Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock tnftp/20130505-2
debdiff tnftp_20130505-1.dsc tnftp_20130505-2.dsc
diff -Nru tnftp-20130505/debian/changelog tnftp-20130505/debian/changelog
--- tnftp-20130505/debian/changelog 2013-05-26 01:01:45.000000000 +0100
+++ tnftp-20130505/debian/changelog 2014-11-06 10:42:07.000000000 +0000
@@ -1,3 +1,19 @@
+tnftp (20130505-2) unstable; urgency=medium
+
+ * Only trust filenames with special meaning if they came from
+ the command line. CVE-2014-8517.
+ Add upstream patch CVE-2014-8517.patch.
+ Closes: #767171.
+ * Run dh-autoreconf to update for new architectures.
+ Patch by Brahadambal Srinivasan <[email protected]>.
+ Closes: 759467.
+ * Standards Version is 3.9.6.
+ * Fix uses-deprecated-compression-for-data-tarball.
+ * Fix build-depends-on-obsolete-package.
+ build-depends: hardening-wrapper => use dpkg-buildflags instead.
+
+ -- Anibal Monsalve Salazar <[email protected]> Thu, 06 Nov 2014 10:42:01 +0000
+
 tnftp (20130505-1) unstable; urgency=low
 * New upstream version 20130505
diff -Nru tnftp-20130505/debian/compat tnftp-20130505/debian/compat
--- tnftp-20130505/debian/compat 2009-04-06 01:20:42.000000000 +0100
+++ tnftp-20130505/debian/compat 2014-11-06 09:57:48.000000000 +0000
@@ -1 +1 @@
-7
+9
diff -Nru tnftp-20130505/debian/control tnftp-20130505/debian/control
--- tnftp-20130505/debian/control 2013-05-26 00:04:41.000000000 +0100
+++ tnftp-20130505/debian/control 2014-11-06 10:02:59.000000000 +0000
@@ -2,8 +2,8 @@
 Section: net
 Priority: optional
 Maintainer: Anibal Monsalve Salazar <[email protected]>
-Build-Depends: debhelper (>= 7), hardening-wrapper, libncurses5-dev, libssl-dev
-Standards-Version: 3.9.4
+Build-Depends: debhelper (>= 9), libncurses5-dev, libssl-dev, autotools-dev
+Standards-Version: 3.9.6
 Homepage: http://en.wikipedia.org/wiki/Tnftp
 Package: tnftp
diff -Nru tnftp-20130505/debian/patches/CVE-2014-8517.patch tnftp-20130505/debian/patches/CVE-2014-8517.patch
--- tnftp-20130505/debian/patches/CVE-2014-8517.patch 1970-01-01 01:00:00.000000000 +0100
+++ tnftp-20130505/debian/patches/CVE-2014-8517.patch 2014-11-06 10:24:25.000000000 +0000
@@ -0,0 +1,92 @@
+Date: Sun, 26 Oct 2014 12:21:59 -0400
+From: Christos Zoulas <[email protected]>
+To: [email protected]
+Subject: CVS commit: src/usr.bin/ftp
+X-Mailer: log_accum
+
+Module Name: src
+Committed By: christos
+Date: Sun Oct 26 16:21:59 UTC 2014
+
+Modified Files:
+ src/usr.bin/ftp: fetch.c
+
+Log Message:
+ don't pay attention to special characters if they don't come from the command
+ line (from jmcneill)
+
+http://security-tracker.debian.org/tracker/CVE-2014-8517
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767171
+http://www.openwall.com/lists/oss-security/2014/10/28/4
+
+Index: tnftp-20130505/src/fetch.c
+===================================================================
+--- tnftp-20130505.orig/src/fetch.c
++++ tnftp-20130505/src/fetch.c
+@@ -571,7 +571,7 @@ fetch_url(const char *url, const char *p
+ url_decode(decodedpath);
+
+ if (outfile)
+- savefile = ftp_strdup(outfile);
++ savefile = outfile;
+ else {
+ cp = strrchr(decodedpath, '/'); /* find savefile */
+ if (cp != NULL)
+@@ -595,8 +595,7 @@ fetch_url(const char *url, const char *p
+ rangestart = rangeend = entitylen = -1;
+ mtime = -1;
+ if (restartautofetch) {
+- if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
+- stat(savefile, &sb) == 0)
++ if (stat(savefile, &sb) == 0)
+ restart_point = sb.st_size;
+ }
+ if (urltype == FILE_URL_T) { /* file:// URLs */
+@@ -1140,18 +1139,26 @@ fetch_url(const char *url, const char *p
+ }
+ } /* end of ftp:// or http:// specific setup */
+
+- /* Open the output file. */
+- if (strcmp(savefile, "-") == 0) {
+- fout = stdout;
+- } else if (*savefile == '|') {
+- oldintp = xsignal(SIGPIPE, SIG_IGN);
+- fout = popen(savefile + 1, "w");
+- if (fout == NULL) {
+- warn("Can't execute `%s'", savefile + 1);
+- goto cleanup_fetch_url;
++ /* Open the output file. */
++
++ /*
++ * Only trust filenames with special meaning if they came from
++ * the command line
++ */
++ if (outfile == savefile) {
++ if (strcmp(savefile, "-") == 0) {
++ fout = stdout;
++ } else if (*savefile == '|') {
++ oldintp = xsignal(SIGPIPE, SIG_IGN);
++ fout = popen(savefile + 1, "w");
++ if (fout == NULL) {
++ warn("Can't execute `%s'", savefile + 1);
++ goto cleanup_fetch_url;
++ }
++ closefunc = pclose;
+ }
+- closefunc = pclose;
+- } else {
++ }
++ if (fout == NULL) {
+ if ((rangeend != -1 && rangeend <= restart_point) ||
+ (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
+ /* already done */
+@@ -1362,7 +1369,8 @@ fetch_url(const char *url, const char *p
+ (*closefunc)(fout);
+ if (res0)
+ freeaddrinfo(res0);
+- FREEPTR(savefile);
++ if (savefile != outfile)
++ FREEPTR(savefile);
+ FREEPTR(uuser);
+ if (pass != NULL)
+ memset(pass, 0, strlen(pass));
diff -Nru tnftp-20130505/debian/patches/series tnftp-20130505/debian/patches/series
--- tnftp-20130505/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ tnftp-20130505/debian/patches/series 2014-11-06 09:28:13.000000000 +0000
@@ -0,0 +1 @@
+CVE-2014-8517.patch
diff -Nru tnftp-20130505/debian/rules tnftp-20130505/debian/rules
--- tnftp-20130505/debian/rules 2013-05-26 00:56:53.000000000 +0100
+++ tnftp-20130505/debian/rules 2014-11-06 10:41:48.000000000 +0000
@@ -5,15 +5,13 @@
 # Uncomment this to turn on verbose mode.
 export DH_VERBOSE=1
-# Make use of security features through hardening-wrapper
-export DEB_BUILD_HARDENING=1
-
 build-arch: build
 build-indep: build
 build: build-stamp
 build-stamp:
 dh_testdir
- ./configure --prefix=/usr --mandir=\$${prefix}/share/man
+ dh_autotools-dev_updateconfig
+ ./configure --prefix=/usr --mandir=\$${prefix}/share/man $(shell dpkg-buildflags --export=configure)
 $(MAKE)
 touch build-stamp
@@ -22,6 +20,7 @@
 dh_testroot
 rm -f build-stamp
 [ ! -f Makefile ] || $(MAKE) distclean
+ dh_autotools-dev_restoreconfig
 dh_clean
 install: build
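Review bot: In the `@@ -595,8 +595,7 @@` hunk the `"-"`/`'|'` guard is dropped, so `stat(savefile, &sb)` now also runs for a command-line `-o -` or `-o '|cmd'`; when restartautofetch is set and a file literally named `-` (or `|cmd`) exists in the working directory, restart_point is taken from its size and the transfer to stdout or the pipe resumes mid-file instead of from byte 0. Keep the old check for the one case that still honours the special names: `if (!(outfile == savefile && (strcmp(savefile, "-") == 0 || *savefile == '|')) && stat(savefile, &sb) == 0)`. The new `if (fout == NULL)` fallback in the `@@ -1140,18 +1139,26 @@` hunk also assumes fout is NULL on entry; that initialisation is outside the hunk and worth confirming before relying on it as the "not opened yet" signal. fetch_url starts and ends outside these hunks.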
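Review bot: The build-stamp rule swaps `export DEB_BUILD_HARDENING=1` for `$(shell dpkg-buildflags --export=configure)`, and as far as I recall dpkg-buildflags' defaults leave PIE and BINDNOW off whereas hardening-wrapper with DEB_BUILD_HARDENING=1 enabled them, so the rebuilt ftp binary likely loses those two protections. Add `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` next to `export DH_VERBOSE=1` to keep the previous level, and confirm with hardening-check on the built binary. The changelog entry says dh-autoreconf was introduced, but this hunk and the Build-Depends change use autotools-dev's dh_autotools-dev_updateconfig; one of the two should be corrected so the record matches what the package actually does.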
@@ -63,7 +62,7 @@
 dh_gencontrol
 dh_lintian
 dh_md5sums
- dh_builddeb -- -Zbzip2 -z9
+ dh_builddeb
 binary: binary-indep binary-arch
 .PHONY: build clean binary-indep binary-arch binary install
diff -Nru tnftp-20130505/debian/source/options tnftp-20130505/debian/source/options
--- tnftp-20130505/debian/source/options 2009-11-23 10:37:44.000000000 +0000
+++ tnftp-20130505/debian/source/options 1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-compression = "bzip2"
-compression-level = 9
-- 
To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

