if use clamav ; then
257 + mv "${WORKDIR}"/mod_clamav-${MOD_CLAMAV}/mod_clamav.{c,h} contrib
258 + epatch "${WORKDIR}"/mod_clamav-${MOD_CLAMAV}/${PN}.patch
259 + rm -r "${WORKDIR}"/mod_clamav-${MOD_CLAMAV}
260 + fi
261 + use msg && __prepare_module mod_msg
262 + use vroot && __prepare_module mod_vroot ${PN}-mod_vroot-mod_vroot-${MOD_VROOT}
263 +
264 + # Prepare external kerberos module
265 + if use kerberos ; then
266 + cd "${WORKDIR}"/mod_gss-${MOD_GSS}
267 +
268 + # Support app-crypt/heimdal / Gentoo Bug #284853
269 + sed -i -e "s/krb5_principal2principalname/_\0/" mod_auth_gss.c.in
270 +
271 + # Remove obsolete DES / Gentoo Bug #324903
272 + # Replace 'rpm' lookups / Gentoo Bug #391021
273 + sed -i -e "/ac_gss_libs/s/ -ldes425//" \
274 + -e "s/ac_libdir=\`rpm -q -l.*$/ac_libdir=\/usr\/$(get_libdir)\//" \
275 + -e "s/ac_includedir=\`rpm -q -l.*$/ac_includedir=\/usr\/include\//" configure{,.in}
276 + fi
277 +}
278 +
279 +src_configure() {
280 + local c m
281 +
282 + use acl && m="${m}:mod_facl"
283 + use ban && m="${m}:mod_ban"
284 + use case && m="${m}:mod_case"
285 + use clamav && m="${m}:mod_clamav"
286 + use copy && m="${m}:mod_copy"
287 + use ctrls && m="${m}:mod_ctrls_admin"
288 + use deflate && m="${m}:mod_deflate"
289 + if use diskuse ; then
290 + cd "${WORKDIR}"/mod_diskuse
291 + econf
292 + mv mod_diskuse.{c,h} "${S}"/contrib
293 + mv mod_diskuse.html "${S}"/doc/contrib
294 + cd "${S}"
295 + rm -r "${WORKDIR}"/mod_diskuse
296 + m="${m}:mod_diskuse"
297 + fi
298 + use dynmasq && m="${m}:mod_dynmasq"
299 + use exec && m="${m}:mod_exec"
300 + use ifsession && m="${m}:mod_ifsession"
301 + use ifversion && m="${m}:mod_ifversion"
302 + if use kerberos ; then
303 + cd "${WORKDIR}"/mod_gss-${MOD_GSS}
304 + if has_version app-crypt/mit-krb5 ; then
305 + econf --enable-mit
306 + else
307 + econf --enable-heimdal
308 + fi
309 + mv mod_{auth_gss,gss}.c "${S}"/contrib
310 + mv mod_gss.h "${S}"/include
311 + mv README.mod_{auth_gss,gss} "${S}"
312 + mv mod_gss.html "${S}"/doc/contrib
313 + mv rfc{1509,2228}.txt "${S}"/doc/rfc
314 + cd "${S}"
315 + rm -r "${WORKDIR}"/mod_gss-${MOD_GSS}
316 + m="${m}:mod_gss:mod_auth_gss"
317 + fi
318 + use ldap && m="${m}:mod_ldap"
319 + use log_forensic && m="${m}:mod_log_forensic"
320 + use msg && m="${m}:mod_msg"
321 + if use mysql || use postgres || use sqlite ; then
322 + m="${m}:mod_sql:mod_sql_passwd"
323 + use mysql && m="${m}:mod_sql_mysql"
324 + use postgres && m="${m}:mod_sql_postgres"
325 + use sqlite && m="${m}:mod_sql_sqlite"
326 + fi
327 + use qos && m="${m}:mod_qos"
328 + use radius && m="${m}:mod_radius"
329 + use ratio && m="${m}:mod_ratio"
330 + use readme && m="${m}:mod_readme"
331 + use rewrite && m="${m}:mod_rewrite"
332 + if use sftp ; then
333 + m="${m}:mod_sftp"
334 + use pam && m="${m}:mod_sftp_pam"
335 + use mysql || use postgres || use sqlite && m="${m}:mod_sftp_sql"
336 + fi
337 + use shaper && m="${m}:mod_shaper"
338 + use sitemisc && m="${m}:mod_site_misc"
339 + use snmp && m="${m}:mod_snmp"
340 + if use softquota ; then
341 + m="${m}:mod_quotatab:mod_quotatab_file"
342 + use ldap && m="${m}:mod_quotatab_ldap"
343 + use radius && m="${m}:mod_quotatab_radius"
344 + use mysql || use postgres || use sqlite && m="${m}:mod_quotatab_sql"
345 + fi
346 + if use ssl ; then
347 + m="${m}:mod_tls:mod_tls_shmcache"
348 + use memcache && m="${m}:mod_tls_memcache"
349 + fi
350 + if use tcpd ; then
351 + m="${m}:mod_wrap2:mod_wrap2_file"
352 + use mysql || use postgres || use sqlite && m="${m}:mod_wrap2_sql"
353 + fi
354 + use unique_id && m="${m}:mod_unique_id"
355 + use vroot && m="${m}:mod_vroot"
356 +
357 + if [[ -n ${PROFTP_CUSTOM_MODULES} ]]; then
358 + einfo "Adding user-specified extra modules: '${PROFTP_CUSTOM_MODULES}'"
359 + m="${m}:${PROFTP_CUSTOM_MODULES}"
360 + fi
361 +
362 + [[ -z ${m} ]] || c="${c} --with-modules=${m:1}"
363 + econf --localstatedir=/var/run/proftpd --sysconfdir=/etc/proftpd --disable-strip \
364 + $(use_enable acl facl) \
365 + $(use_enable authfile auth-file) \
366 + $(use_enable caps cap) \
367 + $(use_enable ctrls) \
368 + $(use_enable dso) \
369 + $(use_enable ident) \
370 + $(use_enable ipv6) \
371 + $(use_enable memcache) \
372 + $(use_enable ncurses) \
373 + $(use_enable nls) \
374 + $(use_enable ssl openssl) \
375 + $(use_enable pam auth-pam) \
376 + $(use_enable pcre) \
377 + $(use_enable test tests) \
378 + $(use_enable trace) \
379 + $(use_enable userland_GNU shadow) \
380 + $(use_enable userland_GNU autoshadow) \
381 + ${c:1}
382 +}
383 +
384 +src_test() {
385 + emake api-tests -C tests
386 +}
387 +
388 +src_install() {
389 + default
390 + [[ -z ${LINGUAS} ]] && rm -r "${ED}"/usr/share/locale
391 + rm -rf "${ED}"/var/run
392 +
393 + newinitd "${FILESDIR}"/proftpd.initd proftpd
394 + insinto /etc/proftpd
395 + doins "${FILESDIR}"/proftpd.conf.sample
396 +
397 + if use xinetd ; then
398 + insinto /etc/xinetd.d
399 + newins "${FILESDIR}"/proftpd.xinetd proftpd
400 + fi
401 +
402 + dodoc ChangeLog CREDITS INSTALL NEWS README* RELEASE_NOTES
403 + if use doc ; then
404 + dohtml doc/*.html doc/contrib/*.html doc/howto/*.html doc/modules/*.html
405 + docinto rfc
406 + dodoc doc/rfc/*.txt
407 + fi
408 +
409 + systemd_dounit "${FILESDIR}"/${PN}.service
410 + systemd_newtmpfilesd "${FILESDIR}"/${PN}-tmpfiles.d.conf ${PN}.conf
411 +}