Accepting request 778858 from network

update to 1.3.6c, fix for boo#1164572 (CVE-2020-9272, gh#902), fix for boo#1164574 (CVE-2020-9273, gh#903) (forwarded request 778853 from computersalat)

OBS-URL: https://build.opensuse.org/request/show/778858
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/proftpd?expand=0&rev=39

proftpd-1.3.6b.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fe5baf6c469a2b0b7f0e2611561b6fd5414300e32a76b96adb2ccfe05b5efb60
-size 20260731

proftpd-1.3.6b.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iEYEABECAAYFAl2rcwQACgkQt46JP6URl2rJjgCg1nlOJXXWDtriYR1VXN6HFoYg
-rNwAn1eUP98+weNzMjbHRgnoypjq02WQ
-=p339
------END PGP SIGNATURE-----

proftpd-1.3.6c.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fa3541c4b34136a7b80cb12a2f6f9a0cab5118a5b0a1653d40af49c6479c35ad
+size 20271908

proftpd-1.3.6c.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iEYEABECAAYFAl5Mn80ACgkQt46JP6URl2o1eQCg48IT2mAbeQwZmAkbEmxGRS7f
+nEwAoNGB9stmrqcSqwyivK/AMu2edn59
+=32CO
+-----END PGP SIGNATURE-----

proftpd-ftpasswd.patch

@@ -13,7 +13,7 @@ Index: contrib/ftpasswd
  my $shell_file = "/etc/shells";
  my $default_cracklib_dict = "/usr/lib/cracklib_dict";
  my $cracklib_dict;
-@@ -1109,6 +1109,46 @@ usage: $program [--help] [--hash|--group
+@@ -1128,6 +1128,46 @@ usage: $program [--help] [--hash|--group
      --version
                  Displays the version of $program.
  

proftpd-no_BuildDate.patch

@@ -65,13 +65,13 @@ Index: include/version.h
 -#include "buildstamp.h"
 -
  /* Application version (in various forms) */
- #define PROFTPD_VERSION_NUMBER		0x0001030607
+ #define PROFTPD_VERSION_NUMBER		0x0001030608
- #define PROFTPD_VERSION_TEXT		"1.3.6b"
+ #define PROFTPD_VERSION_TEXT		"1.3.6c"
 Index: src/main.c
 ===================================================================
 --- src/main.c.orig
 +++ src/main.c
-@@ -1891,8 +1891,8 @@ static void standalone_main(void) {
+@@ -1893,8 +1893,8 @@ static void standalone_main(void) {
  
    init_bindings();
  
@@ -82,7 +82,7 @@ Index: src/main.c
  
    if (pr_pidfile_write() < 0) {
      fprintf(stderr, "error opening PidFile '%s': %s\n", pr_pidfile_get(),
-@@ -1952,7 +1952,6 @@ static void show_settings(void) {
+@@ -1954,7 +1954,6 @@ static void show_settings(void) {
    printf("%s", "  Platform: " PR_PLATFORM " [unknown]\n");
  #endif /* !HAVE_UNAME */
  
@@ -90,7 +90,7 @@ Index: src/main.c
    printf("%s", "  Built With:\n    configure " PR_BUILD_OPTS "\n\n");
  
    printf("%s", "  CFLAGS: " PR_BUILD_CFLAGS "\n");
-@@ -2532,7 +2531,6 @@ int main(int argc, char *argv[], char **
+@@ -2534,7 +2533,6 @@ int main(int argc, char *argv[], char **
  
      printf("ProFTPD Version: %s", PROFTPD_VERSION_TEXT " " PR_STATUS "\n");
      printf("  Scoreboard Version: %08x\n", PR_SCOREBOARD_VERSION); 

proftpd-tls-crls-issue859.patch

@@ -1,35 +0,0 @@
-commit 81cc5dce4fc0285629a1b08a07a109af10c208dd
-Author: TJ Saunders <tj@castaglia.org>
-Date:   Sun Nov 24 14:03:54 2019 -0800
-
-    Issue #859, #861: Fix handling of CRL lookups by properly using issuer for
-    lookups, and guarding against null pointers.
-    (CVE-2019-19269, CVE-2019-19270)
-
-diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
-index 4b74cf989..0e08b0399 100644
---- a/contrib/mod_tls.c
-+++ b/contrib/mod_tls.c
-@@ -9777,10 +9777,10 @@ static int tls_verify_crl(int ok, X509_STORE_CTX *ctx) {
- 
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-     !defined(HAVE_LIBRESSL)
--  crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
-+  crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
- #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
-       !defined(HAVE_LIBRESSL)
--  crls = X509_STORE_get1_crls(store_ctx, subject);
-+  crls = X509_STORE_get1_crls(store_ctx, issuer);
- #else
-   /* Your OpenSSL is before 1.0.0.  You really need to upgrade. */
-   crls = NULL;
-@@ -9799,6 +9799,9 @@ static int tls_verify_crl(int ok, X509_STORE_CTX *ctx) {
-         ASN1_INTEGER *sn;
- 
-         revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
-+        if (revoked == NULL) {
-+          continue;
-+        }
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
-     !defined(HAVE_LIBRESSL)
-         sn = X509_REVOKED_get0_serialNumber(revoked);

proftpd.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Mon Feb 24 17:06:07 UTC 2020 - chris@computersalat.de
+
+- fix for boo#1164572 (CVE-2020-9272, gh#902)
+- fix for boo#1164574 (CVE-2020-9273, gh#903)
+- update to 1.3.6c
+  * Fixed regression in directory listing latency (Issue #863).
+  * Detect OpenSSH-specific formatted SFTPHostKeys, and log hint for
+    converting them to supported format.
+  * Fixed use-after-free vulnerability during data transfers (Issue #903).
+  * Fixed out-of-bounds read in mod_cap by updating the bundled libcap
+    (Issue #902).
+- remove obsolete proftpd-tls-crls-issue859.patch
+- rebase patches
+  * proftpd-ftpasswd.patch
+  * proftpd-no_BuildDate.patch
+  * proftpd_env-script-interpreter.patch
+
 -------------------------------------------------------------------
 Sat Feb  1 17:25:05 UTC 2020 - chris@computersalat.de
 

proftpd.spec

@@ -22,7 +22,7 @@ Summary:        Configurable GPL-licensed FTP server software
 # We only accept updates for "STABLE" Versions
 License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Ftp/Servers
-Version:        1.3.6b
+Version:        1.3.6c
 Release:        0
 URL:            http://www.proftpd.org/
 Source0:        ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz
@@ -47,8 +47,6 @@ Patch103:       %{name}-strip.patch
 Patch104:       %{name}-no_BuildDate.patch
 #RPMLINT-FIX-openSUSE: env-script-interpreter
 Patch105:       %{name}_env-script-interpreter.patch
-#PATCH-FIX-UPSTREAM: (CVE-2019-19269, CVE-2019-19270)
-Patch200:       %{name}-tls-crls-issue859.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #BuildRequires:  gpg-offline
 BuildRequires:  fdupes
@@ -157,8 +155,6 @@ rm README.AIX
 %patch104
 %patch105
 
-%patch200 -p1
-
 %build
 rm contrib/mod_wrap.c
 rm contrib/mod_geoip.c

proftpd_env-script-interpreter.patch

@@ -6,7 +6,7 @@ Index: contrib/ftpasswd
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
  # ---------------------------------------------------------------------------
- # Copyright (C) 2000-2015 TJ Saunders <tj@castaglia.org>
+ # Copyright (C) 2000-2020 TJ Saunders <tj@castaglia.org>
  #
 Index: contrib/ftpmail
 ===================================================================