Accepting request 621884 from home:computersalat:devel:network

update to 1.3.5e

OBS-URL: https://build.opensuse.org/request/show/621884
OBS-URL: https://build.opensuse.org/package/show/network/proftpd?expand=0&rev=56

proftpd-1.3.5d.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f4e2997be7f22a5b31d7ac72497ed4f4471d24d32385978350410713e76129ac
-size 29966560

proftpd-1.3.5d.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iEYEABECAAYFAlh8H14ACgkQt46JP6URl2p0IgCeMBKtSUR8imfqKRQWohWqNi5b
-3qYAoOt6bdwbszl0njyGYtQpnWkWpqD6
-=j3a6
------END PGP SIGNATURE-----

proftpd-1.3.5e.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8307dc0103a8e716b99745919be7f09b54708c57c7d5aa70262f7593dc56bc9d
+size 29968142

proftpd-1.3.5e.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iEYEABECAAYFAljqnpEACgkQt46JP6URl2perACgjwSNGXCRyoRFQRsIY2s+1aXd
+IZgAoPP5fcWOlP0i2/Dl8tnQrYFtI0gG
+=wGie
+-----END PGP SIGNATURE-----

proftpd-AllowChrootSymlinks.patch

@@ -1,125 +0,0 @@
-commit ecff21e0d0e84f35c299ef91d7fda088e516d4ed
-Author: TJ Saunders <tj@castaglia.org>
-Date:   Mon Mar 6 08:31:29 2017 -0800
-
-    Backporting recursive handling of DefaultRoot path, when AllowChrootSymlinks
-    is off, to 1.3.5 branch. (CVE-2017-7418)
-
-diff --git a/modules/mod_auth.c b/modules/mod_auth.c
-index 386576162..410215979 100644
---- a/modules/mod_auth.c
-+++ b/modules/mod_auth.c
-@@ -2,7 +2,7 @@
-  * ProFTPD - FTP server daemon
-  * Copyright (c) 1997, 1998 Public Flood Software
-  * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <macgyver@tos.net>
-- * Copyright (c) 2001-2016 The ProFTPD Project team
-+ * Copyright (c) 2001-2017 The ProFTPD Project team
-  *
-  * This program is free software; you can redistribute it and/or modify
-  * it under the terms of the GNU General Public License as published by
-@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p, xaset_t *conf) {
-   return dir;
- }
- 
--/* Determine if the user (non-anon) needs a default root dir other than /.
-- */
-+static int is_symlink_path(pool *p, const char *path, size_t pathlen) {
-+  int res, xerrno = 0;
-+  struct stat st;
-+  char *ptr;
-+
-+  if (pathlen == 0) {
-+    return 0;
-+  }
-+
-+  pr_fs_clear_cache();
-+  res = pr_fsio_lstat(path, &st);
-+  if (res < 0) {
-+    xerrno = errno;
-+
-+    pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
-+      strerror(xerrno));
-+
-+    errno = xerrno;
-+    return -1;
-+  }
- 
-+  if (S_ISLNK(st.st_mode)) {
-+    errno = EPERM;
-+    return -1;
-+  }
-+
-+  /* To handle the case where a component further up the path might be a
-+   * symlink (which lstat(2) will NOT handle), we walk the path backwards,
-+   * calling ourselves recursively.
-+   */
-+
-+  ptr = strrchr(path, '/');
-+  if (ptr != NULL) {
-+    char *new_path;
-+    size_t new_pathlen;
-+
-+    pr_signals_handle();
-+
-+    new_pathlen = ptr - path;
-+
-+    /* Make sure our pointer actually changed position. */
-+    if (new_pathlen == pathlen) {
-+      return 0;
-+    }
-+
-+    new_path = pstrndup(p, path, new_pathlen);
-+
-+    pr_log_debug(DEBUG10,
-+      "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path,
-+      new_path);
-+    res = is_symlink_path(p, new_path, new_pathlen);
-+    if (res < 0) {
-+      return -1;
-+    }
-+  }
-+
-+  return 0;
-+}
-+
-+/* Determine if the user (non-anon) needs a default root dir other than /. */
- static int get_default_root(pool *p, int allow_symlinks, char **root) {
-   config_rec *c = NULL;
-   char *dir = NULL;
-@@ -733,7 +790,6 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) {
- 
-       if (allow_symlinks == FALSE) {
-         char *path, target_path[PR_TUNABLE_PATH_MAX + 1];
--        struct stat st;
-         size_t pathlen;
- 
-         /* First, deal with any possible interpolation.  dir_realpath() will
-@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) {
-           path[pathlen-1] = '\0';
-         }
- 
--        pr_fs_clear_cache();
--        res = pr_fsio_lstat(path, &st);
-+        res = is_symlink_path(p, path, pathlen);
-         if (res < 0) {
--          xerrno = errno;
--
--          pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
--            strerror(xerrno));
--
--          errno = xerrno;
--          return -1;
--        }
-+          if (errno == EPERM) {
-+            pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
-+              "(denied by AllowChrootSymlinks config)", path);
-+          }
- 
--        if (S_ISLNK(st.st_mode)) {
--          pr_log_pri(PR_LOG_WARNING,
--            "error: DefaultRoot %s is a symlink (denied by AllowChrootSymlinks "
--            "config)", path);
-           errno = EPERM;
-           return -1;
-         }

proftpd-dist.patch

@@ -41,7 +41,7 @@ Index: contrib/dist/rpm/proftpd.logrotate
      sharedscripts
      postrotate
 -        test -f /var/lock/subsys/proftpd && /usr/bin/killall -HUP proftpd || :
-+     /etc/init.d/proftpd reload
++     /usr/sbin/rcproftpd reload
 +     #/etc/init.d/xinetd reload
      endscript
  }

proftpd-no_BuildDate.patch

@@ -65,8 +65,8 @@ Index: include/version.h
 -#include "buildstamp.h"
 -
  /* Application version (in various forms) */
- #define PROFTPD_VERSION_NUMBER		0x0001030510
+ #define PROFTPD_VERSION_NUMBER		0x0001030511
- #define PROFTPD_VERSION_TEXT		"1.3.5d"
+ #define PROFTPD_VERSION_TEXT		"1.3.5e"
 Index: src/main.c
 ===================================================================
 --- src/main.c.orig

proftpd.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue Jul 10 11:57:58 UTC 2018 - chris@computersalat.de
+
+- update to 1.3.5e
+  * Fixed SFTP issue with umac-64@openssh.com digest/MAC.
+  * Fixed regression with mod_sftp rekeying.
+  * Backported fix for "AllowChrootSymlinks off" checking each component
+    for symlinks (CVE-2017-7418).
+- remove obsolete patch
+  * proftpd-AllowChrootSymlinks.patch (now included)
+- rebase patches
+  * proftpd-dist.patch
+  * proftpd-no_BuildDate.patch
+  * proftpd_include-in-limit-section.patch
+
 -------------------------------------------------------------------
 Fri Jul 21 04:43:44 UTC 2017 - bwiedemann@suse.com
 

proftpd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package proftpd
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,9 +20,9 @@ Name:           proftpd
 Summary:        Highly configurable GPL-licensed FTP server software
 # Please save your time and do not update to "rc" versions.
 # We only accept updates for "STABLE" Versions
-License:        GPL-2.0+
+License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Ftp/Servers
-Version:        1.3.5d
+Version:        1.3.5e
 Release:        0
 Url:            http://www.proftpd.org/
 Source0:        ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz
@@ -35,10 +35,6 @@ Source15:       %{name}.keyring
 Source16:       %{name}-tls.template
 Source17:       %{name}-limit.template
 Source18:       %{name}-ssl.README
-#PATCH-FIX-UPSTREAM (CVE-2017-7418):
-# AllowChrootSymlinks not enforced by replacing a path component with a symbolic link
-### github commit: ecff21e0d0e84f35c299ef91d7fda088e516d4ed
-Patch0:         %{name}-AllowChrootSymlinks.patch
 #PATCH-FIX-openSUSE: pam, logrotate, xinet
 Patch100:       %{name}-dist.patch
 #PATCH-FIX-openSUSE: provide a useful default config
@@ -53,6 +49,7 @@ Patch104:       %{name}-no_BuildDate.patch
 Patch105:       %{name}_include-in-limit-section.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #BuildRequires:  gpg-offline
+BuildRequires:  fdupes
 BuildRequires:  krb5-devel
 BuildRequires:  libacl-devel
 BuildRequires:  libattr-devel
@@ -148,7 +145,6 @@ Here are Documentation for ProFTPD
 #gpg_verify %{S:1}
 %setup -q
 rm README.AIX
-%patch0 -p1
 #
 %patch100
 %patch101
@@ -210,12 +206,14 @@ install -d -m 0750 %{buildroot}/var/log/%{name}
 install -D -m 0644 %{S:13} %{buildroot}%{_unitdir}/%{name}.service
 ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rc%{name}
 # systemd need to create a tmp dir: /run/proftpd
-install -D -m 0644 %{S:14} %{buildroot}%{_prefix}/lib/tmpfiles.d/%{name}.conf
+install -D -m 0644 %{S:14} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 %else #SysVinit
 install -D -m 0755 %{S:11} %{buildroot}/%{_sysconfdir}/init.d/%{name}
 ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}/%{_sbindir}/rc%{name}
 %endif
 
+%fdupes -s %{buildroot}%{_sysconfdir}/%{name}
+
 %find_lang %{name}
 
 %pre
@@ -233,7 +231,7 @@ ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}/%{_sbindir}/rc%{name}
 %post
 %if 0%{?has_systemd}
 %service_add_post %{name}.service
-/usr/bin/systemd-tmpfiles --create %{name}.conf || :
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf || :
 %else
 %{fillup_and_insserv -f proftpd}
 install -d %{_localstatedir}/run/%{name}
@@ -266,8 +264,6 @@ install -d %{_localstatedir}/run/%{name}
 %defattr(-,root,root)
 %doc COPYING CREDITS ChangeLog NEWS README* RELEASE_NOTES
 %doc contrib/README.*
-#%doc contrib/xferstats.holger-preiss*
-#%doc contrib/ftpasswd contrib/ftpquota
 %doc sample-configurations/*.conf
 %dir %attr(0755,root,root) %{_sysconfdir}/%{name}/
 %dir %attr(0750,ftp,ftp) %{_sysconfdir}/%{name}/auth/
@@ -278,14 +274,14 @@ install -d %{_localstatedir}/run/%{name}
 %dir %attr(0755,root,root) %{_sysconfdir}/%{name}/includes/
 %config %{_sysconfdir}/%{name}/includes/limit.template
 %config(noreplace) %attr(0640,root,root) %{_sysconfdir}/%{name}/%{name}.conf
-%{_sysconfdir}/%{name}/PROFTPD-MIB.txt
+%config %{_sysconfdir}/%{name}/PROFTPD-MIB.txt
 %dir %attr(0700,ftp,ftp) %{_sysconfdir}/%{name}/ssl/
 %config %{_sysconfdir}/%{name}/ssl/README
 %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
 %config(noreplace) %{_sysconfdir}/pam.d/%{name}
 %config(noreplace) %{_sysconfdir}/%{name}/blacklist.dat
 %config(noreplace) %{_sysconfdir}/%{name}/dhparams.pem
-%dir %attr(0750,ftp,ftp) %{_localstatedir}/log/%{name}
+%dir %attr(0750,root,root) %{_localstatedir}/log/%{name}
 %{_sbindir}/*
 %{_mandir}/man?/*
 %dir %attr(0755,root,root) %{_libdir}/%{name}/
@@ -297,7 +293,7 @@ install -d %{_localstatedir}/run/%{name}
 %exclude %{_libdir}/%{name}/mod_sql_sqlite.so
 %if 0%{?has_systemd}
 %{_unitdir}/%{name}.service
-%{_prefix}/lib/tmpfiles.d/%{name}.conf
+%{_tmpfilesdir}/%{name}.conf
 %ghost %dir /run/%{name}
 %else
 %{_sysconfdir}/init.d/%{name}

proftpd_include-in-limit-section.patch

@@ -2,7 +2,7 @@ Index: RELEASE_NOTES
 ===================================================================
 --- RELEASE_NOTES.orig
 +++ RELEASE_NOTES
-@@ -12,6 +12,16 @@ ChangeLog files.
+@@ -20,6 +20,16 @@ ChangeLog files.
    + Fixed regression where all normal FTP users were handled as anonymous
      users.