From 01d405b9a5a6469eea053c62509cf76038cb11eb Mon Sep 17 00:00:00 2001
From: Matthias Saou
Date: Aug 19 2007 16:18:30 +0000
Subject: Update to 1.3.1rc3, an RC but it fixes all known vulnerabilities at last.
---
diff --git a/.cvsignore b/.cvsignore
index 6f67717..36633fb 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-proftpd-1.3.0a.tar.bz2
+proftpd-1.3.1rc3.tar.bz2
diff --git a/proftpd-1.3.0-cmdbufsize.patch b/proftpd-1.3.0-cmdbufsize.patch
deleted file mode 100644
index a361f02..0000000
--- a/proftpd-1.3.0-cmdbufsize.patch
+++ /dev/null
@@ -1,44 +0,0 @@
---- proftpd-1.3.0/src/main.c.cmdbufsize 2006-03-15 19:41:01.000000000 +0000
-+++ proftpd-1.3.0/src/main.c 2006-11-17 16:53:35.000000000 +0000
-@@ -116,6 +116,8 @@
-
- static char sbuf[PR_TUNABLE_BUFFER_SIZE] = {'\0'};
-
-+#define PR_DEFAULT_CMD_BUFSZ 512
-+
- static char **Argv = NULL;
- static char *LastArgv = NULL;
- static const char *PidPath = PR_PID_FILE_PATH;
-@@ -823,13 +825,26 @@
- long *buf_size = get_param_ptr(main_server->conf,
- "CommandBufferSize", FALSE);
-
-- if (buf_size == NULL || *buf_size <= 0)
-- cmd_buf_size = 512;
-+ if (buf_size == NULL) {
-+ pr_log_debug(DEBUG1, "no CommandBufferSize size given, "
-+ "using default buffer size (%u)", (unsigned int) PR_DEFAULT_CMD_BUFSZ);
-+ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
-+
-+ } else if (*buf_size <= 0) {
-+ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%ld) "
-+ "given, resetting to default buffer size (%u)",
-+ *buf_size, (unsigned int) PR_DEFAULT_CMD_BUFSZ);
-+ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
-+
-+ } else if (*buf_size + 1 > sizeof(buf)) {
-+ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%ld) "
-+ "given, resetting to default buffer size (%u)",
-+ *buf_size, (unsigned int) PR_DEFAULT_CMD_BUFSZ);
-+ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
-
-- else if (*buf_size + 1 > sizeof(buf)) {
-- pr_log_pri(PR_LOG_WARNING, "Invalid CommandBufferSize size given. "
-- "Resetting to 512.");
-- cmd_buf_size = 512;
-+ } else {
-+ pr_log_debug(DEBUG1, "setting CommandBufferSize to %ld", *buf_size);
-+ cmd_buf_size = (long) *buf_size;
- }
- }
-
diff --git a/proftpd-1.3.0-ctrls-restart.patch b/proftpd-1.3.0-ctrls-restart.patch
deleted file mode 100644
index e898923..0000000
--- a/proftpd-1.3.0-ctrls-restart.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-Index: modules/mod_ctrls.c
-===================================================================
-RCS file: /cvsroot/proftp/proftpd/modules/mod_ctrls.c,v
-retrieving revision 1.30
-diff -u -r1.30 mod_ctrls.c
---- modules/mod_ctrls.c 11 Nov 2005 21:05:32 -0000 1.30
-+++ modules/mod_ctrls.c 23 May 2006 17:31:51 -0000
-@@ -3,7 +3,7 @@
- * server, as well as several utility functions for other Controls
- * modules
- *
-- * Copyright (c) 2000-2005 TJ Saunders
-+ * Copyright (c) 2000-2006 TJ Saunders
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -34,7 +34,7 @@
- #include "privs.h"
- #include "mod_ctrls.h"
-
--#define MOD_CTRLS_VERSION "mod_ctrls/0.9.3"
-+#define MOD_CTRLS_VERSION "mod_ctrls/0.9.4"
-
- /* Master daemon in standalone mode? (from src/main.c) */
- extern unsigned char is_master;
-@@ -518,7 +518,7 @@
- } else if (res == PR_LOG_WRITABLE_DIR) {
- pr_log_pri(PR_LOG_NOTICE, MOD_CTRLS_VERSION
- ": unable to open ControlsLog '%s': "
-- "containing directory is world writeable", ctrls_logname);
-+ "containing directory is world writable", ctrls_logname);
-
- } else if (res == PR_LOG_SYMLINK) {
- pr_log_pri(PR_LOG_NOTICE, MOD_CTRLS_VERSION
-@@ -1476,7 +1476,7 @@
-
- if (res == -2)
- CONF_ERROR(cmd, pstrcat(cmd->tmp_pool,
-- "unable to log to a world-writeable directory", NULL));
-+ "unable to log to a world-writable directory", NULL));
- }
-
- return HANDLED(cmd);
-@@ -1506,10 +1506,12 @@
- CONF_ERROR(cmd, "must be an absolute path");
-
- /* Close the socket. */
-- pr_log_debug(DEBUG3, MOD_CTRLS_VERSION ": closing ctrls socket '%s'",
-- ctrls_sock_file);
-- close(ctrls_sockfd);
-- ctrls_sockfd = -1;
-+ if (ctrls_sockfd >= 0) {
-+ pr_log_debug(DEBUG3, MOD_CTRLS_VERSION ": closing ctrls socket '%s' (%d)",
-+ ctrls_sock_file, ctrls_sockfd);
-+ close(ctrls_sockfd);
-+ ctrls_sockfd = -1;
-+ }
-
- /* Change the path. */
- if (strcmp(cmd->argv[1], ctrls_sock_file) != 0)
-@@ -1608,9 +1610,28 @@
- PRIVS_ROOT
- ctrls_sockfd = ctrls_listen(ctrls_sock_file);
- PRIVS_RELINQUISH
-- if (ctrls_sockfd < 0)
-+ if (ctrls_sockfd < 0) {
- pr_log_pri(PR_LOG_NOTICE, "notice: unable to listen to local socket: %s",
- strerror(errno));
-+
-+ } else {
-+ /* Ensure that the listen socket used is not one of the major three
-+ * (stdin, stdout, or stderr).
-+ */
-+ if (ctrls_sockfd < 3) {
-+ if (dup2(ctrls_sockfd, 3) < 0) {
-+ pr_log_pri(PR_LOG_NOTICE, MOD_CTRLS_VERSION
-+ ": error duplicating listen socket: %s", strerror(errno));
-+ (void) close(ctrls_sockfd);
-+ ctrls_sockfd = -1;
-+
-+ } else {
-+ (void) close(ctrls_sockfd);
-+ ctrls_sockfd = 3;
-+ }
-+ }
-+ }
-+
- }
-
- static void ctrls_restart_ev(const void *event_data, void *user_data) {
-@@ -1633,10 +1654,11 @@
- cl_list = NULL;
- cl_listlen = 0;
-
-- pr_log_debug(DEBUG3, MOD_CTRLS_VERSION ": closing ctrls socket '%s'",
-- ctrls_sock_file);
-+ pr_log_debug(DEBUG3, MOD_CTRLS_VERSION ": closing ctrls socket '%s' (%d)",
-+ ctrls_sock_file, ctrls_sockfd);
- close(ctrls_sockfd);
- ctrls_sockfd = -1;
-+
- ctrls_closelog();
-
- /* Clear the existing pool */
diff --git a/proftpd-1.3.0-mod_tls.patch b/proftpd-1.3.0-mod_tls.patch
deleted file mode 100644
index de5bd94..0000000
--- a/proftpd-1.3.0-mod_tls.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-This is a possible fix Ralf S. Engelschall
-has made myself for the X.509 issue of mod_tls.c
-
-Index: contrib/mod_tls.c
---- contrib/mod_tls.c.orig 2005-11-08 18:59:49 +0100
-+++ contrib/mod_tls.c 2006-11-15 17:54:43 +0100
-@@ -2421,6 +2421,8 @@
- datalen = BIO_get_mem_data(mem, &data);
-
- if (data) {
-+ if (datalen > sizeof(buf)-1)
-+ datalen = sizeof(buf)-1;
- memset(&buf, '\0', sizeof(buf));
- memcpy(buf, data, datalen);
- buf[datalen] = '\0';
diff --git a/proftpd-1.3.0-rpath.patch b/proftpd-1.3.0-rpath.patch
deleted file mode 100644
index a3967cc..0000000
--- a/proftpd-1.3.0-rpath.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -Naupr proftpd-1.3.0.orig/configure proftpd-1.3.0/configure
---- proftpd-1.3.0.orig/configure 2006-03-09 19:20:04.000000000 +0100
-+++ proftpd-1.3.0.orig/configure 2006-03-09 19:20:04.000000000 +0100
-@@ -19660,7 +19660,7 @@ if test "${enable_dso+set}" = set; then
- ac_build_core_modules="$ac_build_core_modules modules/mod_dso.o"
- ac_build_addl_includes="$INCLTDL $ac_build_addl_includes"
-
-- MAIN_LDFLAGS="-L\$(top_srcdir)/lib/libltdl -dlopen self -export-dynamic -rpath \$(DESTDIR)\$(sbindir)"
-+ MAIN_LDFLAGS="-L\$(top_srcdir)/lib/libltdl -dlopen self -export-dynamic"
- MAIN_LIBS="\$(LIBLTDL)"
-
- MODULE_LDFLAGS="-avoid-version -export-dynamic -module"
-diff -Naupr proftpd-1.3.0.orig/configure.in proftpd-1.3.0/configure.in
---- proftpd-1.3.0.orig/configure.in 2006-03-09 19:12:35.000000000 +0100
-+++ proftpd-1.3.0.orig/configure.in 2006-03-09 19:12:35.000000000 +0100
-@@ -372,7 +372,7 @@ AC_ARG_ENABLE(dso,
- ac_build_core_modules="$ac_build_core_modules modules/mod_dso.o"
- ac_build_addl_includes="$INCLTDL $ac_build_addl_includes"
-
-- MAIN_LDFLAGS="-L\$(top_srcdir)/lib/libltdl -dlopen self -export-dynamic -rpath \$(DESTDIR)\$(sbindir)"
-+ MAIN_LDFLAGS="-L\$(top_srcdir)/lib/libltdl -dlopen self -export-dynamic"
- MAIN_LIBS="\$(LIBLTDL)"
-
- MODULE_LDFLAGS="-avoid-version -export-dynamic -module"
diff --git a/proftpd-1.3.0a-ctrls-bug2867.patch b/proftpd-1.3.0a-ctrls-bug2867.patch
deleted file mode 100644
index 9ee5923..0000000
--- a/proftpd-1.3.0a-ctrls-bug2867.patch
+++ /dev/null
@@ -1,44 +0,0 @@
---- src/ctrls.c 2006/10/24 16:13:31 1.14
-+++ src/ctrls.c 2006/12/12 16:34:43 1.15
-@@ -534,11 +534,20 @@
- return -1;
- }
-
-+ if (reqarglen >= sizeof(reqaction)) {
-+ pr_signals_unblock();
-+ errno = ENOMEM;
-+ return -1;
-+ }
-+
-+ memset(reqaction, '\0', sizeof(reqaction));
-+
- if (read(cl->cl_fd, reqaction, reqarglen) < 0) {
- pr_signals_unblock();
- return -1;
- }
-
-+ reqaction[sizeof(reqaction)-1] = '\0';
- nreqargs--;
-
- /* Find a matching action object, and use it to populate a ctrl object,
-@@ -657,17 +666,16 @@
- return -1;
- }
-
-- memset(response, '\0', sizeof(response));
--
- /* Make sure resparglen is not too big */
-- if (resparglen > sizeof(response)) {
-+ if (resparglen >= sizeof(response)) {
- pr_signals_unblock();
- errno = ENOMEM;
- return -1;
- }
-
-- bread = read(ctrls_sockfd, response, resparglen);
-+ memset(response, '\0', sizeof(response));
-
-+ bread = read(ctrls_sockfd, response, resparglen);
- while (bread != resparglen) {
- if (bread < 0) {
- pr_signals_unblock();
diff --git a/proftpd-1.3.0a-open.patch b/proftpd-1.3.0a-open.patch
deleted file mode 100644
index efb2185..0000000
--- a/proftpd-1.3.0a-open.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff -Naupr proftpd-1.3.0a.orig/src/fsio.c proftpd-1.3.0a/src/fsio.c
---- proftpd-1.3.0a.orig/src/fsio.c 2006-03-22 23:10:34.000000000 +0100
-+++ proftpd-1.3.0a/src/fsio.c 2007-08-08 19:23:39.000000000 +0200
-@@ -2450,7 +2450,7 @@ pr_fh_t *pr_fsio_open_canon(const char *
- fs = fs->fs_next;
-
- pr_log_debug(DEBUG9, "FS: using %s open()", fs->fs_name);
-- fh->fh_fd = fs->open(fh, deref, flags);
-+ fh->fh_fd = (fs->open)(fh, deref, flags);
-
- if (fh->fh_fd == -1) {
- destroy_pool(fh->fh_pool);
-@@ -2490,7 +2490,7 @@ pr_fh_t *pr_fsio_open(const char *name,
- fs = fs->fs_next;
-
- pr_log_debug(DEBUG9, "FS: using %s open()", fs->fs_name);
-- fh->fh_fd = fs->open(fh, name, flags);
-+ fh->fh_fd = (fs->open)(fh, name, flags);
-
- if (fh->fh_fd == -1) {
- destroy_pool(fh->fh_pool);
-diff -Naupr proftpd-1.3.0a.orig/src/netio.c proftpd-1.3.0a/src/netio.c
---- proftpd-1.3.0a.orig/src/netio.c 2004-10-09 22:46:22.000000000 +0200
-+++ proftpd-1.3.0a/src/netio.c 2007-08-08 19:20:36.000000000 +0200
-@@ -367,22 +367,22 @@ pr_netio_stream_t *pr_netio_open(pool *p
- if (strm_type == PR_NETIO_STRM_CTRL) {
- nstrm->strm_type = PR_NETIO_STRM_CTRL;
- nstrm->strm_mode = mode;
-- return ctrl_netio ? ctrl_netio->open(nstrm, fd, mode) :
-- core_ctrl_netio->open(nstrm, fd, mode);
-+ return ctrl_netio ? (ctrl_netio->open)(nstrm, fd, mode) :
-+ (core_ctrl_netio->open)(nstrm, fd, mode);
- }
-
- if (strm_type == PR_NETIO_STRM_DATA) {
- nstrm->strm_type = PR_NETIO_STRM_DATA;
- nstrm->strm_mode = mode;
-- return data_netio ? data_netio->open(nstrm, fd, mode) :
-- core_data_netio->open(nstrm, fd, mode);
-+ return data_netio ? (data_netio->open)(nstrm, fd, mode) :
-+ (core_data_netio->open)(nstrm, fd, mode);
- }
-
- if (strm_type == PR_NETIO_STRM_OTHR) {
- nstrm->strm_type = PR_NETIO_STRM_OTHR;
- nstrm->strm_mode = mode;
-- return othr_netio ? othr_netio->open(nstrm, fd, mode) :
-- core_othr_netio->open(nstrm, fd, mode);
-+ return othr_netio ? (othr_netio->open)(nstrm, fd, mode) :
-+ (core_othr_netio->open)(nstrm, fd, mode);
- }
-
- destroy_pool(nstrm->strm_pool);
diff --git a/proftpd-1.3.1rc3-configh.patch b/proftpd-1.3.1rc3-configh.patch
new file mode 100644
index 0000000..78e43dc
--- /dev/null
+++ b/proftpd-1.3.1rc3-configh.patch
@@ -0,0 +1,14 @@
+diff -Naupr proftpd-1.3.1rc3.orig/lib/sstrncpy.c proftpd-1.3.1rc3/lib/sstrncpy.c
+--- proftpd-1.3.1rc3.orig/lib/sstrncpy.c 2006-12-06 05:05:31.000000000 +0100
++++ proftpd-1.3.1rc3/lib/sstrncpy.c 2007-08-19 17:45:27.000000000 +0200
+@@ -24,6 +24,10 @@
+ * the source code for OpenSSL in the source distribution.
+ */
+
++#ifdef HAVE_CONFIG_H
++# include
++#endif
++
+ #include
+ #include
+ #include
diff --git a/proftpd-1.3.1rc3-mod_sql_mysql-fix.patch b/proftpd-1.3.1rc3-mod_sql_mysql-fix.patch
new file mode 100644
index 0000000..afa6d45
--- /dev/null
+++ b/proftpd-1.3.1rc3-mod_sql_mysql-fix.patch
@@ -0,0 +1,12 @@
+diff -Naupr proftpd-1.3.1rc3.orig/contrib/mod_sql_mysql.c proftpd-1.3.1rc3/contrib/mod_sql_mysql.c
+--- proftpd-1.3.1rc3.orig/contrib/mod_sql_mysql.c 2007-05-09 19:15:18.000000000 +0200
++++ proftpd-1.3.1rc3/contrib/mod_sql_mysql.c 2007-08-19 17:48:39.000000000 +0200
+@@ -595,7 +595,7 @@ MODRET cmd_defineconnection(cmd_rec *cmd
+ }
+
+ if (!conn_pool) {
+- pr_log_pri(PR_LOG_WARNING, "warning: the mod_sql_mysql module has not been
++ pr_log_pri(PR_LOG_WARNING, "warning: the mod_sql_mysql module has not been "
+ "properly intialized. Please make sure your --with-modules configure "
+ "option lists mod_sql *before* mod_sql_mysql, and recompile.");
+
diff --git a/proftpd-xinetd b/proftpd-xinetd
index d99532e..fa24aee 100644
--- a/proftpd-xinetd
+++ b/proftpd-xinetd
@@ -1,5 +1,4 @@
 # default: off
-# $Id: proftpd-xinetd,v 1.2 2002/06/10 15:35:47 dude Exp $
 # description: The ProFTPD FTP server serves FTP connections. It uses \
 # normal, unencrypted usernames and passwords for authentication.
 service ftp
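Review bot: In proftpd-1.3.1rc3-configh.patch the added `# include` line inside the `HAVE_CONFIG_H` guard names no header as shown here, and the three context `#include` lines under it are bare as well, so the `<...>` operands were most likely stripped when this page was rendered rather than missing from the patch. Going by the patch name and the changelog entry, the line presumably reads `# include <config.h>`; confirm against the patch file itself before reusing this listing. The patch also carries no description, so a first line such as `Include config.h in lib/sstrncpy.c (reported upstream as #2964)` would tell a later packager when it can be dropped.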
diff --git a/proftpd.conf b/proftpd.conf
index f2fb10d..65e4bd2 100644
--- a/proftpd.conf
+++ b/proftpd.conf
@@ -1,5 +1,4 @@
 # This is the ProFTPD configuration file
-# $Id: proftpd.conf,v 1.1 2004/02/26 17:54:30 thias Exp $
 ServerName "ProFTPD server"
 ServerIdent on "FTP Server ready."
diff --git a/proftpd.init b/proftpd.init
index 6838127..9bd3a50 100755
--- a/proftpd.init
+++ b/proftpd.init
@@ -1,11 +1,10 @@
 #!/bin/sh
-# $Id: proftpd.init,v 1.1 2004/02/26 17:54:30 thias Exp $
 #
 # proftpd This shell script takes care of starting and stopping
 # proftpd.
 #
 # chkconfig: - 80 30
-# description: ProFTPD is an enhanced FTP server with a focus towards \
+# description: ProFTPd is an enhanced FTP server with a focus towards \
 # simplicity, security, and ease of configuration. \
 # It features a very Apache-like configuration syntax, \
 # and a highly customizable server infrastructure, \
@@ -15,6 +14,19 @@
 # config: /etc/proftp.conf
 # pidfile: /var/run/proftpd.pid
+### BEGIN INIT INFO
+# Provides: proftpd ftpserver
+# Required-Start: $local_fs $network $named $remote_fs
+# Required-Stop: $local_fs $network $named $remote_fs
+# Short-Description: ProFTPd FTP Server
+# Description: ProFTPd is an enhanced FTP server with a focus towards
+# simplicity, security, and ease of configuration.
+# It features a very Apache-like configuration syntax,
+# and a highly customizable server infrastructure,
+# including support for multiple 'virtual' FTP servers,
+# anonymous FTP, and permission-based directory visibility.
+### END INIT INFO
+
 # Source function library.
 . /etc/rc.d/init.d/functions
@@ -62,21 +74,21 @@ case "$1" in
 stop
 start
 ;;
- condrestart)
+ try-restart|condrestart)
 if [ -f /var/lock/subsys/proftpd ]; then
 stop
 start
 fi
 ;;
- reload)
+ reload|force-reload)
 echo -n $"Re-reading $prog configuration: "
 killproc proftpd -HUP
 RETVAL=$?
 echo
 ;;
 *)
- echo "Usage: $prog {start|stop|restart|reload|condrestart|status}"
- exit 1
+ echo "Usage: $prog {start|stop|restart|try-restart|reload|status}"
+ exit 2
 esac
 exit $RETVAL
diff --git a/proftpd.spec b/proftpd.spec
index 6bda950..e99ae57 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -1,23 +1,21 @@
+%define prever rc3
+
 Summary: Flexible, stable and highly-configurable FTP server
 Name: proftpd
-Version: 1.3.0a
-Release: 8%{?dist}
+Version: 1.3.1
+Release: 0.1.%{prever}%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://www.proftpd.org/
-Source0: ftp://ftp.proftpd.org/distrib/source/proftpd-%{version}.tar.bz2
+Source0: ftp://ftp.proftpd.org/distrib/source/proftpd-%{version}%{prever}.tar.bz2
 Source1: proftpd.conf
 Source2: proftpd.init
 Source3: proftpd-xinetd
 Source4: proftpd.logrotate
 Source5: welcome.msg
 Source6: proftpd.pam
-Patch0: proftpd-1.3.0-rpath.patch
-Patch1: proftpd-1.3.0-ctrls-restart.patch
-Patch2: proftpd-1.3.0-cmdbufsize.patch
-Patch3: proftpd-1.3.0-mod_tls.patch
-Patch4: proftpd-1.3.0a-ctrls-bug2867.patch
-Patch5: proftpd-1.3.0a-open.patch
+Patch0: proftpd-1.3.1rc3-configh.patch
+Patch1: proftpd-1.3.1rc3-mod_sql_mysql-fix.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 Requires: pam >= 0.59
 Requires(post): /sbin/chkconfig
@@ -67,13 +65,9 @@ Module to add PostgreSQL support to the ProFTPD FTP server.
 %prep
-%setup -q
-%patch0 -p1 -b .rpath
-%patch1 -p0 -b .ctrls-restart
-%patch2 -p1 -b .cmdbufsize
-%patch3 -p0 -b .mod_tls
-%patch4 -p0 -b .ctrls-bug2867
-%patch5 -p1 -b .open
+%setup -q -n %{name}-%{version}%{prever}
+%patch0 -p1 -b .configh
+%patch1 -p1 -b .mod_sql_mysql-fix
 %build
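Review bot: In proftpd.init the usage text in the `*)` branch lists `try-restart` but leaves out `force-reload` and `condrestart`, although both are still accepted by the case arms above it. Listing every accepted verb keeps the help text in step with the script: `echo "Usage: $prog {start|stop|restart|try-restart|condrestart|reload|force-reload|status}"`. The `case` statement opens before this hunk, so the arms outside it were not reviewed.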
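Review bot: In the first proftpd.spec hunk, `Source0` now names a release-candidate tarball fetched over plain `ftp://`, and the only integrity pin this commit carries is the MD5 line in `sources`; nothing visible records that the tarball was checked against anything upstream publishes. If upstream provides a detached signature for the tarball, it should be verified before upload and the fact noted next to `Source0`, for example `# tarball verified against upstream signature (key: <KEY-ID-PLACEHOLDER>)`.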
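Review bot: The `%prep` hunk of proftpd.spec stops applying all six old patches (their `PatchN:` lines are removed in the first spec hunk), and three of them were bounds or length checks: the `datalen` clamp before `memcpy` in contrib/mod_tls.c, the `reqarglen` and `resparglen` checks in src/ctrls.c, and the CommandBufferSize validation in src/main.c. The changelog only says none are useful anymore, and nothing in this commit shows that the 1.3.1rc3 sources carry each of those checks. Each should be confirmed against the new tarball and, once confirmed, recorded in the changelog, for example `- Drop mod_tls, ctrls-bug2867 and cmdbufsize patches, all merged upstream in 1.3.1rc3.`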
@@ -87,6 +81,7 @@ Module to add PostgreSQL support to the ProFTPD FTP server.
 --enable-facl \
 --enable-dso \
 --enable-ipv6 \
+ --enable-openssl \
 --with-libraries="%{_libdir}/mysql" \
 --with-includes="%{_includedir}/mysql" \
 --with-modules=mod_readme:mod_auth_pam:mod_tls \
@@ -163,6 +158,7 @@ fi
 %{_sysconfdir}/rc.d/init.d/proftpd
 %{_mandir}/man?/*
 %{_bindir}/*
+%exclude %{_includedir}/proftpd/
 %dir %{_libexecdir}/proftpd/
 %{_libexecdir}/proftpd/mod_quotatab.so
 %{_libexecdir}/proftpd/mod_quotatab_file.so
@@ -196,6 +192,16 @@ fi
 %changelog
+* Sun Aug 19 2007 Matthias Saou 1.3.1-0.1.rc3
+- Update to 1.3.1rc3 (the only version to fix #237533 aka CVE-2007-2165).
+- Remove all patches, none are useful anymore.
+- Patch sstrncpy.c for config.h not being included (reported upstream #2964).
+- Patch mod_sql_mysql.c to fix a typo (already fixed in CVS upstream).
+- Exclude new headers, at least until some first 3rd party module shows up.
+- Clean up old leftover CVS strings from our extra files.
+- LSB-ize the init script (#247033).
+- Explicitly pass --enable-openssl since configure tells us "(default=no)".
+
 * Sun Aug 12 2007 Matthias Saou 1.3.0a-8
 - Fix logrotate entry to silence error when proftpd isn't running (#246392).
diff --git a/sources b/sources
index 0a6a32b..66bcf58 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-cc2e99f38a810982f91d5cbe1f4091f0 proftpd-1.3.0a.tar.bz2
+485af3aee9ecebfeae1ae2003250a3a9 proftpd-1.3.1rc3.tar.bz2