From 5212f8c57146ae0d5c954fee3a039e7071cc4935a0ec556ecdec416b577554d2 Mon Sep 17 00:00:00 2001 From: Christian Wittmer Date: Sun, 31 May 2015 19:20:12 +0000 Subject: [PATCH 1/2] Accepting request 309477 from home:computersalat:devel:network fix for boo#927290 (CVE-2015-3306), update to 1.3.5a OBS-URL: https://build.opensuse.org/request/show/309477 OBS-URL: https://build.opensuse.org/package/show/network/proftpd?expand=0&rev=33 --- proftpd-1.3.5.tar.gz | 3 --- proftpd-1.3.5.tar.gz.asc | 7 ------- proftpd-1.3.5a.tar.gz | 3 +++ proftpd-1.3.5a.tar.gz.asc | 7 +++++++ proftpd-ftpasswd.patch | 4 ++-- proftpd-no_BuildDate.patch | 34 +++++++++++++++++----------------- proftpd.changes | 11 +++++++++++ proftpd.spec | 10 +++++----- 8 files changed, 45 insertions(+), 34 deletions(-) delete mode 100644 proftpd-1.3.5.tar.gz delete mode 100644 proftpd-1.3.5.tar.gz.asc create mode 100644 proftpd-1.3.5a.tar.gz create mode 100644 proftpd-1.3.5a.tar.gz.asc diff --git a/proftpd-1.3.5.tar.gz b/proftpd-1.3.5.tar.gz deleted file mode 100644 index a26ee05..0000000 --- a/proftpd-1.3.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c10316fb003bd25eccbc08c77dd9057e053693e6527ffa2ea2cc4e08ccb87715 -size 7594509 diff --git a/proftpd-1.3.5.tar.gz.asc b/proftpd-1.3.5.tar.gz.asc deleted file mode 100644 index c736830..0000000 --- a/proftpd-1.3.5.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.9 (GNU/Linux) - -iEYEABECAAYFAlN072oACgkQt46JP6URl2qVBACgiUEbFlAIzStk+jX0rljjv9xw -8jkAoIabYGbQ9Wr8+ohBGLoOrlSoJQnH -=ZAXp ------END PGP SIGNATURE----- diff --git a/proftpd-1.3.5a.tar.gz b/proftpd-1.3.5a.tar.gz new file mode 100644 index 0000000..171ace9 --- /dev/null +++ b/proftpd-1.3.5a.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a1f48df8539c414ec56e0cea63dcf4b8e16e606c05f10156f030a4a67fae5696 +size 29988477 
diff --git a/proftpd-1.3.5a.tar.gz.asc b/proftpd-1.3.5a.tar.gz.asc new file mode 100644 index 0000000..fe5e05e --- /dev/null +++ b/proftpd-1.3.5a.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 (GNU/Linux) + +iEYEABECAAYFAlVmZ+4ACgkQt46JP6URl2pTLwCeMiXrNoRkvmHGEUFDwFwHdYIM +io8AoIxqqi320QUG1sSePFQ6Fy041WSl +=Vapu +-----END PGP SIGNATURE----- diff --git a/proftpd-ftpasswd.patch b/proftpd-ftpasswd.patch index 976b182..ceb69cb 100644 --- a/proftpd-ftpasswd.patch +++ b/proftpd-ftpasswd.patch @@ -2,7 +2,7 @@ Index: contrib/ftpasswd =================================================================== --- contrib/ftpasswd.orig +++ contrib/ftpasswd -@@ -33,8 +33,8 @@ use Getopt::Long; +@@ -34,8 +34,8 @@ use Getopt::Long; $Getopt::Long::auto_abbrev = 0; my $program = basename($0); @@ -13,7 +13,7 @@ Index: contrib/ftpasswd my $shell_file = "/etc/shells"; my $default_cracklib_dict = "/usr/lib/cracklib_dict"; my $cracklib_dict; -@@ -921,6 +921,46 @@ usage: $program [--help] [--hash|--group +@@ -1074,6 +1074,46 @@ usage: $program [--help] [--hash|--group --version Displays the version of $program. diff --git a/proftpd-no_BuildDate.patch b/proftpd-no_BuildDate.patch index 1305a90..12ab69a 100644 --- a/proftpd-no_BuildDate.patch +++ b/proftpd-no_BuildDate.patch @@ -5,10 +5,10 @@ src/main.c | 6 ++---- 4 files changed, 9 insertions(+), 15 deletions(-) -Index: proftpd-1.3.5/Makefile.in +Index: Makefile.in =================================================================== ---- proftpd-1.3.5.orig/Makefile.in 2012-10-02 18:10:23.000000000 +0100 -+++ proftpd-1.3.5/Makefile.in 2014-09-01 20:12:57.000000000 +0100 +--- Makefile.in.orig ++++ Makefile.in @@ -24,28 +24,26 @@ BUILD_BIN=proftpd$(EXEEXT) ftpcount$(EXE all: $(BUILD_BIN) 
@@ -44,10 +44,10 @@ Index: proftpd-1.3.5/Makefile.in @dirs="$(DIRS)"; \ for dir in $$dirs; do \ if [ -d "$$dir" ]; then cd $$dir/ && $(MAKE); fi; \ -Index: proftpd-1.3.5/contrib/mod_snmp/db.c +Index: contrib/mod_snmp/db.c =================================================================== ---- proftpd-1.3.5.orig/contrib/mod_snmp/db.c 2014-01-27 17:32:16.000000000 +0000 -+++ proftpd-1.3.5/contrib/mod_snmp/db.c 2014-09-01 23:08:18.000000000 +0100 +--- contrib/mod_snmp/db.c.orig ++++ contrib/mod_snmp/db.c @@ -1122,7 +1122,7 @@ int snmp_db_get_value(pool *p, unsigned return 0; @@ -57,21 +57,21 @@ Index: proftpd-1.3.5/contrib/mod_snmp/db.c *str_valuelen = strlen(*str_value); pr_trace_msg(trace_channel, 19, -Index: proftpd-1.3.5/include/version.h +Index: include/version.h =================================================================== ---- proftpd-1.3.5.orig/include/version.h 2014-05-15 16:53:13.000000000 +0100 -+++ proftpd-1.3.5/include/version.h 2014-09-01 20:12:57.000000000 +0100 +--- include/version.h.orig ++++ include/version.h @@ -1,5 +1,3 @@ -#include "buildstamp.h" - /* Application version (in various forms) */ - #define PROFTPD_VERSION_NUMBER 0x0001030505 - #define PROFTPD_VERSION_TEXT "1.3.5" -Index: proftpd-1.3.5/src/main.c + #define PROFTPD_VERSION_NUMBER 0x0001030507 + #define PROFTPD_VERSION_TEXT "1.3.5a" +Index: src/main.c =================================================================== ---- proftpd-1.3.5.orig/src/main.c 2014-01-25 16:34:09.000000000 +0000 -+++ proftpd-1.3.5/src/main.c 2014-09-01 20:12:57.000000000 +0100 -@@ -2382,8 +2382,8 @@ static void standalone_main(void) { +--- src/main.c.orig ++++ src/main.c +@@ -2426,8 +2426,8 @@ static void standalone_main(void) { init_bindings(); 
@@ -82,7 +82,7 @@ Index: proftpd-1.3.5/src/main.c pr_pidfile_write(); daemon_loop(); -@@ -2438,7 +2438,6 @@ static void show_settings(void) { +@@ -2482,7 +2482,6 @@ static void show_settings(void) { printf("%s", " Platform: " PR_PLATFORM " [unknown]\n"); #endif /* !HAVE_UNAME */ @@ -90,7 +90,7 @@ Index: proftpd-1.3.5/src/main.c printf("%s", " Built With:\n configure " PR_BUILD_OPTS "\n\n"); printf("%s", " CFLAGS: " PR_BUILD_CFLAGS "\n"); -@@ -2956,7 +2955,6 @@ int main(int argc, char *argv[], char ** +@@ -3000,7 +2999,6 @@ int main(int argc, char *argv[], char ** printf("ProFTPD Version: %s", PROFTPD_VERSION_TEXT " " PR_STATUS "\n"); printf(" Scoreboard Version: %08x\n", PR_SCOREBOARD_VERSION); diff --git a/proftpd.changes b/proftpd.changes index 64abd31..f6615b8 100644 --- a/proftpd.changes +++ b/proftpd.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Sun May 31 18:54:45 UTC 2015 - chris@computersalat.de + +- fix for boo#927290 (CVE-2015-3306) +- update to 1.3.5a: + See http://www.proftpd.org/docs/NEWS-1.3.5a +- rebase patches + * proftpd-ftpasswd.patch + * proftpd-no_BuildDate.patch +- remove gpg-offline dependency + ------------------------------------------------------------------- Mon Sep 1 22:04:02 UTC 2014 - andreas.stieger@gmx.de diff --git a/proftpd.spec b/proftpd.spec index e037f31..50d1baa 100644 --- a/proftpd.spec +++ b/proftpd.spec @@ -1,7 +1,7 @@ # # spec file for package proftpd # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -22,7 +22,7 @@ License: GPL-2.0+ Group: Productivity/Networking/Ftp/Servers # Please save your time and do not update to "rc" versions. # We only accept updates for "STABLE" Versions -Version: 1.3.5 +Version: 1.3.5a Release: 0 Url: http://www.proftpd.org/ Source0: ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz @@ -43,7 +43,7 @@ Patch103: %{name}-strip.patch #PATCH-FIX-openSUSE: file-contains-date-and-time Patch104: %{name}-no_BuildDate.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: gpg-offline +#BuildRequires: gpg-offline BuildRequires: krb5-devel BuildRequires: libacl-devel BuildRequires: libattr-devel @@ -134,14 +134,14 @@ Requires: %{name} = %{version} Here are Documentation for ProFTPD %prep -%gpg_verify %{S:1} +#gpg_verify %{S:1} %setup -q %{__rm} README.AIX %patch100 %patch101 %patch102 %patch103 -%patch104 -p1 +%patch104 %build rm contrib/mod_wrap.c From 06b464506a8012d9f5e43a48dc3260aa6138cfcc792aaf91951a4e608f34cf4e Mon Sep 17 00:00:00 2001 From: Christian Wittmer Date: Sun, 31 May 2015 23:19:56 +0000 Subject: [PATCH 2/2] Accepting request 309514 from home:computersalat:devel:network fix for boo#927290 (CVE-2015-3306), update to 1.3.5a OBS-URL: https://build.opensuse.org/request/show/309514 OBS-URL: https://build.opensuse.org/package/show/network/proftpd?expand=0&rev=34 --- proftpd.changes | 5 ++++- proftpd.spec | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/proftpd.changes b/proftpd.changes index f6615b8..61872f7 100644 --- a/proftpd.changes +++ b/proftpd.changes 
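Review bot: Source signature verification is switched off in the same commit that swaps in the new tarball: `BuildRequires: gpg-offline` (hunk at -43,7) and `%gpg_verify %{S:1}` in `%prep` (hunk at -134,14) are both commented out, while `proftpd-1.3.5a.tar.gz.asc` is still added to the package. From this revision on, nothing visible in the spec checks the archive against that signature, so a replaced or corrupted source tarball would build without complaint. The new LFS pointer also records a size nearly four times that of 1.3.5, which may well be legitimate but is the kind of change a signature check would confirm as upstream's. If `gpg-offline` was dropped because it is unavailable on some build targets, I would make the check conditional rather than remove it, and state the reason next to the disabled lines, e.g. `# gpg_verify disabled: <reason>; tarball checked manually against <KEY-ID>`. As a style point, rpm still expands `%{S:1}` inside the comment, so `%%{S:1}` is the safer spelling there.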
@@ -7,7 +7,10 @@ Sun May 31 18:54:45 UTC 2015 - chris@computersalat.de - rebase patches * proftpd-ftpasswd.patch * proftpd-no_BuildDate.patch -- remove gpg-offline dependency +- remove gpg-offline dependency +- fix permissions on passwd file + * unable to use world-readable AuthUserFile '.../passwd' (perms 0644): + * 0644 -> 0440 ------------------------------------------------------------------- Mon Sep 1 22:04:02 UTC 2014 - andreas.stieger@gmx.de diff --git a/proftpd.spec b/proftpd.spec index 50d1baa..d7a0601 100644 --- a/proftpd.spec +++ b/proftpd.spec @@ -188,7 +188,7 @@ export CXXFLAGS="$CFLAGS" # some needed dirs %{__install} -d $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/{conf.d,auth} -%{__install} -m 0644 %{S:12} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/auth/passwd +%{__install} -m 0440 %{S:12} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/auth/passwd %{__install} -d -m 0750 $RPM_BUILD_ROOT/var/log/%{name} %if 0%{?has_systemd} @@ -265,7 +265,7 @@ fi %doc sample-configurations/*.conf %dir %attr(0755,root,root) %{_sysconfdir}/%{name}/ %dir %attr(0750,ftp,ftp) %{_sysconfdir}/%{name}/auth/ -%config(noreplace) %attr(0644,root,ftp) %{_sysconfdir}/%{name}/auth/passwd +%config(noreplace) %attr(0440,root,ftp) %{_sysconfdir}/%{name}/auth/passwd %dir %attr(0755,root,root) %{_sysconfdir}/%{name}/conf.d %config(noreplace) %attr(0640,root,root) %{_sysconfdir}/%{name}/%{name}.conf %{_sysconfdir}/%{name}/PROFTPD-MIB.txt
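Review bot: The tightened mode in `%config(noreplace) %attr(0440,root,ftp) %{_sysconfdir}/%{name}/auth/passwd` (hunk at -265,7) may not reach systems that are upgraded rather than freshly installed. Because the file is `noreplace`, rpm can leave an administrator-edited `auth/passwd` in place, and depending on the rpm version possibly its old 0644 mode as well; this is worth confirming on the target distributions. The changelog entry in this patch quotes the server rejecting a world-readable AuthUserFile, so such hosts would be left either with a world-readable credential file or with file-based logins failing after the update. A `%post` step along the lines of `[ -f %{_sysconfdir}/%{name}/auth/passwd ] && chmod 0440 %{_sysconfdir}/%{name}/auth/passwd` would cover the upgrade path. The `%{__install} -m 0440` change in the hunk at -188,7 only sets the mode in the build root and does not help here.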