Accepting request 309515 from network

fix for boo#927290 (CVE-2015-3306), update to 1.3.5a (forwarded request 309514 from computersalat) OBS-URL: https://build.opensuse.org/request/show/309515 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/proftpd?expand=0&rev=21
2015-06-02 08:07:40 +00:00 · 2015-06-02 08:07:40 +00:00 · 709db69522
commit 709db69522
parent d7a7bb315f 06b464506a
8 changed files with 50 additions and 36 deletions
--- a/proftpd-1.3.5.tar.gz
+++ b/proftpd-1.3.5.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c10316fb003bd25eccbc08c77dd9057e053693e6527ffa2ea2cc4e08ccb87715
-size 7594509
--- a/proftpd-1.3.5.tar.gz.asc
+++ b/proftpd-1.3.5.tar.gz.asc
@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-iEYEABECAAYFAlN072oACgkQt46JP6URl2qVBACgiUEbFlAIzStk+jX0rljjv9xw
-8jkAoIabYGbQ9Wr8+ohBGLoOrlSoJQnH
-=ZAXp
-----END PGP SIGNATURE-----
--- a/proftpd-1.3.5a.tar.gz
+++ b/proftpd-1.3.5a.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a1f48df8539c414ec56e0cea63dcf4b8e16e606c05f10156f030a4a67fae5696
+size 29988477
--- a/proftpd-1.3.5a.tar.gz.asc
+++ b/proftpd-1.3.5a.tar.gz.asc
@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iEYEABECAAYFAlVmZ+4ACgkQt46JP6URl2pTLwCeMiXrNoRkvmHGEUFDwFwHdYIM
+io8AoIxqqi320QUG1sSePFQ6Fy041WSl
+=Vapu
+-----END PGP SIGNATURE-----
--- a/proftpd-ftpasswd.patch
+++ b/proftpd-ftpasswd.patch
@ -2,7 +2,7 @@ Index: contrib/ftpasswd
 ===================================================================
 --- contrib/ftpasswd.orig
 +++ contrib/ftpasswd
-@@ -33,8 +33,8 @@ use Getopt::Long;
+@@ -34,8 +34,8 @@ use Getopt::Long;
 $Getopt::Long::auto_abbrev = 0;
 
 my $program = basename($0);
@ -13,7 +13,7 @@ Index: contrib/ftpasswd
 my $shell_file = "/etc/shells";
 my $default_cracklib_dict = "/usr/lib/cracklib_dict";
 my $cracklib_dict;
-@@ -921,6 +921,46 @@ usage: $program [--help] [--hash|--group
+@@ -1074,6 +1074,46 @@ usage: $program [--help] [--hash|--group
     --version
                 Displays the version of $program.
 
--- a/proftpd-no_BuildDate.patch
+++ b/proftpd-no_BuildDate.patch
@ -5,10 +5,10 @@
 src/main.c            |    6 ++----
 4 files changed, 9 insertions(+), 15 deletions(-)

-Index: proftpd-1.3.5/Makefile.in
+Index: Makefile.in
 ===================================================================
--- proftpd-1.3.5.orig/Makefile.in	2012-10-02 18:10:23.000000000 +0100
-+++ proftpd-1.3.5/Makefile.in	2014-09-01 20:12:57.000000000 +0100
+--- Makefile.in.orig
+++ Makefile.in
@@ -24,28 +24,26 @@ BUILD_BIN=proftpd$(EXEEXT) ftpcount$(EXE
 
 all: $(BUILD_BIN)
@ -44,10 +44,10 @@ Index: proftpd-1.3.5/Makefile.in
 	@dirs="$(DIRS)"; \
 	for dir in $$dirs; do \
 		if [ -d "$$dir" ]; then cd $$dir/ && $(MAKE); fi; \
-Index: proftpd-1.3.5/contrib/mod_snmp/db.c
+Index: contrib/mod_snmp/db.c
 ===================================================================
--- proftpd-1.3.5.orig/contrib/mod_snmp/db.c	2014-01-27 17:32:16.000000000 +0000
-+++ proftpd-1.3.5/contrib/mod_snmp/db.c	2014-09-01 23:08:18.000000000 +0100
+--- contrib/mod_snmp/db.c.orig
+++ contrib/mod_snmp/db.c
@@ -1122,7 +1122,7 @@ int snmp_db_get_value(pool *p, unsigned
       return 0;
 
@ -57,21 +57,21 @@ Index: proftpd-1.3.5/contrib/mod_snmp/db.c
       *str_valuelen = strlen(*str_value);
 
       pr_trace_msg(trace_channel, 19,
-Index: proftpd-1.3.5/include/version.h
+Index: include/version.h
 ===================================================================
--- proftpd-1.3.5.orig/include/version.h	2014-05-15 16:53:13.000000000 +0100
-+++ proftpd-1.3.5/include/version.h	2014-09-01 20:12:57.000000000 +0100
+--- include/version.h.orig
+++ include/version.h
@@ -1,5 +1,3 @@
 -#include "buildstamp.h"
 -
 /* Application version (in various forms) */
- #define PROFTPD_VERSION_NUMBER		0x0001030505
- #define PROFTPD_VERSION_TEXT		"1.3.5"
-Index: proftpd-1.3.5/src/main.c
+ #define PROFTPD_VERSION_NUMBER		0x0001030507
+ #define PROFTPD_VERSION_TEXT		"1.3.5a"
+Index: src/main.c
 ===================================================================
--- proftpd-1.3.5.orig/src/main.c	2014-01-25 16:34:09.000000000 +0000
-+++ proftpd-1.3.5/src/main.c	2014-09-01 20:12:57.000000000 +0100
-@@ -2382,8 +2382,8 @@ static void standalone_main(void) {
+--- src/main.c.orig
+++ src/main.c
+@@ -2426,8 +2426,8 @@ static void standalone_main(void) {
 
   init_bindings();
 
@ -82,7 +82,7 @@ Index: proftpd-1.3.5/src/main.c
 
   pr_pidfile_write();
   daemon_loop();
-@@ -2438,7 +2438,6 @@ static void show_settings(void) {
+@@ -2482,7 +2482,6 @@ static void show_settings(void) {
   printf("%s", "  Platform: " PR_PLATFORM " [unknown]\n");
 #endif /* !HAVE_UNAME */
 
@ -90,7 +90,7 @@ Index: proftpd-1.3.5/src/main.c
   printf("%s", "  Built With:\n    configure " PR_BUILD_OPTS "\n\n");
 
   printf("%s", "  CFLAGS: " PR_BUILD_CFLAGS "\n");
-@@ -2956,7 +2955,6 @@ int main(int argc, char *argv[], char **
+@@ -3000,7 +2999,6 @@ int main(int argc, char *argv[], char **
 
     printf("ProFTPD Version: %s", PROFTPD_VERSION_TEXT " " PR_STATUS "\n");
     printf("  Scoreboard Version: %08x\n", PR_SCOREBOARD_VERSION); 
--- a/proftpd.changes
+++ b/proftpd.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sun May 31 18:54:45 UTC 2015 - chris@computersalat.de
+
+- fix for boo#927290 (CVE-2015-3306)
+- update to 1.3.5a:
+  See http://www.proftpd.org/docs/NEWS-1.3.5a
+- rebase patches
+  * proftpd-ftpasswd.patch
+  * proftpd-no_BuildDate.patch
+- remove gpg-offline dependency
+- fix permissions on passwd file
+  * unable to use world-readable AuthUserFile '.../passwd' (perms 0644):
+  * 0644 -> 0440
+
 -------------------------------------------------------------------
 Mon Sep  1 22:04:02 UTC 2014 - andreas.stieger@gmx.de

--- a/proftpd.spec
+++ b/proftpd.spec
@ -1,7 +1,7 @@
 #
 # spec file for package proftpd
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -22,7 +22,7 @@ License:        GPL-2.0+
 Group:          Productivity/Networking/Ftp/Servers
 # Please save your time and do not update to "rc" versions.
 # We only accept updates for "STABLE" Versions
-Version:        1.3.5
+Version:        1.3.5a
 Release:        0
 Url:            http://www.proftpd.org/
 Source0:        ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz
@ -43,7 +43,7 @@ Patch103:       %{name}-strip.patch
 #PATCH-FIX-openSUSE: file-contains-date-and-time
 Patch104:       %{name}-no_BuildDate.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildRequires:  gpg-offline
+#BuildRequires:  gpg-offline
 BuildRequires:  krb5-devel
 BuildRequires:  libacl-devel
 BuildRequires:  libattr-devel
@ -134,14 +134,14 @@ Requires:       %{name} = %{version}
 Here are Documentation for ProFTPD

 %prep
-%gpg_verify %{S:1}
+#gpg_verify %{S:1}
 %setup -q
 %{__rm} README.AIX
 %patch100
 %patch101
 %patch102
 %patch103
-%patch104 -p1
+%patch104

 %build
 rm contrib/mod_wrap.c
@ -188,7 +188,7 @@ export CXXFLAGS="$CFLAGS"

 # some needed dirs
 %{__install} -d $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/{conf.d,auth}
-%{__install} -m 0644 %{S:12} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/auth/passwd
+%{__install} -m 0440 %{S:12} $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/auth/passwd
 %{__install} -d -m 0750 $RPM_BUILD_ROOT/var/log/%{name}

 %if 0%{?has_systemd}
@ -265,7 +265,7 @@ fi
 %doc sample-configurations/*.conf
 %dir %attr(0755,root,root) %{_sysconfdir}/%{name}/
 %dir %attr(0750,ftp,ftp) %{_sysconfdir}/%{name}/auth/
-%config(noreplace) %attr(0644,root,ftp) %{_sysconfdir}/%{name}/auth/passwd
+%config(noreplace) %attr(0440,root,ftp) %{_sysconfdir}/%{name}/auth/passwd
 %dir %attr(0755,root,root) %{_sysconfdir}/%{name}/conf.d
 %config(noreplace) %attr(0640,root,root) %{_sysconfdir}/%{name}/%{name}.conf
 %{_sysconfdir}/%{name}/PROFTPD-MIB.txt