Hi Adam,
first thanks for your comments.
Am Montag, den 11.05.2015, 20:27 +0100 schrieb Adam D. Barratt:
> Control: tags -1 + moreinfo
>
> On Mon, 2015-05-11 at 20:53 +0200, Jörg Frings-Fürst wrote:
> > I have 2 patches for vsftpd 3.0.2-17+deb8u1:
> >
> > - patch for CVE-2015-1419
> > - patch for Debian bug #783077
>
> Well, you also included some packaging changes, which I'm not currently
> happy with.
>
> + - Remove systemd files and directories when purging.
>
> Why? What is this achieving that isn't already handled by
> deb-systemd-helper and dpkg?
>
Yes. I have some piuparts messages about that. I check it again
tomorrow.
The changes at the .postrm file are reverted and a new debdiff is
attached.
> In any case, https://piuparts.debian.org/jessie/pass/vsftpd_3.0.2-17.log
> indicates that -17 already purges cleanly with no left-over files.
>
> Regards
>
> Adam
>
CU
Jörg
--
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB 30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key : 8CA1D25D
CAcert Key S/N : 0E:D4:56
Old pgp Key: BE581B6E (revoked since 2014-12-31).
Jörg Frings-Fürst
D-54526 Niederkail
Threema: SYR8SJXB
IRC: j_f-f@freenode.net
j_f-f@oftc.net
My wish list:
- Please send me a picture from the nature at your home.
diff -Nru vsftpd-3.0.2/debian/changelog vsftpd-3.0.2/debian/changelog
--- vsftpd-3.0.2/debian/changelog 2014-10-07 15:56:49.000000000 +0200
+++ vsftpd-3.0.2/debian/changelog 2015-05-11 21:34:05.000000000 +0200
@@ -1,3 +1,15 @@
+vsftpd (3.0.2-17+deb8u1) stable; urgency=medium
+
+ * Add patch debian/patches/0050-CVE-2015-1419.patch from 3.0.2-18:
+ - Fix config option "deny_file" not always being handled correctly
+ CVE-2015-1419 (Closes: #776922).
+ * Add patch debian/patches/0055-set_default_listen.patch from 3.0.2-19:
+ - Set the default value of tunable_listen to the same value of listen from
+ the man page vsftpd.conf (Closes: #783077).
+ * Add year 2015 to debian/copyright.
+
+ -- Jörg Frings-Fürst <debian@jff-webhosting.net> Mon, 11 May 2015 15:35:19 +0200
+
vsftpd (3.0.2-17) unstable; urgency=medium
* Add debian/patches/0035-address_space_limit.patch to increase the
diff -Nru vsftpd-3.0.2/debian/copyright vsftpd-3.0.2/debian/copyright
--- vsftpd-3.0.2/debian/copyright 2014-08-20 21:56:58.000000000 +0200
+++ vsftpd-3.0.2/debian/copyright 2015-05-11 15:47:38.000000000 +0200
@@ -10,7 +10,7 @@
Files: debian/*
Copyright: 2009-2014 Daniel Baumann <mail@daniel-baumann.ch>
- 2014 Jörg Frings-Fürst <debian@jff-webhosting.net>
+ 2014-2015 Jörg Frings-Fürst <debian@jff-webhosting.net>
License: GPL-2 with SSL exception
License: GPL-2 with SSL exception
diff -Nru vsftpd-3.0.2/debian/patches/0050-CVE-2015-1419.patch vsftpd-3.0.2/debian/patches/0050-CVE-2015-1419.patch
--- vsftpd-3.0.2/debian/patches/0050-CVE-2015-1419.patch 1970-01-01 01:00:00.000000000 +0100
+++ vsftpd-3.0.2/debian/patches/0050-CVE-2015-1419.patch 2015-02-24 16:41:52.000000000 +0100
@@ -0,0 +1,104 @@
+Description: CVE-2015-1419: config option deny_file is not handled correctly
+Author: Marcus Meissner <meissner@suse.com>
+Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922
+Last-Update: 2015-02-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/ls.c
+===================================================================
+--- trunk.orig/ls.c
++++ trunk/ls.c
+@@ -7,6 +7,7 @@
+ * Would you believe, code to handle directory listing.
+ */
+
++#include <stdlib.h>
+ #include "ls.h"
+ #include "access.h"
+ #include "defs.h"
+@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
+ struct mystr temp_str = INIT_MYSTR;
+ struct mystr brace_list_str = INIT_MYSTR;
+ struct mystr new_filter_str = INIT_MYSTR;
++ struct mystr normalize_filename_str = INIT_MYSTR;
++ const char *normname;
++ const char *path;
+ int ret = 0;
+ char last_token = 0;
+ int must_match_at_current_pos = 1;
++
+ str_copy(&filter_remain_str, p_filter_str);
+- str_copy(&name_remain_str, p_filename_str);
++
++ /* normalize filepath */
++ path = str_strdup(p_filename_str);
++ normname = realpath(path, NULL);
++ if (normname == NULL)
++ goto out;
++ str_alloc_text(&normalize_filename_str, normname);
++
++ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
++ if (str_get_char_at(p_filter_str, 0) == '/') {
++ if (str_get_char_at(&normalize_filename_str, 0) != '/') {
++ str_getcwd (&name_remain_str);
++
++ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
++ str_append_char (&name_remain_str, '/');
++
++ str_append_str (&name_remain_str, &normalize_filename_str);
++ }
++ else
++ str_copy (&name_remain_str, &normalize_filename_str);
++ } else {
++ if (str_get_char_at(p_filter_str, 0) != '{')
++ str_basename (&name_remain_str, &normalize_filename_str);
++ else
++ str_copy (&name_remain_str, &normalize_filename_str);
++ }
++ } else
++ str_copy(&name_remain_str, &normalize_filename_str);
+
+ while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
+ {
+@@ -379,6 +411,9 @@ vsf_filename_passes_filter(const struct
+ ret = 0;
+ }
+ out:
++ free(normname);
++ free(path);
++ str_free(&normalize_filename_str);
+ str_free(&filter_remain_str);
+ str_free(&name_remain_str);
+ str_free(&temp_str);
+Index: trunk/str.c
+===================================================================
+--- trunk.orig/str.c
++++ trunk/str.c
+@@ -723,3 +723,14 @@ str_replace_unprintable(struct mystr* p_
+ }
+ }
+
++void
++str_basename (struct mystr* d_str, const struct mystr* path)
++{
++ static struct mystr tmp;
++
++ str_copy (&tmp, path);
++ str_split_char_reverse(&tmp, d_str, '/');
++
++ if (str_isempty(d_str))
++ str_copy (d_str, path);
++}
+Index: trunk/str.h
+===================================================================
+--- trunk.orig/str.h
++++ trunk/str.h
+@@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst
+ int str_atoi(const struct mystr* p_str);
+ filesize_t str_a_to_filesize_t(const struct mystr* p_str);
+ unsigned int str_octal_to_uint(const struct mystr* p_str);
++void str_basename (struct mystr* d_str, const struct mystr* path);
+
+ /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
+ * buffer, starting at character position 'p_pos'. The extracted line will
diff -Nru vsftpd-3.0.2/debian/patches/0055-set_default_listen.patch vsftpd-3.0.2/debian/patches/0055-set_default_listen.patch
--- vsftpd-3.0.2/debian/patches/0055-set_default_listen.patch 1970-01-01 01:00:00.000000000 +0100
+++ vsftpd-3.0.2/debian/patches/0055-set_default_listen.patch 2015-04-21 20:45:30.000000000 +0200
@@ -0,0 +1,21 @@
+Description: Change the default of tunable_listen.
+ Change the default of tunable_listen to the same as in
+ man page vsftpd.conf.
+Author: Jörg Frings-Fürst <debian@jff-webhosting.net>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783077
+Last-Update: 2015-04-21
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/tunables.c
+===================================================================
+--- trunk.orig/tunables.c
++++ trunk/tunables.c
+@@ -182,7 +182,7 @@ tunables_load_defaults()
+ tunable_use_localtime = 0;
+ tunable_check_shell = 1;
+ tunable_hide_ids = 0;
+- tunable_listen = 1;
++ tunable_listen = 0;
+ tunable_port_promiscuous = 0;
+ tunable_passwd_chroot_enable = 0;
+ tunable_no_anon_password = 0;
diff -Nru vsftpd-3.0.2/debian/patches/series vsftpd-3.0.2/debian/patches/series
--- vsftpd-3.0.2/debian/patches/series 2014-10-05 12:05:36.000000000 +0200
+++ vsftpd-3.0.2/debian/patches/series 2015-05-11 15:39:42.000000000 +0200
@@ -19,3 +19,5 @@
0035-address_space_limit.patch
0040-disable-anonymous.patch
0045-seccomp-gettimeofday.patch
+0050-CVE-2015-1419.patch
+0055-set_default_listen.patch
Attachment:
signature.asc
Description: This is a digitally signed message part