
Accepting request 523208 from network

- Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that
  would cause SSL protocol errors, aborting the connection, whenever
  system errors occurred that were supposed to be non-fatal.
  [bsc#1044292]

- Add "vsftpd-mdtm-in-utc.patch" to fix interoperability issue with
  various ftp clients that arose when vsftpd is configured with
  option "use_localtime=YES". Basically, it's fine to use local time
  stamps in directory listings, but responding to MDTM commands with
  any time zone other than UTC directly violates RFC3659 and leads
  FTP clients to misinterpret the file's time stamp. [bsc#1024961]

- Add "vsftpd-append-seek-pipe.patch" to allow the FTP server to
  append to a file system pipe. [bsc#1048427]

- Add "vsftpd-3.0.3-address_space_limit.patch" to create the new
  configuration option "address_space_limit", which determines the
  memory limit vsftpd configures for its own process (given in
  bytes). The previously hard-coded limit (100 MB) may not be
  sufficient for vsftpd servers running with certain PAM modules
  enabled, and in such cases administrators may wish to raise the
  limit to match their system's requirements. [bsc#1042137]

- Don't rely on the vsf_findlibs.sh script to figure out the list
  of libraries the build needs to link. The script is wildly
  unreliable and it's hard to predict what results it will produce.
  Also, the results it *does* produce are invisible in the build
  log. We stumbled across this issue when vsftpd suddenly had
  build failures on i586 platforms because the script decided to
  try and link "-lnsl" even though the library was neither
  installed nor required.  

- Drop the explicit specification of the LDFLAGS and LINK variables
  from the call to make. The value of LDFLAGS we passed is the
  default anyway and giving LINK has no effect since it's not used

OBS-URL: https://build.opensuse.org/request/show/523208
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vsftpd?expand=0&rev=62
This commit is contained in:
Dominique Leuenberger 2017-09-14 19:09:29 +00:00 committed by Git OBS Bridge
commit 2eb78e3e0a
6 changed files with 317 additions and 2 deletions


@ -0,0 +1,57 @@
Index: vsftpd-3.0.3/main.c
===================================================================
--- vsftpd-3.0.3.orig/main.c
+++ vsftpd-3.0.3/main.c
@@ -317,7 +317,7 @@ env_init(void)
static void
limits_init(void)
{
- unsigned long limit = VSFTP_AS_LIMIT;
+ unsigned long limit = tunable_address_space_limit ?: VSFTP_AS_LIMIT;
if (tunable_text_userdb_names)
{
/* Turns out, LDAP lookups for lots of userid -> name mappings can really
Index: vsftpd-3.0.3/parseconf.c
===================================================================
--- vsftpd-3.0.3.orig/parseconf.c
+++ vsftpd-3.0.3/parseconf.c
@@ -138,6 +138,7 @@ parseconf_uint_array[] =
{ "delay_successful_login", &tunable_delay_successful_login },
{ "max_login_fails", &tunable_max_login_fails },
{ "chown_upload_mode", &tunable_chown_upload_mode },
+ { "address_space_limit", &tunable_address_space_limit },
{ 0, 0 }
};
Index: vsftpd-3.0.3/tunables.c
===================================================================
--- vsftpd-3.0.3.orig/tunables.c
+++ vsftpd-3.0.3/tunables.c
@@ -110,6 +110,7 @@ unsigned int tunable_delay_failed_login;
unsigned int tunable_delay_successful_login;
unsigned int tunable_max_login_fails;
unsigned int tunable_chown_upload_mode;
+unsigned int tunable_address_space_limit;
const char* tunable_secure_chroot_dir;
const char* tunable_ftp_username;
@@ -255,6 +256,7 @@ tunables_load_defaults()
tunable_max_login_fails = 3;
/* -rw------- */
tunable_chown_upload_mode = 0600;
+ tunable_address_space_limit = 0; /* See main.c:limits_init */
install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir);
install_str_setting("ftp", &tunable_ftp_username);
Index: vsftpd-3.0.3/tunables.h
===================================================================
--- vsftpd-3.0.3.orig/tunables.h
+++ vsftpd-3.0.3/tunables.h
@@ -112,6 +112,7 @@ extern unsigned int tunable_delay_failed
extern unsigned int tunable_delay_successful_login;
extern unsigned int tunable_max_login_fails;
extern unsigned int tunable_chown_upload_mode;
+extern unsigned int tunable_address_space_limit;
/* String defines */
extern const char* tunable_secure_chroot_dir;
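Review bot: The new `address_space_limit` option is parsed in parseconf.c and given a default in tunables.c, but this patch adds no vsftpd.conf.5 entry for it, unlike the mdtm patch in the same commit, so the unit (bytes) and the meaning of the default 0 (fall back to the compiled-in VSFTP_AS_LIMIT) are documented only by the comment `/* See main.c:limits_init */`. A man-page paragraph stating that the value is in bytes, that 0 keeps the built-in limit, and what the administrator should expect when the value is too small for the PAM stack the description mentions would save a trip to the source. In limits_init, `tunable_address_space_limit ?: VSFTP_AS_LIMIT` relies on the GNU `?:` extension; the portable spelling is `unsigned long limit = tunable_address_space_limit ? tunable_address_space_limit : VSFTP_AS_LIMIT;`. Note also that the tunable is `unsigned int` while `limit` is `unsigned long`, so the configurable range is capped below 4 GiB even on 64-bit builds, which may be intended but is worth stating in the documentation. The body of limits_init continues outside the hunk.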


@ -0,0 +1,14 @@
Index: vsftpd-3.0.2/sysutil.c
===================================================================
--- vsftpd-3.0.2.orig/sysutil.c
+++ vsftpd-3.0.2/sysutil.c
@@ -490,7 +490,8 @@ vsf_sysutil_lseek_end(const int fd)
{
filesize_t retval;
retval = lseek(fd, 0, SEEK_END);
- if (retval < 0)
+ /* Ignore ESPIPE to allow append to fifos */
+ if (retval < 0 && errno != ESPIPE)
{
die("lseek");
}
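Review bot: When `errno == ESPIPE` is ignored, `retval` still holds the -1 that lseek() returned, and vsf_sysutil_lseek_end presumably hands that value back to its caller as the end offset; the remainder of the function, including its return, is outside the hunk. Unless every caller treats a negative result as "no position", an append to a pipe would be reported with offset -1. Resetting the value keeps the contract explicit: `if (retval < 0) { if (errno != ESPIPE) die("lseek"); retval = 0; }`. Reading errno immediately after the lseek() call, before any other library call, is correct as written.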


@ -0,0 +1,155 @@
Index: vsftpd-3.0.2/main.c
===================================================================
--- vsftpd-3.0.2.orig/main.c
+++ vsftpd-3.0.2/main.c
@@ -155,6 +155,9 @@ main(int argc, const char* argv[])
the_session.num_clients = ret.num_children;
the_session.num_this_ip = ret.num_this_ip;
}
+
+ die_init(&the_session);
+
if (tunable_tcp_wrappers)
{
the_session.tcp_wrapper_ok = vsf_tcp_wrapper_ok(VSFTP_COMMAND_FD);
Index: vsftpd-3.0.2/utility.c
===================================================================
--- vsftpd-3.0.2.orig/utility.c
+++ vsftpd-3.0.2/utility.c
@@ -9,9 +9,22 @@
#include "sysutil.h"
#include "str.h"
#include "defs.h"
+#include "session.h"
+#include "tunables.h"
+#include "privsock.h"
+#include "ssl.h"
+#include <stdio.h>
#define DIE_DEBUG
+static struct vsf_session *s_p_sess = NULL;
+
+void
+die_init(struct vsf_session *p_sess)
+{
+ s_p_sess = p_sess;
+}
+
void
die(const char* p_text)
{
@@ -40,12 +53,70 @@ die2(const char* p_text1, const char* p_
void
bug(const char* p_text)
{
+ /* Detect calls caused by failed logging from bug() itself
+ * to prevent infinite loops */
+ static int s_in_bug = 0;
+ const unsigned int buffer_size = 256;
+ char text_buffer[buffer_size];
+ unsigned int text_len;
+
+ if (s_in_bug)
+ return;
+
+ s_in_bug = 1;
+
+ if (s_p_sess)
+ {
+ /* Try to write the message to logs */
+ if (s_p_sess->vsftpd_log_fd != -1)
+ {
+ snprintf(text_buffer, buffer_size,
+ "%s vsftpd [pid %d]: \"%s\" from \"%s\": %s",
+ vsf_sysutil_get_current_date(), vsf_sysutil_getpid(),
+ str_getbuf(&s_p_sess->user_str),
+ str_getbuf(&s_p_sess->remote_ip_str), p_text);
+ text_len = vsf_sysutil_strlen(text_buffer);
+ vsf_sysutil_write_loop(s_p_sess->vsftpd_log_fd, text_buffer, text_len);
+ }
+
+ if (tunable_syslog_enable)
+ {
+ snprintf(text_buffer, buffer_size, "\"%s\" from \"%s\": %s",
+ str_getbuf(&s_p_sess->user_str),
+ str_getbuf(&s_p_sess->remote_ip_str), p_text);
+ vsf_sysutil_syslog(text_buffer, 1);
+ }
+ }
+ else
+ {
+ /* dummy logging before the system is fully set up */
+ if (tunable_syslog_enable)
+ {
+ vsf_sysutil_syslog(p_text, 1);
+ }
+ }
+
+ snprintf(text_buffer, buffer_size, "500 OOPS: %s\r\n", p_text);
+ text_len = vsf_sysutil_strlen(text_buffer);
+
/* Rats. Try and write the reason to the network for diagnostics */
- vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "500 OOPS: ", 10);
- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, p_text,
- vsf_sysutil_strlen(p_text));
- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "\r\n", 2);
+ if (s_p_sess && s_p_sess->control_use_ssl)
+ {
+ if (s_p_sess->ssl_slave_active)
+ {
+ priv_sock_send_cmd(s_p_sess->ssl_consumer_fd, PRIV_SOCK_WRITE_USER_RESP);
+ priv_sock_send_buf(s_p_sess->ssl_consumer_fd, text_buffer, text_len);
+ }
+ else
+ {
+ (void)ssl_write(s_p_sess->p_control_ssl, text_buffer, text_len);
+ }
+ }
+ else
+ {
+ vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
+ (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, text_buffer, text_len);
+ }
vsf_sysutil_exit(2);
}
Index: vsftpd-3.0.2/utility.h
===================================================================
--- vsftpd-3.0.2.orig/utility.h
+++ vsftpd-3.0.2/utility.h
@@ -2,6 +2,18 @@
#define VSF_UTILITY_H
struct mystr;
+struct vsf_session;
+
+/* die_init
+ * PURPOSE
+ * Initialize static pointer to vsf_session used for
+ * logging and SSL support used by die() and bug().
+ * If not set (or set to NULL) only dummy write
+ * to VSFTP_COMMAND_FD will be done.
+ * PARAMETERS
+ * p_sess - pointer to vsf_session or NULL
+ */
+void die_init(struct vsf_session *p_sess);
/* die()
* PURPOSE
Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -556,6 +556,10 @@ seccomp_sandbox_setup_postlogin_broker()
allow_nr(__NR_fchown);
allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
}
+ if (tunable_syslog_enable)
+ {
+ allow_nr_1_arg_match(__NR_sendto, 6, 0);
+ }
}
void
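Review bot: In the utility.c hunk, `snprintf(text_buffer, buffer_size, "500 OOPS: %s\r\n", p_text)` silently truncates when p_text exceeds 243 bytes, and the first thing lost is the `\r\n` terminator, so the client then receives an unterminated reply where the old three-write sequence always sent a complete line. Bounding the text rather than the whole line keeps the terminator: `snprintf(text_buffer, buffer_size, "500 OOPS: %.*s\r\n", (int)(buffer_size - 13), p_text);` (10 bytes of prefix, 2 of CRLF, 1 NUL). The same truncation applies to the log line built a few lines earlier, where the date, pid, user and remote IP share the same 256 bytes with p_text; a larger buffer or a checked snprintf return would help there. `const unsigned int buffer_size = 256; char text_buffer[buffer_size];` also makes text_buffer a VLA, since a const object is not a constant expression in C; `enum { BUFFER_SIZE = 256 };` gives a real fixed-size array. The recursion guard `s_in_bug` and the seccomp `sendto` allowance gated on tunable_syslog_enable look right for the new syslog path, though whether other sandboxed processes can reach bug() with syslog enabled is not visible here.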

41
vsftpd-mdtm-in-utc.patch Normal file

@ -0,0 +1,41 @@
Index: vsftpd-3.0.2/postlogin.c
===================================================================
--- vsftpd-3.0.2.orig/postlogin.c 2017-04-06 12:40:37.413294178 +0200
+++ vsftpd-3.0.2/postlogin.c 2017-04-06 12:40:37.610294876 +0200
@@ -1639,7 +1639,7 @@ handle_mdtm(struct vsf_session* p_sess)
else
{
retval = vsf_sysutil_setmodtime(
- str_getbuf(&p_sess->ftp_arg_str), modtime, tunable_use_localtime);
+ str_getbuf(&p_sess->ftp_arg_str), modtime, 0);
if (retval != 0)
{
vsf_cmdio_write(p_sess, FTP_FILEFAIL,
@@ -1664,7 +1664,7 @@ handle_mdtm(struct vsf_session* p_sess)
static struct mystr s_mdtm_res_str;
str_alloc_text(&s_mdtm_res_str,
vsf_sysutil_statbuf_get_numeric_date(
- s_p_statbuf, tunable_use_localtime));
+ s_p_statbuf, 0));
vsf_cmdio_write_str(p_sess, FTP_MDTMOK, &s_mdtm_res_str);
}
}
Index: vsftpd-3.0.2/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.2.orig/vsftpd.conf.5 2017-04-06 12:40:37.496294472 +0200
+++ vsftpd-3.0.2/vsftpd.conf.5 2017-04-06 12:41:50.271557442 +0200
@@ -556,9 +556,11 @@ may be found within the _current_ chroot
Default: NO
.TP
.B use_localtime
-If enabled, vsftpd will display directory listings with the time in your
-local time zone. The default is to display GMT. The times returned by the
-MDTM FTP command are also affected by this option.
+If enabled, vsftpd will display directory listings with the time in your local
+time zone. The default is to display GMT. Note that this setting will NOT
+affect the times returned by the MDTM FTP command in this version of the
+daemon. This behavior deviates from the upstream version, which violated
+RFC3659 and subsequently caused problems with popular FTP clients.
Default: NO
.TP
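Review bot: The two `0` arguments passed in place of `tunable_use_localtime` in handle_mdtm carry the whole rationale of the patch, but nothing in the code says why the tunable is bypassed here, so a reader diffing against upstream will take it for an accidental regression. A one-line comment above each call, e.g. `/* RFC 3659: MDTM times are always UTC, regardless of use_localtime */`, would tie the code to the man-page text this patch adds. handle_mdtm starts and ends outside both hunks.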


@ -1,3 +1,43 @@
-------------------------------------------------------------------
Thu Sep 7 12:24:26 UTC 2017 - psimons@suse.com
- Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that
would cause SSL protocol errors, aborting the connection, whenever
system errors occurred that were supposed to be non-fatal.
[bsc#1044292]
- Add "vsftpd-mdtm-in-utc.patch" to fix interoperability issue with
various ftp clients that arose when vsftpd is configured with
option "use_localtime=YES". Basically, it's fine to use local time
stamps in directory listings, but responding to MDTM commands with
any time zone other than UTC directly violates RFC3659 and leads
FTP clients to misinterpret the file's time stamp. [bsc#1024961]
- Add "vsftpd-append-seek-pipe.patch" to allow the FTP server to
append to a file system pipe. [bsc#1048427]
- Add "vsftpd-3.0.3-address_space_limit.patch" to create the new
configuration option "address_space_limit", which determines the
memory limit vsftpd configures for its own process (given in
bytes). The previously hard-coded limit (100 MB) may not be
sufficient for vsftpd servers running with certain PAM modules
enabled, and in such cases administrators may wish to raise the
limit to match their system's requirements. [bsc#1042137]
- Don't rely on the vsf_findlibs.sh script to figure out the list
of libraries the build needs to link. The script is wildly
unreliable and it's hard to predict what results it will produce.
Also, the results it *does* produce are invisble in the build
log. We stumbled across this issue when vsftpd suddendly had
build failures on i586 platforms because the script decided to
try and link "-lnsl" even though the library was neither
installed nor required.
- Drop the explicit specification of the LDFLAGS and LINK variables
from the call to make. The value of LDFLAGS we passed is the
default anyway and giving LINK has no effect since it's not used
anywhere in the Makefile.
-------------------------------------------------------------------
Wed Jun 14 11:42:26 UTC 2017 - tchvatal@suse.com


@ -72,6 +72,10 @@ Patch24: vsftpd-3.0.2-wnohang.patch
Patch25: vsftpd-3.0.2-fix-chown-uploads.patch
#FIX-FIX-OPENSUSE: bsc#1042673
Patch26: vsftpd-3.0.3-build-with-openssl-1.1.patch
Patch27: vsftpd-mdtm-in-utc.patch
Patch28: vsftpd-die-with-session.patch
Patch29: vsftpd-append-seek-pipe.patch
Patch30: vsftpd-3.0.3-address_space_limit.patch
BuildRequires: libcap-devel
BuildRequires: libopenssl-devel
BuildRequires: pam-devel
@ -126,12 +130,16 @@ tests.
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
%build
%define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP
rm -f dummyinc/sys/capability.h
rm dummyinc/sys/capability.h vsf_findlibs.sh
make CFLAGS="%{optflags} -DOPENSSL_NO_SSL_INTERN -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -fstack-protector --param=ssp-buffer-size=4 %{seccomp_opts}" \
LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now" LINK=
LIBS="-lpam -lcap -lssl -lcrypto"
%install
mkdir -p %{buildroot}%{_datadir}/empty
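Review bot: The removed `LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now"` was the only place in the spec that spelled out PIE and full RELRO for the link step; the commit message says these are the Makefile's defaults, but that is not visible here, and since the CFLAGS line still passes `-fPIE` and `-fstack-protector`, a link-time mismatch would go unnoticed. A quick assertion in %check or %install, running `readelf -h` and `readelf -d` on the installed vsftpd binary and failing the build unless the type is DYN and BIND_NOW is present, would keep the hardening independent of future Makefile changes. The explicit `LIBS="-lpam -lcap -lssl -lcrypto"` replacing vsf_findlibs.sh is good for reproducibility, assuming the upstream Makefile consumes LIBS, which this hunk does not show.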