rpm/pure-ftpd
SHA256
1
0
Fork 0
forked from pool/pure-ftpd
Code Pull Requests Activity

Compare commits

base: rpm:factory
Branches Tags
rpm:factory rpm:devel pool:factory pool:devel pool:leap-16.0
..
compare: pool:factory
Branches Tags
pool:factory pool:devel pool:leap-16.0 rpm:factory rpm:devel

2 Commits
factory ... factory

Author SHA256 Message Date
Ana Guerrero
417f29be51 Accepting request 1286288 from network 
CVE-2024-48208

OBS-URL: https://build.opensuse.org/request/show/1286288
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pure-ftpd?expand=0&rev=9
 2025-06-17 16:23:34 +00:00
Peter Simons
deee531733 CVE-2024-48208 
OBS-URL: https://build.opensuse.org/package/show/network/pure-ftpd?expand=0&rev=94
 2025-06-17 08:01:21 +00:00
3 changed files with 36 additions and 2 deletions
Expand all files Collapse all files

25
CVE-2024-48208.patch Normal file
View File

@@ -0,0 +1,25 @@
From 2bbe0f25c6b905044803649a29df5f765f940b91 Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Fri, 25 Oct 2024 10:20:24 +0200
Subject: [PATCH] Fix code similar to the one fixed in 350d66fbbd6
Noticed by @StayPirate, thanks!
---
src/ls.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ls.c b/src/ls.c
index 9063646..94150ad 100644
--- a/src/ls.c
+++ b/src/ls.c
@@ -972,8 +972,8 @@ void donlst(const char *base)
if (*base != 0 && chdir(base) != 0) {
if (*base++ == '-') {
- while (!isspace((unsigned char) *base++));
- while (isspace((unsigned char) *base++));
+ while (*base != 0 && !isspace((unsigned char) *base++));
+ while (*base != 0 && isspace((unsigned char) *base++));
if (*base != 0 && chdir(base) != 0) {
addreply_noformat(550, MSG_STAT_FAILURE2);
return;

9
pure-ftpd.changes
View File

@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Jun 17 07:57:50 UTC 2025 - Peter Simons <psimons@suse.com>
- Apply "CVE-2024-48208.patch" to fix a buffer overflow
vulnerability cause by an out-of-bounds read in the domlsd()
function. [bsc#1232331, CVE-2024-48208]
-------------------------------------------------------------------
Thu Feb 29 14:59:24 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
@@ -14,7 +21,7 @@ Wed Oct 4 08:49:26 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
-------------------------------------------------------------------
Mon Jan 16 11:10:54 UTC 2023 - Stefan Schubert <schubi@suse.com>
- Migration of PAM settings to /usr/lib/pam.d.
- Migration of PAM settings to /usr/lib/pam.d.
-------------------------------------------------------------------
Mon Aug 1 22:37:52 UTC 2022 - Dirk Müller <dmueller@suse.com>

4
pure-ftpd.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package pure-ftpd
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -45,6 +45,7 @@ Patch7: %{name}-1.0.50-default_tcp_sedrcv_buffer_size.patch
Patch8: pure-ftpd-1.0.36-cap-audit-control.patch
Patch9: pure-ftpd-apparmor.patch
Patch10: pure-ftpd-malloc-limit.patch
Patch11: https://github.com/jedisct1/pure-ftpd/commit/2bbe0f25c6b905044803649a29df5f765f940b91.patch#:/CVE-2024-48208.patch
BuildRequires: libcap-devel
BuildRequires: libsodium-devel
BuildRequires: mysql-devel
@@ -80,6 +81,7 @@ Apache log files, and more.
%patch -P 8 -p1
%patch -P 9 -p2
%patch -P 10 -p1
%patch -P 11 -p1
%build
CFLAGS="%{optflags} -I%{_includedir}/mysql"