Gentoo Archives: gentoo-commits

From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-ftp/pure-ftpd/files/, net-ftp/pure-ftpd/
Date: Mon, 02 Mar 2020 14:00:02
Message-Id: 1583157586.4501b5f9f001794ca87849f240d4af149b6f1b15.polynomial-c@gentoo
1 commit: 4501b5f9f001794ca87849f240d4af149b6f1b15
2 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
3 AuthorDate: Mon Mar 2 13:59:31 2020 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Mon Mar 2 13:59:46 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4501b5f9
7
8 net-ftp/pure-ftpd: Security revbump for CVE-2020-9365
9
10 Bug: https://bugs.gentoo.org/711124
11 Package-Manager: Portage-2.3.91, Repoman-2.3.20
12 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
13
14 ...d-1.0.49-diraliases_uninitialized_pointer.patch | 31 +++++
15 .../pure-ftpd-1.0.49-pure_strcmp_OOB_read.patch | 27 ++++
16 net-ftp/pure-ftpd/pure-ftpd-1.0.49-r2.ebuild | 152 +++++++++++++++++++++
17 3 files changed, 210 insertions(+)
18
19 diff --git a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.49-diraliases_uninitialized_pointer.patch b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.49-diraliases_uninitialized_pointer.patch
20 new file mode 100644
21 index 00000000000..7e29934caf5
22 --- /dev/null
23 +++ b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.49-diraliases_uninitialized_pointer.patch
24 @@ -0,0 +1,31 @@
25 +From 8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa Mon Sep 17 00:00:00 2001
26 +From: Frank Denis <github@××××××××.org>
27 +Date: Tue, 18 Feb 2020 18:36:58 +0100
28 +Subject: [PATCH] diraliases: always set the tail of the list to NULL
29 +
30 +Spotted and reported by Antonio Norales from GitHub Security Labs.
31 +Thanks!
32 +---
33 + src/diraliases.c | 2 +-
34 + 1 file changed, 1 insertion(+), 1 deletion(-)
35 +
36 +diff --git a/src/diraliases.c b/src/diraliases.c
37 +index 4002a36..fb70273 100644
38 +--- a/src/diraliases.c
39 ++++ b/src/diraliases.c
40 +@@ -93,7 +93,6 @@ int init_aliases(void)
41 + (tail->dir = strdup(dir)) == NULL) {
42 + die_mem();
43 + }
44 +- tail->next = NULL;
45 + } else {
46 + DirAlias *curr;
47 +
48 +@@ -105,6 +104,7 @@ int init_aliases(void)
49 + tail->next = curr;
50 + tail = curr;
51 + }
52 ++ tail->next = NULL;
53 + }
54 + fclose(fp);
55 + aliases_up++;
56
57 diff --git a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.49-pure_strcmp_OOB_read.patch b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.49-pure_strcmp_OOB_read.patch
58 new file mode 100644
59 index 00000000000..4ed197e46d3
60 --- /dev/null
61 +++ b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.49-pure_strcmp_OOB_read.patch
62 @@ -0,0 +1,27 @@
63 +From 36c6d268cb190282a2c17106acfd31863121b58e Mon Sep 17 00:00:00 2001
64 +From: Frank Denis <github@××××××××.org>
65 +Date: Mon, 24 Feb 2020 15:19:43 +0100
66 +Subject: [PATCH] pure_strcmp(): len(s2) can be > len(s1)
67 +
68 +Reported by Antonio Morales from GitHub Security Labs, thanks!
69 +---
70 + src/utils.c | 8 +++++++-
71 + 1 file changed, 7 insertions(+), 1 deletion(-)
72 +
73 +diff --git a/src/utils.c b/src/utils.c
74 +index f41492d..a7f0381 100644
75 +--- a/src/utils.c
76 ++++ b/src/utils.c
77 +@@ -45,5 +45,11 @@ int pure_memcmp(const void * const b1_, const void * const b2_, size_t len)
78 +
79 + int pure_strcmp(const char * const s1, const char * const s2)
80 + {
81 +- return pure_memcmp(s1, s2, strlen(s1) + 1U);
82 ++ const size_t s1_len = strlen(s1);
83 ++ const size_t s2_len = strlen(s2);
84 ++
85 ++ if (s1_len != s2_len) {
86 ++ return -1;
87 ++ }
88 ++ return pure_memcmp(s1, s2, s1_len);
89 + }
90
91 diff --git a/net-ftp/pure-ftpd/pure-ftpd-1.0.49-r2.ebuild b/net-ftp/pure-ftpd/pure-ftpd-1.0.49-r2.ebuild
92 new file mode 100644
93 index 00000000000..9ca535572cf
94 --- /dev/null
95 +++ b/net-ftp/pure-ftpd/pure-ftpd-1.0.49-r2.ebuild
96 @@ -0,0 +1,152 @@
97 +# Copyright 1999-2020 Gentoo Authors
98 +# Distributed under the terms of the GNU General Public License v2
99 +
100 +EAPI=7
101 +
102 +inherit flag-o-matic
103 +
104 +DESCRIPTION="Fast, production-quality, standard-conformant FTP server"
105 +HOMEPAGE="http://www.pureftpd.org/"
106 +if [[ "${PV}" == 9999 ]] ; then
107 + inherit autotools git-r3
108 + EGIT_REPO_URI="https://github.com/jedisct1/pure-ftpd.git"
109 +else
110 + SRC_URI="ftp://ftp.pureftpd.org/pub/${PN}/releases/${P}.tar.bz2
111 + http://download.pureftpd.org/pub/${PN}/releases/${P}.tar.bz2"
112 + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
113 +fi
114 +
115 +LICENSE="BSD"
116 +SLOT="0"
117 +
118 +IUSE="anondel anonperm anonren anonres caps implicittls ldap libressl mysql noiplog pam paranoidmsg postgres resolveids selinux ssl sysquota vchroot xinetd"
119 +
120 +REQUIRED_USE="implicittls? ( ssl )"
121 +
122 +DEPEND="caps? ( sys-libs/libcap )
123 + ldap? ( >=net-nds/openldap-2.0.25 )
124 + mysql? ( || (
125 + dev-db/mariadb-connector-c
126 + dev-db/mysql-connector-c
127 + ) )
128 + pam? ( sys-libs/pam )
129 + postgres? ( dev-db/postgresql:= )
130 + ssl? (
131 + !libressl? ( >=dev-libs/openssl-0.9.6g:0=[-bindist] )
132 + libressl? ( dev-libs/libressl:= )
133 + )
134 + sysquota? ( sys-fs/quota[-rpc] )
135 + xinetd? ( virtual/inetd )"
136 +
137 +RDEPEND="${DEPEND}
138 + dev-libs/libsodium:=
139 + net-ftp/ftpbase
140 + selinux? ( sec-policy/selinux-ftp )"
141 +
142 +PATCHES=(
143 + "${FILESDIR}/${PN}-1.0.28-pam.patch"
144 +
145 + # https://bugs.gentoo.org/711124
146 + "${FILESDIR}/${P}-diraliases_uninitialized_pointer.patch"
147 + "${FILESDIR}/${P}-pure_strcmp_OOB_read.patch"
148 +)
149 +
150 +src_prepare() {
151 + default
152 + [[ "${PV}" == 9999 ]] && eautoreconf
153 +}
154 +
155 +src_configure() {
156 + # adjust max user length to something more appropriate
157 + # for virtual hosts. See bug #62472 for details.
158 + sed -e "s:# define MAX_USER_LENGTH 32U:# define MAX_USER_LENGTH 127U:" \
159 + -i "${S}/src/ftpd.h" || die "sed failed"
160 +
161 + # Those features are only configurable like this, see bug #179375.
162 + use anondel && append-cppflags -DANON_CAN_DELETE
163 + use anonperm && append-cppflags -DANON_CAN_CHANGE_PERMS
164 + use anonren && append-cppflags -DANON_CAN_RENAME
165 + use anonres && append-cppflags -DANON_CAN_RESUME
166 + use resolveids && append-cppflags -DALWAYS_RESOLVE_IDS
167 +
168 + # Do not auto-use SSP -- let the user select this.
169 + export ax_cv_check_cflags___fstack_protector_all=no
170 +
171 + local myeconfargs=(
172 + --enable-largefile
173 + # Required for correct pid file location.
174 + # pure-ftpd appends "/run/pure-ftpd.pid" to the localstatedir
175 + # path, and tries to write to that file even when being
176 + # started in foreground. So we need to pin this to /
177 + --localstatedir="${EPREFIX}"/
178 + --with-altlog
179 + --with-cookie
180 + --with-diraliases
181 + --with-extauth
182 + --with-ftpwho
183 + --with-language=${PUREFTPD_LANG:=english}
184 + --with-peruserlimits
185 + --with-privsep
186 + --with-puredb
187 + --with-quotas
188 + --with-ratios
189 + --with-throttling
190 + --with-uploadscript
191 + --with-virtualhosts
192 + $(use_with ldap)
193 + $(use_with mysql)
194 + $(use_with pam)
195 + $(use_with paranoidmsg)
196 + $(use_with postgres pgsql)
197 + $(use_with ssl tls)
198 + $(use_with implicittls)
199 + $(use_with vchroot virtualchroot)
200 + $(use_with sysquota sysquotas)
201 + $(usex caps '' '--without-capabilities')
202 + $(usex noiplog '--without-iplogging' '')
203 + $(usex xinetd '' '--without-inetd')
204 + )
205 + econf "${myeconfargs[@]}"
206 +}
207 +
208 +src_install() {
209 + local DOCS=( AUTHORS ChangeLog FAQ HISTORY README* NEWS )
210 +
211 + default
212 +
213 + newinitd "${FILESDIR}/pure-ftpd.rc11" ${PN}
214 + newconfd "${FILESDIR}/pure-ftpd.conf_d-3" ${PN}
215 +
216 + if use implicittls ; then
217 + sed -i '/^SERVER/s@21@990@' "${ED}"/etc/conf.d/${PN} \
218 + || die "Adjusting default server port for implicittls usage failed!"
219 + fi
220 +
221 + keepdir /var/lib/run/${PN}
222 +
223 + if use xinetd ; then
224 + insinto /etc/xinetd.d
225 + newins "${FILESDIR}/pure-ftpd.xinetd" ${PN}
226 + fi
227 +
228 + if use ldap ; then
229 + insinto /etc/openldap/schema
230 + doins pureftpd.schema
231 + insinto /etc/openldap
232 + insopts -m 0600
233 + doins pureftpd-ldap.conf
234 + fi
235 +}
236 +
237 +pkg_postinst() {
238 + if [[ -z "${REPLACING_VERSIONS}" ]]; then
239 + # This is a new installation
240 + elog
241 + elog "Before starting Pure-FTPd, you have to edit the /etc/conf.d/pure-ftpd file!"
242 + elog
243 + ewarn "It's *really* important to read the README provided with Pure-FTPd!"
244 + ewarn "Check out http://download.pureftpd.org/pub/pure-ftpd/doc/README for general info"
245 + ewarn "and http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS for SSL/TLS info."
246 + ewarn
247 + fi
248 +}