

3 changed files with 36 additions and 2 deletions

25
CVE-2024-48208.patch Normal file

@@ -0,0 +1,25 @@
From 2bbe0f25c6b905044803649a29df5f765f940b91 Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Fri, 25 Oct 2024 10:20:24 +0200
Subject: [PATCH] Fix code similar to the one fixed in 350d66fbbd6
Noticed by @StayPirate, thanks!
---
src/ls.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ls.c b/src/ls.c
index 9063646..94150ad 100644
--- a/src/ls.c
+++ b/src/ls.c
@@ -972,8 +972,8 @@ void donlst(const char *base)
if (*base != 0 && chdir(base) != 0) {
if (*base++ == '-') {
- while (!isspace((unsigned char) *base++));
- while (isspace((unsigned char) *base++));
+ while (*base != 0 && !isspace((unsigned char) *base++));
+ while (*base != 0 && isspace((unsigned char) *base++));
if (*base != 0 && chdir(base) != 0) {
addreply_noformat(550, MSG_STAT_FAILURE2);
return;
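Review bot: Both rewritten loops in donlst() keep the post-increment inside the condition, so `base` is still advanced on the iteration that ends the loop, and the second loop appears to step over the first non-blank character of the argument before `chdir(base)` is called. This is inherited from the removed lines and is not a memory-safety problem: the added `*base != 0` test short-circuits before the increment, so `base` can no longer move past the terminator. Separating the test from the advance would make the bound easier to audit, for example `while (*base != 0 && !isspace((unsigned char) *base)) base++;` followed by `while (*base != 0 && isspace((unsigned char) *base)) base++;`. Since that changes which byte `chdir()` receives, it is better raised upstream than carried as a local deviation. The body of donlst() starts and ends outside this hunk, so the callers and the later use of `base` are not visible here.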


@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Jun 17 07:57:50 UTC 2025 - Peter Simons <psimons@suse.com>
- Apply "CVE-2024-48208.patch" to fix a buffer overflow
vulnerability cause by an out-of-bounds read in the domlsd()
function. [bsc#1232331, CVE-2024-48208]
-------------------------------------------------------------------
Thu Feb 29 14:59:24 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
@@ -14,7 +21,7 @@ Wed Oct 4 08:49:26 UTC 2023 - Thorsten Kukuk <kukuk@suse.com>
-------------------------------------------------------------------
Mon Jan 16 11:10:54 UTC 2023 - Stefan Schubert <schubi@suse.com>
- Migration of PAM settings to /usr/lib/pam.d.
- Migration of PAM settings to /usr/lib/pam.d.
-------------------------------------------------------------------
Mon Aug 1 22:37:52 UTC 2022 - Dirk Müller <dmueller@suse.com>


@@ -1,7 +1,7 @@
#
# spec file for package pure-ftpd
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -45,6 +45,7 @@ Patch7: %{name}-1.0.50-default_tcp_sedrcv_buffer_size.patch
Patch8: pure-ftpd-1.0.36-cap-audit-control.patch
Patch9: pure-ftpd-apparmor.patch
Patch10: pure-ftpd-malloc-limit.patch
Patch11: https://github.com/jedisct1/pure-ftpd/commit/2bbe0f25c6b905044803649a29df5f765f940b91.patch#:/CVE-2024-48208.patch
BuildRequires: libcap-devel
BuildRequires: libsodium-devel
BuildRequires: mysql-devel
@@ -80,6 +81,7 @@ Apache log files, and more.
%patch -P 8 -p1
%patch -P 9 -p2
%patch -P 10 -p1
%patch -P 11 -p1
%build
CFLAGS="%{optflags} -I%{_includedir}/mysql"
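Review bot: The commit pulled in as Patch11 describes itself as fixing code "similar to the one fixed in 350d66fbbd6" and its only hunk is in donlst(), while the changelog entry attributes the out-of-bounds read to domlsd(). It is worth confirming that the packaged tarball already contains 350d66fbbd6, or adding that commit as a separate patch, because otherwise the function named in the changelog may remain unpatched while the package is recorded as fixed for CVE-2024-48208. The Patch11 line also has no provenance comment; something like `# PATCH-FIX-UPSTREAM CVE-2024-48208.patch bsc#1232331 -- bound the option-skipping loops in donlst()` above it would record the origin and scope. The committed local copy of the patch is what the build should use, so the remote URL serves only as a reference.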