forked from pool/vsftpd

Import missing patches from SLE-12-SP4.

OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=156
Peter Simons 2022-02-02 10:24:40 +00:00 committed by Git OBS Bridge
parent dc5119fcfb
commit fa78574173
5 changed files with 96 additions and 0 deletions

@ -0,0 +1,26 @@
Index: vsftpd-3.0.5/tunables.c
===================================================================
--- vsftpd-3.0.5.orig/tunables.c 2022-02-02 10:58:56.589962539 +0100
+++ vsftpd-3.0.5/tunables.c 2022-02-02 11:00:17.600782133 +0100
@@ -295,7 +295,7 @@ tunables_load_defaults()
install_str_setting("/usr/share/ssl/certs/vsftpd.pem",
&tunable_rsa_cert_file);
install_str_setting(0, &tunable_dsa_cert_file);
- install_str_setting("ECDHE-RSA-AES256-GCM-SHA384", &tunable_ssl_ciphers);
+ install_str_setting("DEFAULT_SUSE", &tunable_ssl_ciphers);
install_str_setting(0, &tunable_rsa_private_key_file);
install_str_setting(0, &tunable_dsa_private_key_file);
install_str_setting(0, &tunable_ca_certs_file);
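Review bot: "DEFAULT_SUSE" at the `+` line is a system-wide policy alias, not an OpenSSL cipher suite name, and vsftpd hands tunable_ssl_ciphers to OpenSSL unchanged, so the new default only works on a system whose OpenSSL configuration defines that alias; a one-line comment next to `install_str_setting("DEFAULT_SUSE", &tunable_ssl_ciphers);` stating that dependency (and that `openssl ciphers -v DEFAULT_SUSE`, as the changelog suggests, shows what it expands to) would save the next maintainer a surprise when the patch is carried to a different base.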
Index: vsftpd-3.0.5/vsftpd.conf.5
===================================================================
--- vsftpd-3.0.5.orig/vsftpd.conf.5 2022-02-02 10:58:56.589962539 +0100
+++ vsftpd-3.0.5/vsftpd.conf.5 2022-02-02 11:01:58.855306755 +0100
@@ -1025,7 +1025,7 @@ man page for further details. Note that
security precaution as it prevents malicious remote parties forcing a cipher
which they have found problems with.
-Default: DES-CBC3-SHA
+Default: DEFAULT_SUSE
.TP
.B ssl_sni_hostname
If set, SSL connections will be rejected unless the SNI hostname in the
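Review bot: the documented default "DES-CBC3-SHA" at the `-` line never matched the code default "ECDHE-RSA-AES256-GCM-SHA384" removed in the tunables.c hunk, so this hunk also fixes a pre-existing man page/code mismatch; since "DEFAULT_SUSE" is a policy alias rather than a cipher suite, the man page text should say so and point readers to `openssl ciphers -v DEFAULT_SUSE`, otherwise an administrator reading "Default: DEFAULT_SUSE" has no way to tell which ciphers are actually enabled.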

@ -0,0 +1,30 @@
From: mvyskocil@suse.com
Subject: enable /dev/log related socket call
Linux-PAM try to open /dev/log, but as socket is not enabled in seccomp
sandbox, daemon is killed by SIGSYS. Because the attempt is made by process
with RLIMIT_NOFILE, the correct fix would be to test if we can open a new fd in
pam. Anyway I would say the risc is small, and other socket syscalls are disabled.
Fixes: https://bugzilla.novell.com/show_bug.cgi?id=786024
Index: vsftpd-3.0.5/seccompsandbox.c
===================================================================
--- vsftpd-3.0.5.orig/seccompsandbox.c 2022-02-02 11:03:38.133860169 +0100
+++ vsftpd-3.0.5/seccompsandbox.c 2022-02-02 11:03:38.177859528 +0100
@@ -366,6 +366,15 @@ seccomp_sandbox_init()
{
bug("bad state in seccomp_sandbox_init");
}
+
+ //this is very probably an attempt to open /dev/log
+ //it fails because process cannot open any file, so it might be safe
+ //socket(PF_FILE, SOCK_DGRAM|SOCK_CLOEXEC, 0) = -1 EMFILE (Too many open files)
+ allow_nr_3_arg_match(__NR_socket,
+ 1, PF_FILE,
+ 2, SOCK_DGRAM | SOCK_CLOEXEC,
+ 3, 0);
+
}
void
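Review bot: the safety argument in the comment ("it fails because process cannot open any file, so it might be safe") is not enforced by the rule itself: `allow_nr_3_arg_match(__NR_socket, 1, PF_FILE, 2, SOCK_DGRAM | SOCK_CLOEXEC, 3, 0)` admits any PF_FILE datagram socket creation, and the EMFILE outcome quoted in the comment only happens when the fd limit (the patch description mentions RLIMIT_NOFILE) has been lowered before the sandboxed code runs. The comment should name where that limit is applied so a later change to it does not silently widen this allowance, and it should describe the intent (let Linux-PAM's syslog open attempt fail with EMFILE instead of SIGSYS) rather than pasting the strace line.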

@ -0,0 +1,21 @@
Enable sendto for syslog logging to /dev/log in prelogin
We write to log from check_limits() and therefore we have to allow
sendto() for syslog otherwise sandbox will kill the child.
Index: vsftpd-3.0.2/seccompsandbox.c
===================================================================
--- vsftpd-3.0.2.orig/seccompsandbox.c
+++ vsftpd-3.0.2/seccompsandbox.c
@@ -388,6 +388,11 @@ seccomp_sandbox_setup_prelogin(const str
1, PF_FILE,
2, SOCK_DGRAM | SOCK_CLOEXEC,
3, 0);
+ // allow syslog logs from check_limits()
+ if (tunable_syslog_enable)
+ {
+ allow_nr_1_arg_match(__NR_sendto, 6, 0);
+ }
}
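Review bot: `allow_nr_1_arg_match(__NR_sendto, 6, 0);` pins only sendto()'s sixth argument (addrlen == 0), i.e. send-style calls on an already connected socket, which is the right shape for syslog's connected /dev/log socket, but the rule applies to any fd, so the comment should say why argument 6 is the one being matched instead of just "allow syslog logs from check_limits()". Also, the socket() rule in the context lines above is unconditional while this sendto() rule is gated on tunable_syslog_enable; if both exist only for syslog, they should be gated the same way. Minor: the Index paths use vsftpd-3.0.2/ while the other two patches use vsftpd-3.0.5/; it applies with -p1 either way, but normalising the prefix avoids confusion about which tree the patch was taken from.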

@ -32,6 +32,14 @@ Tue Feb 1 18:42:41 UTC 2022 - Peter Simons <psimons@suse.com>
configurations and it was never documented anywhere -- not in the configurations and it was never documented anywhere -- not in the
package's changelog and not in the packages's own man page. package's changelog and not in the packages's own man page.
- Apply "use-system-wide-tls-cipher-policy.patch" so that vsftpd
follows the system-wide TLS cipher policy "DEFAULT_SUSE" by
default. Run the command "openssl ciphers -v DEFAULT_SUSE" to see
which ciphers this includes.
- Apply "add vsftpd-allow-dev-log-socket.patch" to allow sendto()
syscall when /dev/log support is enabled. [bnc#786024]
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jan 5 10:21:02 UTC 2022 - Johannes Segitz <jsegitz@suse.com> Wed Jan 5 10:21:02 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
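Review bot: the second new changelog item does not match the spec: it names "add vsftpd-allow-dev-log-socket.patch" (stray "add") and says the patch allows sendto(), but the sendto() rule lives in vsftpd-enable-sendto-for-prelogin-syslog.patch (Patch44), whereas vsftpd-allow-dev-log-socket.patch (Patch43) allows the socket() call in seccomp_sandbox_init(). Suggest one item per patch, e.g. "- Apply vsftpd-allow-dev-log-socket.patch to allow the socket() call Linux-PAM makes for /dev/log under the seccomp sandbox. [bnc#786024]" and "- Apply vsftpd-enable-sendto-for-prelogin-syslog.patch to allow sendto() for syslog from check_limits() in the prelogin sandbox."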
@ -67,6 +75,8 @@ Tue Jun 15 07:49:13 AM UTC 2021 - Peter Simons <psimons@suse.com>
- "0001-Introduce-TLSv1.3-option.patch" is now obsolete. - "0001-Introduce-TLSv1.3-option.patch" is now obsolete.
- "vsftpd-seccomp-syslog.patch" is now obsolete.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jun 14 14:26:05 UTC 2021 - Peter Simons <psimons@suse.com> Mon Jun 14 14:26:05 UTC 2021 - Peter Simons <psimons@suse.com>
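Review bot: this hunk appends a line to the already-published Jun 15 2021 entry instead of the current one; rewriting an old entry is only justified if the SLE-12-SP4 changelog really carried that line and this commit is reconciling the two files (plausible given the commit message), otherwise "vsftpd-seccomp-syslog.patch" is now obsolete belongs in the Feb 1 2022 entry where readers will look for what changed in this revision.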
@ -260,6 +270,12 @@ Wed Mar 23 10:07:55 UTC 2016 - tchvatal@suse.com
- Require shadow and do not output the error out of useradd - Require shadow and do not output the error out of useradd
-------------------------------------------------------------------
Tue Mar 22 14:56:05 UTC 2016 - tchvatal@suse.com
- Fix hang when using seccomp and syslog bnc#971784:
* vsftpd-seccomp-syslog.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Mar 22 14:27:27 UTC 2016 - tchvatal@suse.com Tue Mar 22 14:27:27 UTC 2016 - tchvatal@suse.com
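Review bot: the imported 2016 entry attributes bnc#971784 to vsftpd-seccomp-syslog.patch, which the hunk above marks obsolete and which does not appear among the Patch lines in the spec; if vsftpd-enable-sendto-for-prelogin-syslog.patch is its replacement, the current entry should say so and carry the bnc#971784 reference so the bug stays traceable from the patch that actually fixes it.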

@ -93,6 +93,9 @@ Patch38: vsftpd-seccomp-getrandom.patch
Patch39: vsftpd-seccomp-ssl.patch Patch39: vsftpd-seccomp-ssl.patch
Patch40: vsftpd-seccomp-wait4.patch Patch40: vsftpd-seccomp-wait4.patch
Patch41: revert-undocumented-config-file-format-changes.patch Patch41: revert-undocumented-config-file-format-changes.patch
Patch42: use-system-wide-tls-cipher-policy.patch
Patch43: vsftpd-allow-dev-log-socket.patch
Patch44: vsftpd-enable-sendto-for-prelogin-syslog.patch
BuildRequires: libcap-devel BuildRequires: libcap-devel
BuildRequires: libopenssl-devel BuildRequires: libopenssl-devel
BuildRequires: pam-devel BuildRequires: pam-devel
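Review bot: only the Patch42..Patch44 declarations are in this hunk; the %prep lines that apply them are not shown, so confirm each is applied (with -p1, since the Index paths carry a vsftpd-3.0.5/ or vsftpd-3.0.2/ prefix) unless the spec uses %autopatch. Ordering also matters: the context lines of Patch44 show the PF_FILE socket() rule already present in seccomp_sandbox_setup_prelogin(), so Patch44 must be applied after whichever patch introduced that rule or it will not apply cleanly.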