Package: release.debian.org Severity: normal Tags: jessie User: [email protected] Usertags: pu
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, I have 2 patches for vsftpd 3.0.2-17+deb8u1: - - patch for CVE-2015-1419 - - patch for Debian bug #783077 A debdiff is attached. Thanks. CU Jörg - -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (900, 'testing'), (800, 'unstable'), (500, 'testing-updates'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/6 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJVUPqxAAoJEAn4nzyModJdEp0QAJHTjE0lDWYKYSHm+mq9Q4Pe cvgfTDb1kVIEsG35cu4LKMhogNMsM0a3pHVOGtVvR3ioKjjCZO7BQca6lp42IMZO hIilFgtdmgyf/pnqXRmEz3zrLEq8YL5bmd2FpA5yAkVKHRhAAK9qYrECW5cXd5gY OpEOH5quZAAuVB+yDDfbbi/tzx45Lalr0OxyHurRFrshYT3YSyKzK0f/sSCRIEwY Ao7m71Y3/bYao035yjC29GU/ctS4Pdn3+TA1oGIqpx9umAzEMbs+0TPHlwKsZ423 n4RWcNHToMqMIkb+tvN+9QYMjtWzDGkxdu+CfRw6Bk51WGGHk4sxasrcupQoFoy5 cJirrSrJlgz7bJ1hPRe5Y+szaO8Jjacxl/raunCx4TgbR/pEtO3vc5OFMnAsp+Uv yt3VAN/EFLLng0A4CX2fu92NPL4We7a9U1jZ0cEYUvT1JlYrjF/PLFyDOe9FJFt3 0SACRc08Cd72F1D4ELHW/jpiVvAczHMfghPqFEA0zX+XbM2Gn2ekq0o4VRtzYoxr ocb3Dmy4kDzVmvGjK/ypbJTnPsuxAmxElY3wwozN6+W/zLU8Fzpxr90Rh4k/z4RQ 3hmOK+BWfkJFTMugOWzOYBL54E3/usU/gUc90R6XCQORNI4CsAXZghVfTqwYYALH /zsOUCgh7QAgoIWOXHlu =QBV+ -----END PGP SIGNATURE-----
diff -Nru vsftpd-3.0.2/debian/changelog vsftpd-3.0.2/debian/changelog --- vsftpd-3.0.2/debian/changelog 2014-10-07 15:56:49.000000000 +0200 +++ vsftpd-3.0.2/debian/changelog 2015-05-11 20:51:26.000000000 +0200 @@ -1,3 +1,19 @@ +vsftpd (3.0.2-17+deb8u1) stable; urgency=medium + + * Add patch debian/patches/0050-CVE-2015-1419.patch from 3.0.2-18: + - Fix config option "deny_file" not always being handled correctly + CVE-2015-1419 (Closes: #776922). + * Add patch debian/patches/0055-set_default_listen.patch from 3.0.2-19: + - Set the default value of tunable_listen to the same value of listen from + the man page vsftpd.conf (Closes: #783077). + * Add year 2015 to debian/copyright. + * debian/vsftpd.postrm: + - Remove systemd files and directories when purging. + - Replace fixed path with a POSIX-compliant shell function to check + the existence of a command. + + -- Jörg Frings-Fürst <[email protected]> Mon, 11 May 2015 15:35:19 +0200 + vsftpd (3.0.2-17) unstable; urgency=medium * Add debian/patches/0035-address_space_limit.patch to increase the diff -Nru vsftpd-3.0.2/debian/copyright vsftpd-3.0.2/debian/copyright --- vsftpd-3.0.2/debian/copyright 2014-08-20 21:56:58.000000000 +0200 +++ vsftpd-3.0.2/debian/copyright 2015-05-11 15:47:38.000000000 +0200 @@ -10,7 +10,7 @@ Files: debian/* Copyright: 2009-2014 Daniel Baumann <[email protected]> - 2014 Jörg Frings-Fürst <[email protected]> + 2014-2015 Jörg Frings-Fürst <[email protected]> License: GPL-2 with SSL exception License: GPL-2 with SSL exception diff -Nru vsftpd-3.0.2/debian/patches/0050-CVE-2015-1419.patch vsftpd-3.0.2/debian/patches/0050-CVE-2015-1419.patch --- vsftpd-3.0.2/debian/patches/0050-CVE-2015-1419.patch 1970-01-01 01:00:00.000000000 +0100 +++ vsftpd-3.0.2/debian/patches/0050-CVE-2015-1419.patch 2015-02-24 16:41:52.000000000 +0100 @@ -0,0 +1,104 @@ +Description: CVE-2015-1419: config option deny_file is not handled correctly +Author: Marcus Meissner <[email protected]> +Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922 +Last-Update: 2015-02-24 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trunk/ls.c +=================================================================== +--- trunk.orig/ls.c ++++ trunk/ls.c +@@ -7,6 +7,7 @@ + * Would you believe, code to handle directory listing. + */ + ++#include <stdlib.h> + #include "ls.h" + #include "access.h" + #include "defs.h" +@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct + struct mystr temp_str = INIT_MYSTR; + struct mystr brace_list_str = INIT_MYSTR; + struct mystr new_filter_str = INIT_MYSTR; ++ struct mystr normalize_filename_str = INIT_MYSTR; ++ const char *normname; ++ const char *path; + int ret = 0; + char last_token = 0; + int must_match_at_current_pos = 1; ++ + str_copy(&filter_remain_str, p_filter_str); +- str_copy(&name_remain_str, p_filename_str); ++ ++ /* normalize filepath */ ++ path = str_strdup(p_filename_str); ++ normname = realpath(path, NULL); ++ if (normname == NULL) ++ goto out; ++ str_alloc_text(&normalize_filename_str, normname); ++ ++ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) { ++ if (str_get_char_at(p_filter_str, 0) == '/') { ++ if (str_get_char_at(&normalize_filename_str, 0) != '/') { ++ str_getcwd (&name_remain_str); ++ ++ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */ ++ str_append_char (&name_remain_str, '/'); ++ ++ str_append_str (&name_remain_str, &normalize_filename_str); ++ } ++ else ++ str_copy (&name_remain_str, &normalize_filename_str); ++ } else { ++ if (str_get_char_at(p_filter_str, 0) != '{') ++ str_basename (&name_remain_str, &normalize_filename_str); ++ else ++ str_copy (&name_remain_str, &normalize_filename_str); ++ } ++ } else ++ str_copy(&name_remain_str, &normalize_filename_str); + + while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX) + { +@@ -379,6 +411,9 @@ vsf_filename_passes_filter(const struct + ret = 0; + } + out: ++ free(normname); ++ free(path); ++ str_free(&normalize_filename_str); + str_free(&filter_remain_str); + str_free(&name_remain_str); + str_free(&temp_str); +Index: trunk/str.c +=================================================================== +--- trunk.orig/str.c ++++ trunk/str.c +@@ -723,3 +723,14 @@ str_replace_unprintable(struct mystr* p_ + } + } + ++void ++str_basename (struct mystr* d_str, const struct mystr* path) ++{ ++ static struct mystr tmp; ++ ++ str_copy (&tmp, path); ++ str_split_char_reverse(&tmp, d_str, '/'); ++ ++ if (str_isempty(d_str)) ++ str_copy (d_str, path); ++} +Index: trunk/str.h +=================================================================== +--- trunk.orig/str.h ++++ trunk/str.h +@@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst + int str_atoi(const struct mystr* p_str); + filesize_t str_a_to_filesize_t(const struct mystr* p_str); + unsigned int str_octal_to_uint(const struct mystr* p_str); ++void str_basename (struct mystr* d_str, const struct mystr* path); + + /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string + * buffer, starting at character position 'p_pos'. The extracted line will diff -Nru vsftpd-3.0.2/debian/patches/0055-set_default_listen.patch vsftpd-3.0.2/debian/patches/0055-set_default_listen.patch --- vsftpd-3.0.2/debian/patches/0055-set_default_listen.patch 1970-01-01 01:00:00.000000000 +0100 +++ vsftpd-3.0.2/debian/patches/0055-set_default_listen.patch 2015-04-21 20:45:30.000000000 +0200 @@ -0,0 +1,21 @@ +Description: Change the default of tunable_listen. + Change the default of tunable_listen to the same as in + man page vsftpd.conf. +Author: Jörg Frings-Fürst <[email protected]> +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783077 +Last-Update: 2015-04-21 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: trunk/tunables.c +=================================================================== +--- trunk.orig/tunables.c ++++ trunk/tunables.c +@@ -182,7 +182,7 @@ tunables_load_defaults() + tunable_use_localtime = 0; + tunable_check_shell = 1; + tunable_hide_ids = 0; +- tunable_listen = 1; ++ tunable_listen = 0; + tunable_port_promiscuous = 0; + tunable_passwd_chroot_enable = 0; + tunable_no_anon_password = 0; diff -Nru vsftpd-3.0.2/debian/patches/series vsftpd-3.0.2/debian/patches/series --- vsftpd-3.0.2/debian/patches/series 2014-10-05 12:05:36.000000000 +0200 +++ vsftpd-3.0.2/debian/patches/series 2015-05-11 15:39:42.000000000 +0200 @@ -19,3 +19,5 @@ 0035-address_space_limit.patch 0040-disable-anonymous.patch 0045-seccomp-gettimeofday.patch +0050-CVE-2015-1419.patch +0055-set_default_listen.patch diff -Nru vsftpd-3.0.2/debian/vsftpd.postrm vsftpd-3.0.2/debian/vsftpd.postrm --- vsftpd-3.0.2/debian/vsftpd.postrm 2014-05-07 22:17:52.000000000 +0200 +++ vsftpd-3.0.2/debian/vsftpd.postrm 2015-03-03 18:40:36.000000000 +0100 @@ -2,18 +2,39 @@ set -e +# +# POSIX-compliant shell function +# to check for the existence of a command +# Return 0 if found +# +pathfind() { + OLDIFS="$IFS" + IFS=: + for p in $PATH; do + if [ -x "$p/$*" ]; then + IFS="$OLDIFS" + return 0 + fi + done + IFS="$OLDIFS" + return 1 +} + + case "${1}" in remove) _USERNAME="ftp" _GROUPNAME="${_USERNAME}" _DIRECTORY="/srv/ftp" - if [ -x /usr/sbin/deluser ] + pathfind deluser + if [ $? = 0 ] ; then deluser --quiet --system ${_USERNAME} fi - if [ -x /usr/sbin/delgroup ] + pathfind delgroup + if [ $? = 0 ] ; then delgroup --quiet --system --only-if-empty ${_GROUPNAME} || true fi @@ -24,7 +45,27 @@ fi ;; - purge|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + purge) +# +# purge systemd files +# + rm -f /etc/systemd/system/vsftpd.service + rm -f /etc/systemd/system/multi-user.target.wants/vsftpd.service + rm -f /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/vsftpd.service + rm -f /var/lib/systemd/deb-systemd-helper-enabled/vsftpd.service.dsh-also + rm -f /var/lib/systemd/deb-systemd-helper-masked/vsftpd.service + if [ -d /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/ ]; then + rmdir --ignore-fail-on-non-empty /var/lib/systemd/deb-systemd-helper-enabled/multi-user.target.wants/ + fi + if [ -d /var/lib/systemd/deb-systemd-helper-enabled ]; then + rmdir --ignore-fail-on-non-empty /var/lib/systemd/deb-systemd-helper-enabled + fi + if [ -d /var/lib/systemd/deb-systemd-helper-masked ]; then + rmdir --ignore-fail-on-non-empty /var/lib/systemd/deb-systemd-helper-masked + fi + ;; + + upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;;
