From: Mike Frysinger Date: Sun, 21 Jan 2007 18:54:47 +0000 (+0000) Subject: rename from "ftpd" and update for security #155317 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=ff1920949c392ddcf670a6e787ecba4b8250e90c;p=gentoo.git rename from "ftpd" and update for security #155317 Package-Manager: portage-2.1.2-r1
---
diff --git a/net-ftp/netkit-ftpd/ChangeLog b/net-ftp/netkit-ftpd/ChangeLog
new file mode 100644
index 000000000000..0207ab2e8479
--- /dev/null
+++ b/net-ftp/netkit-ftpd/ChangeLog
@@ -0,0 +1,130 @@ +# ChangeLog for net-ftp/netkit-ftpd +# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/net-ftp/netkit-ftpd/ChangeLog,v 1.1 2007/01/21 18:54:47 vapier Exp $ + +*ftpd-0.17-r5 (21 Jan 2007) + + 21 Jan 2007; Mike Frysinger +ftpd-0.17-r5.ebuild, + +netkit-ftpd-0.17-build.patch, +netkit-ftpd-0.17-cleanup.patch, + +netkit-ftpd-0.17-cleanup-ssl.patch, netkit-ftpd-0.17-setguid.patch: + Version bump to fix security issues #155317. + + 08 Jan 2007; Danny van Dyk -ftpd-0.17-r3.ebuild: + QA: Removed unused versions. + + 17 Oct 2006; Gustavo Zacarias ftpd-0.17-r4.ebuild: + sparc stable for real + + 15 Oct 2006; Jason Wever ChangeLog: + Stable on SPARC wrt security bug #150292. + + 14 Oct 2006; Aron Griffis ftpd-0.17-r4.ebuild: + Mark 0.17-r4 ~ia64 + + 14 Oct 2006; Thomas Cort ftpd-0.17-r4.ebuild: + Stable on alpha and amd64 wrt security Bug #150292. + + 12 Oct 2006; Paul Varner ftpd-0.17-r4.ebuild: + Stable on x86 - Bug #150292 + + 11 Oct 2006; Tobias Scherbaum ftpd-0.17-r4.ebuild: + ppc stable, bug #150292 + +*ftpd-0.17-r4 (11 Oct 2006) + + 11 Oct 2006; Chris White + +files/ftpd-0.17-setguid.patch, +ftpd-0.17-r4.ebuild: + Security bump for bug #384454. + + 05 Aug 2006; Chris White -ftpd-0.17.ebuild, + -ftpd-0.17-r1.ebuild, -ftpd-0.17-r2.ebuild: + Security punts for bug #140498. + + 20 Jun 2006; Stefan Schweizer + +files/ftpd-0.17-gcc41.patch, +metadata.xml, ftpd-0.17-r3.ebuild: + Gcc41 patch thanks to Piotr Jaroszynski in bug 135713 + thanks to Frank T. Lofaro Jr. , add maintainer-needed + metadata.xml + + 28 Jan 2006; Simon Stelling ftpd-0.17.ebuild, + ftpd-0.17-r1.ebuild, ftpd-0.17-r2.ebuild: + move binary files to mirrors + + 11 Nov 2005; Simon Stelling ftpd-0.17-r3.ebuild: + stable on amd64 wrt bug 111573 + + 10 Nov 2005; Jose Luis Rivero ftpd-0.17-r3.ebuild: + Stable on alpha wrt security bug #111573 + + 10 Nov 2005; Jason Wever ftpd-0.17-r3.ebuild: + Stable on SPARC wrt bug #111573. 
+ + 10 Nov 2005; Mark Loeser ftpd-0.17-r3.ebuild: + Stable on x86; bug #111573 + +*ftpd-0.17-r3 (09 Nov 2005) + + 09 Nov 2005; Daniel Black + +ftpd-0.17-r3.ebuild: + bumped with a better patch from solar + +*ftpd-0.17-r2 (06 Nov 2005) + + 06 Nov 2005; Daniel Black + +files/ftpd-0.17+ssl-0.3-overflowpatch.diff, +ftpd-0.17-r2.ebuild: + fix remote hole in linux-ftpd-ssl - security bug #111573 - patch thanks to + James Longstreet, bug thanks to Wernfried Haas + + 26 Jul 2005; David Holm ftpd-0.17-r1.ebuild: + Added to ~ppc. + + 19 Oct 2004; Dylan Carlson ftpd-0.17-r1.ebuild: + Stable on amd64. + + 14 Aug 2004; Sven Wegener files/ftp.xinetd: + Fixed CVS Header. + + 19 Jun 2004; Jason Wever ftpd-0.17-r1.ebuild: + Stable on sparc. + + 09 Jun 2004; Aron Griffis ftpd-0.17-r1.ebuild, + ftpd-0.17.ebuild: + Fix use invocation + + 13 Aug 2003; Aron Griffis ftpd-0.17-r1.ebuild: + Mark stable on alpha for LiveCD + + 08 Jun 2003; Seemant Kulleen ftpd-0.17-r1.ebuild: + shadow fix patch is not ssl specific, moved out of ssl USE check. Thanks again + to: Frank Straetz + +*ftpd-0.17-r1 (07 Jun 2003) + + 07 Jun 2003; Seemant Kulleen ftpd-0.17-r1.ebuild, + files/ftpd-0.17-shadowfix.patch: + fix for shadow passwords, to close bug #12353 opened by Adam Bolte + . Fix provided by Frank Straetz + +*ftpd-0.17 (25 Nov 2002) + + 29 Apr 2003; Jason Wever ftpd-0.17.ebuild: + Added ~sparc to keywords. + + 19 Apr 2003; Martin Holzer ftpd-0.17.ebuild: + Changed to virtual/inetd depend. + + 09 Feb 2003; Seemant Kulleen ftpd-0.17.ebuild : + + Sed expression delimiter from / to :, closing bug #15006 by Blu3 + + + 15 Jan 2003; Nick Hadaway ftpd-0.17.ebuild : + Fixed a typo in postinst and added xinetd as an RDEPEND and now + installing an /etc/xinetd.d/ftp. Also changed to epatch. + + 05 Dec 2002; Nick Hadaway ftpd-0.17.ebuild : + Marked stable. + + 25 Nov 2002; Nick Hadaway ftpd-0.17.ebuild, + files/digest-ftpd-0.17.ebuild, files/ssl.diff.gz : + New ebuild. 
Your basic netkit linux-ftpd patched for ssl support.
diff --git a/net-ftp/netkit-ftpd/files/digest-netkit-ftpd-0.17-r4 b/net-ftp/netkit-ftpd/files/digest-netkit-ftpd-0.17-r4
new file mode 100644
index 000000000000..9c0de1ba222e
--- /dev/null
+++ b/net-ftp/netkit-ftpd/files/digest-netkit-ftpd-0.17-r4
@@ -0,0 +1,6 @@
+MD5 0b9185d5144904798b721354ea9ff156 linux-ftpd-0.17-ssl.patch 36459
+RMD160 5a0d7301f69b4c1714f36419f98134f9aa0ce874 linux-ftpd-0.17-ssl.patch 36459
+SHA256 0082ee6a71fdd83f61e63166f7bbba97c204cdc67f9e1bf10f2df31590fba780 linux-ftpd-0.17-ssl.patch 36459
+MD5 f5f491564812db5d8783daa538c49186 linux-ftpd-0.17.tar.gz 46763
+RMD160 869e410d8f063c764c04f1d3b41b625a9d679d22 linux-ftpd-0.17.tar.gz 46763
+SHA256 65a0b249e38bf3c3a16dbd4d3edd2657683ca8f47b307e92007f378b21d2fa65 linux-ftpd-0.17.tar.gz 46763
diff --git a/net-ftp/netkit-ftpd/files/digest-netkit-ftpd-0.17-r5 b/net-ftp/netkit-ftpd/files/digest-netkit-ftpd-0.17-r5
new file mode 100644
index 000000000000..9c0de1ba222e
--- /dev/null
+++ b/net-ftp/netkit-ftpd/files/digest-netkit-ftpd-0.17-r5
@@ -0,0 +1,6 @@
+MD5 0b9185d5144904798b721354ea9ff156 linux-ftpd-0.17-ssl.patch 36459
+RMD160 5a0d7301f69b4c1714f36419f98134f9aa0ce874 linux-ftpd-0.17-ssl.patch 36459
+SHA256 0082ee6a71fdd83f61e63166f7bbba97c204cdc67f9e1bf10f2df31590fba780 linux-ftpd-0.17-ssl.patch 36459
+MD5 f5f491564812db5d8783daa538c49186 linux-ftpd-0.17.tar.gz 46763
+RMD160 869e410d8f063c764c04f1d3b41b625a9d679d22 linux-ftpd-0.17.tar.gz 46763
+SHA256 65a0b249e38bf3c3a16dbd4d3edd2657683ca8f47b307e92007f378b21d2fa65 linux-ftpd-0.17.tar.gz 46763
diff --git a/net-ftp/netkit-ftpd/files/ftp.xinetd b/net-ftp/netkit-ftpd/files/ftp.xinetd
new file mode 100644
index 000000000000..2081ba9be2be
--- /dev/null
+++ b/net-ftp/netkit-ftpd/files/ftp.xinetd
@@ -0,0 +1,13 @@
+# default: off
+# $Header: /var/cvsroot/gentoo-x86/net-ftp/netkit-ftpd/files/ftp.xinetd,v 1.1 2007/01/21 18:54:47 vapier Exp $
+# description: The netkit ftp daemon with optional SSL support.
+
+service ftp
+{
+ socket_type = stream
+ protocol = tcp
+ wait = no
+ user = root
+ server = /usr/bin/ftpd
+ disable = yes
+}
diff --git a/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-build.patch b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-build.patch
new file mode 100644
index 000000000000..6df58378c93f
--- /dev/null
+++ b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-build.patch
@@ -0,0 +1,43 @@
+--- configure
++++ configure
+@@ -114,40 +114,6 @@
+ echo 'no'
+ fi
+
+-if [ x$DEBUG = x ]; then
+- echo -n "Checking if $CC accepts -O2... "
+- if (
+- $CC -O2 __conftest.c -o __conftest
+- ) >/dev/null 2>&1; then
+- echo 'yes'
+- CFLAGS="$CFLAGS -O2"
+- else
+- echo 'no'
+- echo -n "Checking if $CC accepts -O... "
+- if (
+- $CC -O __conftest.c -o __conftest
+- ) >/dev/null 2>&1; then
+- echo 'yes'
+- CFLAGS="$CFLAGS -O"
+- else
+- echo 'no'
+- fi
+- fi
+-
+-else
+- echo -n "Checking if $CC accepts -g... "
+- if (
+- $CC -g __conftest.c -o __conftest
+- ) >/dev/null 2>&1; then
+- echo 'yes'
+- CFLAGS="$CFLAGS -g"
+- else
+- echo 'no'
+- fi
+-
+-fi
+-
+-LDFLAGS=
+ LIBS=
+
+ rm -f __conftest*
diff --git a/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-cleanup-ssl.patch b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-cleanup-ssl.patch
new file mode 100644
index 000000000000..e228eaceda5f
--- /dev/null
+++ b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-cleanup-ssl.patch
@@ -0,0 +1,10 @@
+--- ftpd/ftpcmd.y
++++ ftpd/ftpcmd.y
+@@ -109,6 +109,7 @@
+ typedef struct ssl_st SSL;
+ int SSL_write(SSL *ssl,const char *buf,int num);
+ extern int do_ssl_start(void);
++int ssl_getc(SSL *ssl_con);
+ extern int ssl_secure_flag;
+ extern int ssl_active_flag;
+ extern SSL *ssl_con;
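Review bot: The `service ftp` stanza in ftp.xinetd starts `/usr/bin/ftpd` as root with no `server_args`, so an operator who flips `disable = yes` gets a daemon that records no login trail of its own. Adding `server_args = -l` (the ftpd option that logs each successful and failed session to syslog) would make authentication activity visible by default. A short comment beside `user = root`, for example `# ftpd must start as root so it can switch to the authenticated user`, would also explain why the service is not given an unprivileged account.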
diff --git a/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-cleanup.patch b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-cleanup.patch
new file mode 100644
index 000000000000..73289adfba05
--- /dev/null
+++ b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-cleanup.patch
@@ -0,0 +1,10 @@
+--- ftpd/logwtmp.c
++++ ftpd/logwtmp.c
+@@ -43,6 +43,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
diff --git a/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-gcc41.patch b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-gcc41.patch
new file mode 100644
index 000000000000..5f516ce5d356
--- /dev/null
+++ b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-gcc41.patch
@@ -0,0 +1,32 @@
+--- linux-ftpd-0.17/ftpd/ftpcmd.y
++++ linux-ftpd-0.17/ftpd/ftpcmd.y
+@@ -125,7 +125,14 @@
+ char cbuf[512];
+ char *fromname;
+
+-struct tab;
++struct tab {
++ const char *name;
++ short token;
++ short state;
++ short implemented; /* 1 if command is implemented */
++ const char *help;
++};
++
+ static int yylex __P((void));
+ static void sizecmd __P((char *));
+ static void help __P((struct tab *, char *));
+@@ -891,13 +898,6 @@
+ #define SITECMD 7 /* SITE command */
+ #define NSTR 8 /* Number followed by a string */
+
+-struct tab {
+- const char *name;
+- short token;
+- short state;
+- short implemented; /* 1 if command is implemented */
+- const char *help;
+-};
+
+ struct tab cmdtab[] = { /* In order defined in RFC 765 */
+ { "AUTH", AUTH, STR1, 1, " auth_type" },
diff --git a/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-setguid.patch b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-setguid.patch
new file mode 100644
index 000000000000..f5d0cf75fcfd
--- /dev/null
+++ b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-setguid.patch
@@ -0,0 +1,66 @@
+--- linux-ftpd-0.17/ftpd/popen.c
++++ linux-ftpd-0.17/ftpd/popen.c
+@@ -169,8 +169,13 @@
+ * XXX: this doesn't seem right... and shouldn't
+ * we initgroups, or at least setgroups(0,0)?
+ */
+- setgid(getegid());
+- setuid(i);
++
++/*
++ * PSz 25 Aug 06 Must check the return status of these setgid/setuid calls,
++ * see http://www.bress.net/blog/archives/34-setuid-madness.html
++ */
++ if ( setgid(getegid()) != 0 ) _exit(1);
++ if ( setuid(i) != 0 ) _exit(1);
+
+ #ifndef __linux__
+ /*
+--- linux-ftpd-0.17/ftpd/ftpd.c
++++ linux-ftpd-0.17/ftpd/ftpd.c
+@@ -1159,6 +1159,13 @@
+ }
+ strcpy(pw->pw_dir, "/");
+ setenv("HOME", "/", 1);
++ }
++ /* PSz 25 Aug 06 chdir for real users done after setting UID */
++ if (seteuid((uid_t)pw->pw_uid) < 0) {
++ reply(550, "Can't set uid.");
++ goto bad;
++ }
++ if (guest || dochroot) { /* do nothing, handled above */
+ } else if (chdir(pw->pw_dir) < 0) {
+ if (chdir("/") < 0) {
+ reply(530, "User %s: can't change directory to %s.",
+@@ -1167,10 +1174,7 @@
+ } else
+ lreply(230, "No directory! Logging in with home=/");
+ }
+- if (seteuid((uid_t)pw->pw_uid) < 0) {
+- reply(550, "Can't set uid.");
+- goto bad;
+- }
++
+ sigfillset(&allsigs);
+ sigprocmask(SIG_UNBLOCK,&allsigs,NULL);
+
+@@ -1408,7 +1412,8 @@
+ goto bad;
+ sleep(tries);
+ }
+- (void) seteuid((uid_t)pw->pw_uid);
++/* PSz 25 Aug 06 Check return status */
++ if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
+ sigfillset(&allsigs);
+ sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
+
+@@ -1440,7 +1445,8 @@
+ bad:
+ /* Return the real value of errno (close may change it) */
+ t = errno;
+- (void) seteuid((uid_t)pw->pw_uid);
++/* PSz 25 Aug 06 Check return status */
++ if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
+ sigfillset (&allsigs);
+ sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
+ (void) close(s);
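Review bot: The popen.c hunk makes `setgid()`/`setuid()` failures fatal but still leaves the supplementary group list untouched, which is the gap the XXX comment directly above already asks about, so the spawned child may keep groups inherited from the daemon. If the process is still privileged at that point (not visible in the hunk), clear them before the gid change with `if (setgroups(0, NULL) != 0) _exit(1);`. In ftpd.c the two new `if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);` lines end the session silently, unlike the login path that sends `reply(550, "Can't set uid.")`; logging the failure before `_exit(1)` would leave a trace for whoever investigates the dropped connection. All enclosing functions start and end outside these hunks.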
diff --git a/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-shadowfix.patch b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-shadowfix.patch
new file mode 100644
index 000000000000..79a241ff9c51
--- /dev/null
+++ b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-shadowfix.patch
@@ -0,0 +1,28 @@
+--- linux-ftpd-0.17/ftpd/Makefile
++++ linux-ftpd-0.17-patched/ftpd/Makefile
+@@ -19,7 +19,11 @@
+ all: ftpd
+
+ %.o: %.c
++ ifdef USE_SHADOW
++ $(CC) $(CFLAGS) -DUSE_SHADOW -DHASSETPROCTITLE $< -c
++ else
+ $(CC) $(CFLAGS) -DHASSETPROCTITLE $< -c
++ endif
+
+ ftpcmd.c: %.c: %.y
+ $(YACC) $<
+--- linux-ftpd-0.17/support/Makefile
++++ linux-ftpd-0.17-patched/support/Makefile
+@@ -5,7 +5,11 @@
+ all: libsupport.a
+
+ %.o: %.c
++ ifdef USE_SHADOW
++ $(CC) $(CFLAGS) -DUSE_SHADOW -DHASSETPROCTITLE $< -c
++ else
+ $(CC) $(CFLAGS) -DHASSETPROCTITLE $< -c
++ endif
+
+ libsupport.a: $(OBJS)
+ ar -cruv $@ $^
diff --git a/net-ftp/netkit-ftpd/metadata.xml b/net-ftp/netkit-ftpd/metadata.xml
new file mode 100644
index 000000000000..0384a4ab03a7
--- /dev/null
+++ b/net-ftp/netkit-ftpd/metadata.xml
@@ -0,0 +1,5 @@
+
+
+
+base-system
+
diff --git a/net-ftp/netkit-ftpd/netkit-ftpd-0.17-r4.ebuild b/net-ftp/netkit-ftpd/netkit-ftpd-0.17-r4.ebuild
new file mode 100644
index 000000000000..85f2e9666d2c
--- /dev/null
+++ b/net-ftp/netkit-ftpd/netkit-ftpd-0.17-r4.ebuild
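Review bot: The `ifdef USE_SHADOW` / `else` / `endif` lines in netkit-ftpd-0.17-shadowfix.patch sit inside the `%.o: %.c` recipe and duplicate the whole compile command, in both ftpd/Makefile and support/Makefile. Whether make reads them as conditionals or hands them to the shell depends on their leading whitespace, which this rendering does not preserve, so the construct is fragile. Keeping a single recipe line and selecting the define above the rule is harder to get wrong: `ifdef USE_SHADOW`, `CFLAGS += -DUSE_SHADOW`, `endif`. Neither ebuild passes USE_SHADOW to `emake`, so it is worth confirming that configure/MCONFIG defines it; otherwise the shadow-password code is presumably never compiled in.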
@@ -0,0 +1,57 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-ftp/netkit-ftpd/netkit-ftpd-0.17-r4.ebuild,v 1.1 2007/01/21 18:54:47 vapier Exp $
+
+inherit eutils ssl-cert
+
+MY_P="linux-ftpd-${PV}"
+DESCRIPTION="The netkit FTP server with optional SSL support"
+HOMEPAGE="http://www.hcs.harvard.edu/~dholland/computers/netkit.html"
+SRC_URI="ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/${MY_P}.tar.gz
+ mirror://gentoo/${MY_P}-ssl.patch"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="alpha amd64 ~ia64 ppc sparc x86"
+IUSE="ssl"
+
+DEPEND="ssl? ( dev-libs/openssl )"
+RDEPEND="${DEPEND}
+ virtual/inetd"
+
+S=${WORKDIR}/${MY_P}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ use ssl && epatch "${DISTDIR}"/${MY_P}-ssl.patch
+ epatch "${FILESDIR}"/${P}-shadowfix.patch
+ epatch "${FILESDIR}"/${P}-gcc41.patch
+ epatch "${FILESDIR}"/${P}-setguid.patch
+}
+
+src_compile() {
+ ./configure --prefix=/usr || die "configure failed"
+ sed -i -e "s:-pipe -O2:${CFLAGS}:" MCONFIG
+ emake || die "parallel make failed"
+}
+
+src_install() {
+ dobin ftpd/ftpd || die
+ doman ftpd/ftpd.8
+ dodoc README ChangeLog
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}"/ftp.xinetd ftp
+ if use ssl ; then
+ insinto /etc/ssl/certs
+ docert ftpd
+ fi
+}
+
+pkg_postinst() {
+ if use ssl ; then
+ einfo "In order to start the server with SSL support"
+ einfo "You need a certificate /etc/ssl/certs/ftpd.pem."
+ einfo "A temporary certificiate has been created."
+ fi
+}
diff --git a/net-ftp/netkit-ftpd/netkit-ftpd-0.17-r5.ebuild b/net-ftp/netkit-ftpd/netkit-ftpd-0.17-r5.ebuild
new file mode 100644
index 000000000000..821a517b42a5
--- /dev/null
+++ b/net-ftp/netkit-ftpd/netkit-ftpd-0.17-r5.ebuild
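Review bot: `src_unpack` in netkit-ftpd-0.17-r4.ebuild applies the mirrored `${MY_P}-ssl.patch` plus the shadowfix, gcc41 and setguid patches, but nothing in that list is identifiable as the overflow fix the ChangeLog records for security bug #111573 (`ftpd-0.17+ssl-0.3-overflowpatch.diff`, later "a better patch from solar"). Presumably the fix is folded into the mirrored SSL patch; once that is confirmed, a comment on the `use ssl && epatch` line such as `# mirrored ssl patch already carries the bug #111573 overflow fix` would let the next maintainer verify it rather than guess. The same applies to `src_unpack` in netkit-ftpd-0.17-r5.ebuild.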
@@ -0,0 +1,58 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-ftp/netkit-ftpd/netkit-ftpd-0.17-r5.ebuild,v 1.1 2007/01/21 18:54:47 vapier Exp $
+
+inherit eutils ssl-cert
+
+MY_P="linux-ftpd-${PV}"
+DESCRIPTION="The netkit FTP server with optional SSL support"
+HOMEPAGE="http://www.hcs.harvard.edu/~dholland/computers/netkit.html"
+SRC_URI="ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/${MY_P}.tar.gz
+ mirror://gentoo/${MY_P}-ssl.patch"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~ia64 ~ppc ~s390 ~sh ~sparc ~x86"
+IUSE="ssl"
+
+DEPEND="ssl? ( dev-libs/openssl )"
+RDEPEND="${DEPEND}
+ virtual/inetd"
+
+S=${WORKDIR}/${MY_P}
+
+src_unpack() {
+ unpack ${MY_P}.tar.gz
+ cd "${S}"
+ use ssl && epatch "${DISTDIR}"/${MY_P}-ssl.patch "${FILESDIR}"/${P}-cleanup-ssl.patch
+ epatch "${FILESDIR}"/${P}-cleanup.patch
+ epatch "${FILESDIR}"/${P}-build.patch
+ epatch "${FILESDIR}"/${P}-shadowfix.patch
+ epatch "${FILESDIR}"/${P}-gcc41.patch
+ epatch "${FILESDIR}"/${P}-setguid.patch
+}
+
+src_compile() {
+ ./configure --prefix=/usr || die "configure failed"
+ emake || die "parallel make failed"
+}
+
+src_install() {
+ dobin ftpd/ftpd || die
+ doman ftpd/ftpd.8
+ dodoc README ChangeLog
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}"/ftp.xinetd ftp
+ if use ssl ; then
+ insinto /etc/ssl/certs
+ docert ftpd
+ fi
+}
+
+pkg_postinst() {
+ if use ssl ; then
+ einfo "In order to start the server with SSL support"
+ einfo "You need a certificate /etc/ssl/certs/ftpd.pem."
+ einfo "A temporary certificiate has been created."
+ fi
+}
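Review bot: The `pkg_postinst` message in netkit-ftpd-0.17-r5.ebuild misspells the word as `certificiate` and only says that a temporary certificate exists, not that the one generated by `docert ftpd` is a placeholder (presumably self-signed) that should be replaced before the service is enabled. Suggested last line: `einfo "A temporary certificate has been created; replace it with your own before enabling the service."`. The same text appears in netkit-ftpd-0.17-r4.ebuild.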