Accepting request 950535 from home:psimons:branches:network

Import patches from SLE-15-SP2.

OBS-URL: https://build.opensuse.org/request/show/950535
OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=153

vsftpd-2.0.4-dmapi.patch

@@ -1,8 +1,8 @@
-Index: postlogin.c
+Index: vsftpd-3.0.5/postlogin.c
 ===================================================================
---- postlogin.c.orig	2012-04-10 16:09:50.440384915 +0200
-+++ postlogin.c	2012-04-10 16:10:01.193753389 +0200
-@@ -1053,6 +1053,11 @@
+--- vsftpd-3.0.5.orig/postlogin.c	2015-07-22 21:03:22.000000000 +0200
++++ vsftpd-3.0.5/postlogin.c	2022-02-01 20:12:02.710908421 +0100
+@@ -1061,6 +1061,11 @@ handle_upload_common(struct vsf_session*
      {
        do_truncate = 1;
      }

vsftpd-2.0.4-enable-ssl.patch

@@ -1,5 +1,7 @@
---- builddefs.h.orig
-+++ builddefs.h
+Index: vsftpd-3.0.5/builddefs.h
+===================================================================
+--- vsftpd-3.0.5.orig/builddefs.h	2021-08-02 09:01:43.000000000 +0200
++++ vsftpd-3.0.5/builddefs.h	2022-02-01 20:12:01.538925293 +0100
 @@ -3,7 +3,7 @@
  
  #undef VSF_BUILD_TCPWRAPPERS

vsftpd-2.0.5-enable-debuginfo.patch

@@ -1,8 +1,8 @@
-Index: Makefile
+Index: vsftpd-3.0.5/Makefile
 ===================================================================
---- Makefile.orig	2012-04-03 09:21:18.000000000 +0200
-+++ Makefile	2012-04-10 16:10:53.545547162 +0200
-@@ -9,7 +9,6 @@
+--- vsftpd-3.0.5.orig/Makefile	2012-09-16 09:27:35.000000000 +0200
++++ vsftpd-3.0.5/Makefile	2022-02-01 20:12:04.538882105 +0100
+@@ -9,7 +9,6 @@ CFLAGS	=	-O2 -fPIE -fstack-protector --p
  	#-pedantic -Wconversion
  
  LIBS	=	`./vsf_findlibs.sh`
@@ -10,7 +10,7 @@ Index: Makefile
  LDFLAGS	=	-fPIE -pie -Wl,-z,relro -Wl,-z,now
  
  OBJS	=	main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
-@@ -26,7 +25,7 @@
+@@ -26,7 +25,7 @@ OBJS	=	main.o utility.o prelogin.o ftpcm
  	$(CC) -c $*.c $(CFLAGS) $(IFLAGS)
  
  vsftpd: $(OBJS) 

vsftpd-2.0.5-utf8-log-names.patch

@@ -1,8 +1,8 @@
-Index: str.c
+Index: vsftpd-3.0.5/str.c
 ===================================================================
---- str.c.orig	2012-03-28 17:25:40.000000000 +0200
-+++ str.c	2012-04-10 16:10:59.965767345 +0200
-@@ -27,6 +27,24 @@
+--- vsftpd-3.0.5.orig/str.c	2012-09-16 09:09:06.000000000 +0200
++++ vsftpd-3.0.5/str.c	2022-02-01 20:12:05.458868861 +0100
+@@ -27,6 +27,24 @@ static int str_equal_internal(const char
                                const char* p_buf2, unsigned int buf2_len);
  
  /* Private functions */
@@ -27,7 +27,7 @@ Index: str.c
  static void
  s_setbuf(struct mystr* p_str, char* p_newbuf)
  {
-@@ -181,6 +199,45 @@
+@@ -181,6 +199,45 @@ str_reserve(struct mystr* p_str, unsigne
    p_str->p_buf[res_len - 1] = '\0';
  }
  
@@ -73,29 +73,26 @@ Index: str.c
  int
  str_isempty(const struct mystr* p_str)
  {
-@@ -702,11 +759,13 @@
+@@ -702,6 +759,7 @@ void
  str_replace_unprintable(struct mystr* p_str, char new_char)
  {
    unsigned int i;
--  for (i=0; i < p_str->len; i++)
--  {
--    if (!vsf_sysutil_isprint(p_str->p_buf[i]))
 +  if( !str_is_utf8( p_str ) ) {
-+    for (i=0; i < p_str->len; i++)
-     {
--      p_str->p_buf[i] = new_char;
-+      if (!vsf_sysutil_isprint(p_str->p_buf[i]))
-+      {
-+        p_str->p_buf[i] = new_char;
-+      }
+   for (i=0; i < p_str->len; i++)
+   {
+     if (!vsf_sysutil_isprint(p_str->p_buf[i]))
+@@ -709,5 +767,6 @@ str_replace_unprintable(struct mystr* p_
+       p_str->p_buf[i] = new_char;
      }
    }
++  }
  }
-Index: str.h
+ 
+Index: vsftpd-3.0.5/str.h
 ===================================================================
---- str.h.orig	2008-12-17 06:53:23.000000000 +0100
-+++ str.h	2012-04-10 16:10:59.965767345 +0200
-@@ -36,6 +36,7 @@
+--- vsftpd-3.0.5.orig/str.h	2012-09-16 09:01:52.000000000 +0200
++++ vsftpd-3.0.5/str.h	2022-02-01 20:12:05.458868861 +0100
+@@ -36,6 +36,7 @@ void str_free(struct mystr* p_str);
  void str_trunc(struct mystr* p_str, unsigned int trunc_len);
  void str_reserve(struct mystr* p_str, unsigned int res_len);
  

vsftpd-2.0.5-vuser.patch

@@ -1,5 +1,7 @@
---- EXAMPLE/VIRTUAL_USERS/vsftpd.pam.orig
-+++ EXAMPLE/VIRTUAL_USERS/vsftpd.pam
+Index: vsftpd-3.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam
+===================================================================
+--- vsftpd-3.0.5.orig/EXAMPLE/VIRTUAL_USERS/vsftpd.pam	2008-02-02 02:30:40.000000000 +0100
++++ vsftpd-3.0.5/EXAMPLE/VIRTUAL_USERS/vsftpd.pam	2022-02-01 20:12:03.670894600 +0100
 @@ -1,2 +1,2 @@
 -auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
 -account required /lib/security/pam_userdb.so db=/etc/vsftpd_login

vsftpd-2.3.5-conf.patch

@@ -1,7 +1,7 @@
-Index: vsftpd.conf
+Index: vsftpd-3.0.5/vsftpd.conf
 ===================================================================
---- vsftpd.conf.orig
-+++ vsftpd.conf
+--- vsftpd-3.0.5.orig/vsftpd.conf	2011-12-17 19:24:40.000000000 +0100
++++ vsftpd-3.0.5/vsftpd.conf	2022-02-01 20:12:06.546853199 +0100
 @@ -4,23 +4,89 @@
  # loosens things up a bit, to make the ftp daemon more usable.
  # Please see vsftpd.conf.5 for all compiled in defaults.

vsftpd-openlog-force.patch

@@ -0,0 +1,18 @@
+Force openlog() to open log immediately iff force!=0.
+Otherwise is log opened on first syslog() call which may be
+after the privileges are dropped and new file descriptors
+cannot be created.
+
+Index: vsftpd-3.0.5/sysutil.c
+===================================================================
+--- vsftpd-3.0.5.orig/sysutil.c	2022-02-01 19:38:36.487789134 +0100
++++ vsftpd-3.0.5/sysutil.c	2022-02-01 19:44:08.787005494 +0100
+@@ -2700,7 +2700,7 @@ vsf_sysutil_openlog(int force)
+ {
+   int facility = LOG_DAEMON;
+   int option = LOG_PID;
+-  if (!force)
++  if (force)
+   {
+     option |= LOG_NDELAY;
+   }

vsftpd-seccomp-getrandom.patch

@@ -0,0 +1,15 @@
+Index: vsftpd-3.0.5/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.5.orig/seccompsandbox.c	2022-02-01 19:47:13.916340458 +0100
++++ vsftpd-3.0.5/seccompsandbox.c	2022-02-01 19:51:24.196737535 +0100
+@@ -406,6 +406,10 @@ seccomp_sandbox_setup_prelogin(const str
+   {
+     allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+     allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
++    // called from openssl's RAND_poll which is invoked in FIPS mode when the DRBG is seeded
++    allow_nr(__NR_getrandom);
++    allow_nr_1_arg_mask(__NR_open, 2, O_RDONLY|O_NOCTTY|O_NONBLOCK|O_CLOEXEC);
++    allow_nr(__NR_getuid);
+   }
+   if (tunable_syslog_enable)
+   {

vsftpd-seccomp-ssl.patch

@@ -0,0 +1,15 @@
+SSL initialization calls RAND_load_file() which needs stat() enabled.
+
+Index: vsftpd-3.0.3/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.3.orig/seccompsandbox.c	2021-12-21 15:33:01.491786690 +0100
++++ vsftpd-3.0.3/seccompsandbox.c	2021-12-21 15:33:01.499786535 +0100
+@@ -559,6 +559,8 @@ seccomp_sandbox_setup_postlogin_broker()
+     allow_nr(__NR_fstat);
+     allow_nr(__NR_fchown);
+     allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
++    // called by RAND_load_file
++    allow_nr(__NR_stat);
+   }
+   if (tunable_syslog_enable)
+   {

vsftpd-seccomp-wait4.patch

@@ -0,0 +1,14 @@
+Broker has to wait for its child.
+
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
++++ vsftpd-3.0.2/seccompsandbox.c
+@@ -540,6 +540,7 @@ seccomp_sandbox_setup_postlogin_broker()
+   seccomp_sandbox_setup_base();
+   seccomp_sandbox_setup_data_connections();
+   allow_nr_1_arg_match(__NR_sendmsg, 3, 0);
++  allow_nr(__NR_wait4);
+   if (tunable_chown_uploads)
+   {
+     allow_nr(__NR_fstat);

vsftpd.changes

@@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Tue Feb  1 18:42:41 UTC 2022 - Peter Simons <psimons@suse.com>
+
+- Add "seccomp-fixes.patch" to fix the syscall architecture offset
+  from 4 to 5, this change was documented in
+  <https://lore.kernel.org/patchwork/patch/554803/>.
+
+- Add "vsftpd-openlog-force.patch" to a logic error in the way the
+  force option for syslog's openlog() call was handled.
+
+- Add "vsftpd-seccomp-getrandom.patch" to fix a seccomp failure in
+  FIPS mode when SSL was enabled. [bsc#1052900]
+
+- Add "vsftpd-seccomp-ssl.patch" to allow stat() to be called,
+  which is required during SSL initialization by RAND_load_file().
+
+- Add "vsftpd-seccomp-wait4.patch" to allow wait4() to be called so
+  that the broker can wait for its child processes.
+
+- Refresh patches to -p1 style so that we can use %autosetup:
+  * vsftpd-2.0.4-dmapi.patch
+  * vsftpd-2.0.4-enable-ssl.patch
+  * vsftpd-2.0.5-enable-debuginfo.patch
+  * vsftpd-2.0.5-utf8-log-names.patch
+  * vsftpd-2.0.5-vuser.patch
+  * vsftpd-2.3.5-conf.patch
+
 -------------------------------------------------------------------
 Wed Jan  5 10:21:02 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 
@@ -22,11 +49,31 @@ Tue Jun 15 07:49:13 AM UTC 2021 - Peter Simons <psimons@suse.com>
   * Close the control connection after 10 unknown commands pre-login.
   * Reject any TLS ALPN advertisement that's not 'ftp'.
   * Add ssl_sni_hostname option to require a match on incoming SNI hostname.
+  * The options "ssl_tlsv1_1", "ssl_tlsv1_2", and "ssl_tlsv1_3"
+    have been renamed to "ssl_tlsv11", "ssl_tlsv12", and
+    "ssl_tlsv13" respectively. Note that the man page has not been
+    updated accordingly.
 
 - Upstream has a new GPG key (7B89011BCAE1CFEA).
 
 - "0001-Introduce-TLSv1.1-and-TLSv1.2-options.patch" is now obsolete.
 
+- "0001-Introduce-TLSv1.3-option.patch" is now obsolete.
+
+-------------------------------------------------------------------
+Mon Jun 14 14:26:05 UTC 2021 - Peter Simons <psimons@suse.com>
+
+- OpenSSL was updated to version 1.1.1 in SLE-15-SP2, adding
+  support for the TLSv1.3 protocol. As a consequence, some SLE-15
+  applications that link OpenSSL for TLS support -- like vsftpd --,
+  gained the ability to use the newer TLS protocol, which created
+  interoperability problems with FTP clients in some cases. To
+  remedy the situation, "0001-Introduce-TLSv1.3-option.patch" was
+  applied in a forked SLE-15-SP2 version of vsftpd. The patch adds
+  the configuration option "ssl_tlsv1_3" that system administrators
+  can use to disable TLSv1.3 support on their servers.
+  [bsc#1187188]
+
 -------------------------------------------------------------------
 Thu Dec  3 11:20:20 UTC 2020 - Ismail Dönmez <idonmez@suse.com>
 

vsftpd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package vsftpd
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -88,6 +88,10 @@ Patch33:        vsftpd-avoid-bogus-ssl-write.patch
 Patch35:        0001-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
 # PATCH-FIX-UPSTREAM https://bugzilla.suse.com/show_bug.cgi?id=1179553
 Patch36:        seccomp-fixes.patch
+Patch37:        vsftpd-openlog-force.patch
+Patch38:        vsftpd-seccomp-getrandom.patch
+Patch39:        vsftpd-seccomp-ssl.patch
+Patch40:        vsftpd-seccomp-wait4.patch
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  pam-devel
@@ -121,40 +125,7 @@ vsftpd was always faster, supporting over twice as many users in some
 tests.
 
 %prep
-%setup -q
-%patch1 -p1
-%patch3 -p1
-%patch4
-%patch5
-%patch6
-%patch7
-%patch8
-%patch9
-%patch10 -p1
-%patch11 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch35 -p1
-%patch36 -p1
+%autosetup -p1
 
 %build
 %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP