diff options
| author |   Christian Hoffmann <hoffie@gentoo.org> | 2008-11-06 12:54:07 +0000 |
|---|---|---|
| committer | Christian Hoffmann <hoffie@gentoo.org> | 2008-11-06 12:54:07 +0000 |
| commit | 5faa5e3bb29c2863b694c1b5c08afdd0b9e8ec96 (patch) | |
| tree | caea66e594cb25f0001f13ea0c7eb8ef0c91a0e8 /net-ftp | |
| parent | Version bump (diff) | |
| download | gentoo-2-5faa5e3bb29c2863b694c1b5c08afdd0b9e8ec96.tar.gz gentoo-2-5faa5e3bb29c2863b694c1b5c08afdd0b9e8ec96.tar.bz2 gentoo-2-5faa5e3bb29c2863b694c1b5c08afdd0b9e8ec96.zip | |
version bump and patch for security bug 238762 (CVE-2008-4242); this bump has been done due to lack of maintainer activity, as noted in the security handling policy; also fixes bug 238288 and bug 238691
(Portage version: 2.2_rc13/cvs/Linux 2.6.27-gentoo x86_64)
Diffstat (limited to 'net-ftp')
| -rw-r--r-- | net-ftp/proftpd/ChangeLog | 12 | ||||
| -rw-r--r-- | net-ftp/proftpd/files/proftpd-1.3.2_rc2-CVE-2008-4242.patch | 192 | ||||
| -rw-r--r-- | net-ftp/proftpd/proftpd-1.3.2_rc2.ebuild | 214 |
3 files changed, 417 insertions, 1 deletions
diff --git a/net-ftp/proftpd/ChangeLog b/net-ftp/proftpd/ChangeLog index 1b4bbad13caa..347cc4cde9b3 100644 --- a/net-ftp/proftpd/ChangeLog +++ b/net-ftp/proftpd/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for net-ftp/proftpd # Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-ftp/proftpd/ChangeLog,v 1.173 2008/08/21 22:45:39 cardoe Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-ftp/proftpd/ChangeLog,v 1.174 2008/11/06 12:54:07 hoffie Exp $ + +*proftpd-1.3.2_rc2 (06 Nov 2008) + + 06 Nov 2008; Christian Hoffmann <hoffie@gentoo.org> + +files/proftpd-1.3.2_rc2-CVE-2008-4242.patch, +proftpd-1.3.2_rc2.ebuild: + version bump and patch for security bug 238762 (CVE-2008-4242); this bump + has been done due to lack of maintainer activity, as noted in the security + handling policy; compile-tested on ~amd64 and seems to work von hardened + x86; please don't bug me with anything except for regressions I caused; + also fixes bug 238288 and bug 238691 21 Aug 2008; Doug Goldstein <cardoe@gentoo.org> metadata.xml: add GLEP 56 USE flag desc from use.local.desc diff --git a/net-ftp/proftpd/files/proftpd-1.3.2_rc2-CVE-2008-4242.patch b/net-ftp/proftpd/files/proftpd-1.3.2_rc2-CVE-2008-4242.patch new file mode 100644 index 000000000000..1b95d3c239d5 --- /dev/null +++ b/net-ftp/proftpd/files/proftpd-1.3.2_rc2-CVE-2008-4242.patch @@ -0,0 +1,192 @@ +This fixes CVE-2008-4242 (Gentoo bug 238762) +Source: http://bugs.proftpd.org/show_bug.cgi?id=3115 + +Index: src/main.c +=================================================================== +RCS file: /cvsroot/proftp/proftpd/src/main.c,v +retrieving revision 1.344 +diff -u -r1.344 main.c +--- src/main.c 8 Sep 2008 00:47:11 -0000 1.344 ++++ src/main.c 20 Sep 2008 20:10:49 -0000 +@@ -516,20 +516,32 @@ + static long get_max_cmd_len(size_t buflen) { + long res; + int *bufsz = NULL; ++ size_t default_cmd_bufsz; + ++ /* It's possible for the admin to select a PR_TUNABLE_BUFFER_SIZE which ++ * is smaller than PR_DEFAULT_CMD_BUFSZ. We need to handle such cases ++ * properly. ++ */ ++ default_cmd_bufsz = PR_DEFAULT_CMD_BUFSZ; ++ if (default_cmd_bufsz > buflen) { ++ default_cmd_bufsz = buflen; ++ } ++ + bufsz = get_param_ptr(main_server->conf, "CommandBufferSize", FALSE); + if (bufsz == NULL) { +- res = PR_DEFAULT_CMD_BUFSZ; ++ res = default_cmd_bufsz; + + } else if (*bufsz <= 0) { + pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) given, " +- "using default buffer size (%u) instead", *bufsz, PR_DEFAULT_CMD_BUFSZ); +- res = PR_DEFAULT_CMD_BUFSZ; ++ "using default buffer size (%lu) instead", *bufsz, ++ (unsigned long) default_cmd_bufsz); ++ res = default_cmd_bufsz; + + } else if (*bufsz + 1 > buflen) { + pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) given, " +- "using default buffer size (%u) instead", *bufsz, PR_DEFAULT_CMD_BUFSZ); +- res = PR_DEFAULT_CMD_BUFSZ; ++ "using default buffer size (%lu) instead", *bufsz, ++ (unsigned long) default_cmd_bufsz); ++ res = default_cmd_bufsz; + + } else { + pr_log_debug(DEBUG1, "setting CommandBufferSize to %d", *bufsz); +@@ -577,11 +589,26 @@ + return -1; + } + +- memset(buf, '\0', sizeof(buf)); ++ while (TRUE) { ++ pr_signals_handle(); + +- if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm, +- session.c->outstrm) == NULL) +- return -1; ++ memset(buf, '\0', sizeof(buf)); ++ ++ if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm, ++ session.c->outstrm) == NULL) { ++ ++ if (errno == E2BIG) { ++ /* The client sent a too-long command which was ignored; give ++ * them another chance? ++ */ ++ continue; ++ } ++ ++ return -1; ++ } ++ ++ break; ++ } + + if (cmd_bufsz == -1) + cmd_bufsz = get_max_cmd_len(sizeof(buf)); +Index: src/netio.c +=================================================================== +RCS file: /cvsroot/proftp/proftpd/src/netio.c,v +retrieving revision 1.33 +diff -u -r1.33 netio.c +--- src/netio.c 3 Apr 2008 03:14:31 -0000 1.33 ++++ src/netio.c 20 Sep 2008 20:10:49 -0000 +@@ -1,6 +1,6 @@ + /* + * ProFTPD - FTP server daemon +- * Copyright (c) 2001-2007 The ProFTPD Project team ++ * Copyright (c) 2001-2008 The ProFTPD Project team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -30,19 +30,19 @@ + #include <signal.h> + + #ifndef IAC +-#define IAC 255 ++# define IAC 255 + #endif + #ifndef DONT +-#define DONT 254 ++# define DONT 254 + #endif + #ifndef DO +-#define DO 253 ++# define DO 253 + #endif + #ifndef WONT +-#define WONT 252 ++# define WONT 252 + #endif + #ifndef WILL +-#define WILL 251 ++# define WILL 251 + #endif + + static const char *trace_channel = "netio"; +@@ -51,6 +51,17 @@ + static pr_netio_t *core_data_netio = NULL, *data_netio = NULL; + static pr_netio_t *core_othr_netio = NULL, *othr_netio = NULL; + ++/* Used to track whether the previous text read from the client's control ++ * connection was a properly-terminated command. If so, then read in the ++ * next/current text as per normal. If NOT (e.g. the client sent a too-long ++ * command), then read in the next/current text, but ignore it. Only clear ++ * this flag if the next/current command can be read as per normal. ++ * ++ * The pr_netio_telnet_gets() uses this variable, in conjunction with its ++ * saw_newline flag, for handling too-long commands from clients. ++ */ ++static int properly_terminated_prev_command = TRUE; ++ + static pr_netio_stream_t *netio_stream_alloc(pool *parent_pool) { + pool *netio_pool = NULL; + pr_netio_stream_t *nstrm = NULL; +@@ -950,7 +961,7 @@ + char *bp = buf; + unsigned char cp; + static unsigned char mode = 0; +- int toread, handle_iac = TRUE; ++ int toread, handle_iac = TRUE, saw_newline = FALSE; + pr_buffer_t *pbuf = NULL; + + if (buflen == 0) { +@@ -983,8 +994,9 @@ + *bp = '\0'; + return buf; + +- } else ++ } else { + return NULL; ++ } + } + + pbuf->remaining = pbuf->buflen - toread; +@@ -1049,6 +1061,8 @@ + toread--; + *bp++ = *pbuf->current++; + pbuf->remaining++; ++ ++ saw_newline = TRUE; + break; + } + +@@ -1056,6 +1070,25 @@ + pbuf->current = NULL; + } + ++ if (!saw_newline) { ++ /* If we haven't seen a newline, then assume the client is deliberately ++ * sending a too-long command, trying to exploit buffer sizes and make ++ * the server make some possibly bad assumptions. ++ */ ++ ++ properly_terminated_prev_command = FALSE; ++ errno = E2BIG; ++ return NULL; ++ } ++ ++ if (!properly_terminated_prev_command) { ++ properly_terminated_prev_command = TRUE; ++ pr_log_pri(PR_LOG_NOTICE, "client sent too-long command, ignoring"); ++ errno = E2BIG; ++ return NULL; ++ } ++ ++ properly_terminated_prev_command = TRUE; + *bp = '\0'; + return buf; + } diff --git a/net-ftp/proftpd/proftpd-1.3.2_rc2.ebuild b/net-ftp/proftpd/proftpd-1.3.2_rc2.ebuild new file mode 100644 index 000000000000..baf880951b36 --- /dev/null +++ b/net-ftp/proftpd/proftpd-1.3.2_rc2.ebuild @@ -0,0 +1,214 @@ +# Copyright 1999-2008 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-ftp/proftpd/proftpd-1.3.2_rc2.ebuild,v 1.1 2008/11/06 12:54:07 hoffie Exp $ + +inherit eutils flag-o-matic toolchain-funcs + +KEYWORDS="~alpha ~amd64 ~hppa ~mips ~ppc ~ppc64 ~sparc ~x86" + +IUSE="acl authfile clamav hardened ifsession ipv6 ldap mysql ncurses nls noauthunix opensslcrypt pam postgres radius rewrite selinux shaper sitemisc softquota ssl tcpd vroot xinetd" + +SHAPER_VER="0.6.2" +VROOT_VER="0.7.2" + +DESCRIPTION="An advanced and very configurable FTP server." +SRC_URI="ftp://ftp.proftpd.org/distrib/source/${P/_/}.tar.bz2 + clamav? ( http://www.uglyboxindustries.com/mod_clamav_new.c http://www.uglyboxindustries.com/mod_clamav_new.html ) + shaper? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-shaper-${SHAPER_VER}.tar.gz ) + vroot? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-vroot-${VROOT_VER}.tar.gz )" +HOMEPAGE="http://www.proftpd.org/ + http://www.castaglia.org/proftpd/ + http://www.uglyboxindustries.com/open-source.php" + +SLOT="0" +LICENSE="GPL-2" + +DEPEND="acl? ( sys-apps/acl sys-apps/attr ) + clamav? ( app-antivirus/clamav ) + ldap? ( >=net-nds/openldap-1.2.11 ) + mysql? ( virtual/mysql ) + ncurses? ( sys-libs/ncurses ) + opensslcrypt? ( >=dev-libs/openssl-0.9.6f ) + pam? ( virtual/pam ) + postgres? ( virtual/postgresql-base ) + ssl? ( >=dev-libs/openssl-0.9.6f ) + tcpd? ( >=sys-apps/tcp-wrappers-7.6-r3 ) + xinetd? ( virtual/inetd )" + +RDEPEND="${DEPEND} + net-ftp/ftpbase + selinux? ( sec-policy/selinux-ftpd )" + +S="${WORKDIR}/${P/_/}" + +pkg_setup() { + # Add the proftpd user to make the default config + # work out-of-the-box + enewgroup proftpd + enewuser proftpd -1 -1 -1 proftpd +} + +src_unpack() { + unpack ${P/_/}.tar.bz2 + + cd "${S}" + + epatch "${FILESDIR}/${P}-CVE-2008-4242.patch" + + # Fix stripping of files + sed -e "s| @INSTALL_STRIP@||g" -i Make* + + if use shaper ; then + unpack ${PN}-mod-shaper-${SHAPER_VER}.tar.gz + cp -f mod_shaper/mod_shaper.c contrib/ + fi + + if use clamav ; then + cp -f "${DISTDIR}/mod_clamav_new.c" contrib/mod_clamav.c + cp -f "${DISTDIR}/mod_clamav_new.html" doc/mod_clamav.html + fi + + if use vroot ; then + unpack ${PN}-mod-vroot-${VROOT_VER}.tar.gz + cp -f mod_vroot/mod_vroot.c contrib/ + cp -f mod_vroot/mod_vroot.html doc/ + fi +} + +src_compile() { + addpredict /etc/krb5.conf + local modules myconf + + modules="mod_ratio:mod_readme" + use acl && modules="${modules}:mod_facl" + use clamav && modules="${modules}:mod_clamav" + use pam && modules="${modules}:mod_auth_pam" + use radius && modules="${modules}:mod_radius" + use rewrite && modules="${modules}:mod_rewrite" + use shaper && modules="${modules}:mod_shaper" + use sitemisc && modules="${modules}:mod_site_misc" + use ssl && modules="${modules}:mod_tls" + use tcpd && modules="${modules}:mod_wrap" + use vroot && modules="${modules}:mod_vroot" + + # pam needs to be explicitely disabled + use pam || myconf="${myconf} --enable-auth-pam=no" + + if use ldap ; then + modules="${modules}:mod_ldap" + append-ldflags "-lresolv" + fi + + if use opensslcrypt ; then + append-ldflags "-lcrypto" + myconf="${myconf} --enable-openssl --with-includes=/usr/include/openssl" + CFLAGS="${CFLAGS} -DHAVE_OPENSSL" + fi + + if use nls ; then + myconf="${myconf} --enable-nls" + fi + + if use mysql && use postgres ; then + ewarn "ProFTPD only supports either the MySQL or PostgreSQL modules." + ewarn "Presently this ebuild defaults to mysql. If you would like to" + ewarn "change the default behaviour, merge ProFTPD with:" + ewarn "USE='-mysql postgres' emerge proftpd" + epause 5 + fi + + if use mysql ; then + modules="${modules}:mod_sql:mod_sql_mysql" + myconf="${myconf} --with-includes=/usr/include/mysql" + elif use postgres ; then + modules="${modules}:mod_sql:mod_sql_postgres" + myconf="${myconf} --with-includes=/usr/include/postgresql" + fi + + if use softquota ; then + modules="${modules}:mod_quotatab" + if use mysql || use postgres ; then + modules="${modules}:mod_quotatab_sql" + fi + if use ldap ; then + modules="${modules}:mod_quotatab_file:mod_quotatab_ldap" + else + modules="${modules}:mod_quotatab_file" + fi + fi + + # mod_ifsession should be the last module in the --with-modules list + # see http://www.castaglia.org/proftpd/modules/mod_ifsession.html#Installation + use ifsession && modules="${modules}:mod_ifsession" + + # bug #30359 + use hardened && echo > lib/libcap/cap_sys.c + gcc-specs-pie && echo > lib/libcap/cap_sys.c + + if use noauthunix ; then + myconf="${myconf} --disable-auth-unix" + else + myconf="${myconf} --enable-auth-unix" + fi + + econf \ + --sbindir=/usr/sbin \ + --localstatedir=/var/run \ + --sysconfdir=/etc/proftpd \ + --enable-shadow \ + --enable-autoshadow \ + --enable-ctrls \ + --with-modules=${modules} \ + $(use_enable acl facl) \ + $(use_enable authfile auth-file) \ + $(use_enable ipv6) \ + $(use_enable ncurses) \ + ${myconf} || die "econf failed" + + emake || die "emake failed" +} + +src_install() { + # Note rundir needs to be specified to avoid sandbox violation + # on initial install. See Make.rules + emake DESTDIR="${D}" install || die "emake install failed" + + keepdir /var/run/proftpd + + dodoc "${FILESDIR}/proftpd.conf" \ + COPYING CREDITS ChangeLog NEWS README* \ + doc/license.txt + dohtml doc/*.html + + use shaper && dohtml mod_shaper/mod_shaper.html + + docinto rfc + dodoc doc/rfc/*.txt + + mv -f "${D}/etc/proftpd/proftpd.conf" "${D}/etc/proftpd/proftpd.conf.distrib" + + insinto /etc/proftpd + newins "${FILESDIR}/proftpd.conf" proftpd.conf.sample + + if use xinetd ; then + insinto /etc/xinetd.d + newins "${FILESDIR}/proftpd.xinetd" proftpd + fi + + newinitd "${FILESDIR}/proftpd.rc6" proftpd +} + +pkg_postinst() { + elog + elog "You can find the config files in /etc/proftpd" + elog + ewarn "With the introduction of net-ftp/ftpbase the ftp user is now ftp." + ewarn "Remember to change that in the configuration file." + ewarn + if use clamav ; then + ewarn "mod_clamav was updated to a new version, which uses Clamd" + ewarn "only for virus scanning, so you'll have to set Clamd up" + ewarn "and start it, also re-check the mod_clamav docs." + ewarn + fi +} |