author | Chris White <chriswhite@gentoo.org> | 2006-10-11 01:37:46 +0000 |
---|---|---|
committer | Chris White <chriswhite@gentoo.org> | 2006-10-11 01:37:46 +0000 |
commit | ef31d3afb3e955ec4a0391c2a9fcf2ae9e5eae14 (patch) | |
tree | 5449bccb6371367752e8f0ed3cf075101522229f | |
parent | Returning it from the attic until vultureng can be updated. thanks Mr.Bones. (diff) | |
download | gentoo-2-ef31d3afb3e955ec4a0391c2a9fcf2ae9e5eae14.tar.gz gentoo-2-ef31d3afb3e955ec4a0391c2a9fcf2ae9e5eae14.tar.bz2 gentoo-2-ef31d3afb3e955ec4a0391c2a9fcf2ae9e5eae14.zip |
Security bump for bug #384454.
(Portage version: 2.1.2_pre1)
-rw-r--r-- | net-ftp/ftpd/ChangeLog | 8 | ||||
-rw-r--r-- | net-ftp/ftpd/files/digest-ftpd-0.17-r4 | 6 | ||||
-rw-r--r-- | net-ftp/ftpd/files/ftpd-0.17-setguid.patch | 66 | ||||
-rw-r--r-- | net-ftp/ftpd/ftpd-0.17-r4.ebuild | 62 |
4 files changed, 141 insertions, 1 deletions
diff --git a/net-ftp/ftpd/ChangeLog b/net-ftp/ftpd/ChangeLog index a88611a1eb61..f8a83c9b78e5 100644 --- a/net-ftp/ftpd/ChangeLog +++ b/net-ftp/ftpd/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for net-ftp/ftpd # Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-ftp/ftpd/ChangeLog,v 1.26 2006/08/06 02:14:05 chriswhite Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-ftp/ftpd/ChangeLog,v 1.27 2006/10/11 01:37:46 chriswhite Exp $ + +*ftpd-0.17-r4 (11 Oct 2006) + + 11 Oct 2006; Chris White <chriswhite@gentoo.org> + +files/ftpd-0.17-setguid.patch, +ftpd-0.17-r4.ebuild: + Security bump for bug #384454. 05 Aug 2006; Chris White <chriswhite@gentoo.org> -ftpd-0.17.ebuild, -ftpd-0.17-r1.ebuild, -ftpd-0.17-r2.ebuild: diff --git a/net-ftp/ftpd/files/digest-ftpd-0.17-r4 b/net-ftp/ftpd/files/digest-ftpd-0.17-r4 new file mode 100644 index 000000000000..9c0de1ba222e --- /dev/null +++ b/net-ftp/ftpd/files/digest-ftpd-0.17-r4 @@ -0,0 +1,6 @@ +MD5 0b9185d5144904798b721354ea9ff156 linux-ftpd-0.17-ssl.patch 36459 +RMD160 5a0d7301f69b4c1714f36419f98134f9aa0ce874 linux-ftpd-0.17-ssl.patch 36459 +SHA256 0082ee6a71fdd83f61e63166f7bbba97c204cdc67f9e1bf10f2df31590fba780 linux-ftpd-0.17-ssl.patch 36459 +MD5 f5f491564812db5d8783daa538c49186 linux-ftpd-0.17.tar.gz 46763 +RMD160 869e410d8f063c764c04f1d3b41b625a9d679d22 linux-ftpd-0.17.tar.gz 46763 +SHA256 65a0b249e38bf3c3a16dbd4d3edd2657683ca8f47b307e92007f378b21d2fa65 linux-ftpd-0.17.tar.gz 46763 diff --git a/net-ftp/ftpd/files/ftpd-0.17-setguid.patch b/net-ftp/ftpd/files/ftpd-0.17-setguid.patch new file mode 100644 index 000000000000..f25b2b3e4aa3 --- /dev/null +++ b/net-ftp/ftpd/files/ftpd-0.17-setguid.patch 
@@ -0,0 +1,66 @@
+--- linux-ftpd-0.17/ftpd/popen.c.bak 1999-07-16 11:12:54.000000000 +1000
++++ linux-ftpd-0.17/ftpd/popen.c 2006-08-25 13:31:33.950447078 +1000
+@@ -169,8 +169,13 @@
+ * XXX: this doesn't seem right... and shouldn't
+ * we initgroups, or at least setgroups(0,0)?
+ */
+- setgid(getegid());
+- setuid(i);
++
++/*
++ * PSz 25 Aug 06 Must check the return status of these setgid/setuid calls,
++ * see http://www.bress.net/blog/archives/34-setuid-madness.html
++ */
++ if ( setgid(geteuid()) != 0 ) _exit(1);
++ if ( setuid(i) != 0 ) _exit(1);
+
+ #ifndef __linux__
+ /*
+--- linux-ftpd-0.17/ftpd/ftpd.c.bak 2006-08-25 12:53:25.277537000 +1000
++++ linux-ftpd-0.17/ftpd/ftpd.c 2006-08-25 13:46:28.798975583 +1000
+@@ -1159,6 +1159,13 @@
+ }
+ strcpy(pw->pw_dir, "/");
+ setenv("HOME", "/", 1);
++ }
++ /* PSz 25 Aug 06 chdir for real users done after setting UID */
++ if (seteuid((uid_t)pw->pw_uid) < 0) {
++ reply(550, "Can't set uid.");
++ goto bad;
++ }
++ if (guest || dochroot) { /* do nothing, handled above */
+ } else if (chdir(pw->pw_dir) < 0) {
+ if (chdir("/") < 0) {
+ reply(530, "User %s: can't change directory to %s.",
+@@ -1167,10 +1174,7 @@
+ } else
+ lreply(230, "No directory! Logging in with home=/");
+ }
+- if (seteuid((uid_t)pw->pw_uid) < 0) {
+- reply(550, "Can't set uid.");
+- goto bad;
+- }
++
+ sigfillset(&allsigs);
+ sigprocmask(SIG_UNBLOCK,&allsigs,NULL);
+
+@@ -1408,7 +1412,8 @@
+ goto bad;
+ sleep(tries);
+ }
+- (void) seteuid((uid_t)pw->pw_uid);
++/* PSz 25 Aug 06 Check return status */
++ if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
+ sigfillset(&allsigs);
+ sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
+
+@@ -1440,7 +1445,8 @@
+ bad:
+ /* Return the real value of errno (close may change it) */
+ t = errno;
+- (void) seteuid((uid_t)pw->pw_uid);
++/* PSz 25 Aug 06 Check return status */
++ if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
+ sigfillset (&allsigs);
+ sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
+ (void) close(s);
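Review bot: The rewritten popen.c call passes the wrong id to setgid(): the removed line was `setgid(getegid())`, but the added one is `if ( setgid(geteuid()) != 0 ) _exit(1);`, so the child's group would be set to the numeric value of the effective UID instead of the effective GID. Unless that swap is intentional, which nothing in the hunk suggests, the line should read `if ( setgid(getegid()) != 0 ) _exit(1);`. The XXX comment kept just above still asks about `initgroups`/`setgroups(0,0)` and the patch does not answer it, so supplementary groups appear to be left as inherited at this point. The enclosing functions in popen.c and ftpd.c start and end outside the inner hunks, so the ordering of chroot, seteuid and chdir in ftpd.c can only be partly checked from here.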
diff --git a/net-ftp/ftpd/ftpd-0.17-r4.ebuild b/net-ftp/ftpd/ftpd-0.17-r4.ebuild
new file mode 100644
index 000000000000..824de5f3f432
--- /dev/null
+++ b/net-ftp/ftpd/ftpd-0.17-r4.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-ftp/ftpd/ftpd-0.17-r4.ebuild,v 1.1 2006/10/11 01:37:46 chriswhite Exp $
+
+inherit eutils ssl-cert
+
+DESCRIPTION="The netkit FTP server with optional SSL support"
+HOMEPAGE="http://www.hcs.harvard.edu/~dholland/computers/netkit.html"
+SRC_URI="ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/linux-${P}.tar.gz
+ mirror://gentoo/linux-${P}-ssl.patch"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ppc ~sparc ~x86"
+IUSE="ssl"
+
+DEPEND="ssl? ( dev-libs/openssl )"
+
+RDEPEND="${DEPEND}
+ virtual/inetd"
+
+S=${WORKDIR}/linux-${P}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ use ssl && epatch "${DISTDIR}/linux-${P}-ssl.patch"
+ epatch "${FILESDIR}/${P}-shadowfix.patch"
+
+ # fixes gcc 4.1 compatibility
+ epatch "${FILESDIR}/${P}-gcc41.patch"
+
+ # setguid fix
+ epatch "${FILESDIR}"/${P}-setguid.patch
+}
+
+src_compile() {
+ ./configure --prefix=/usr || die "configure failed"
+ cp MCONFIG MCONFIG.orig
+ sed -e "s:-pipe -O2:${CFLAGS}:" MCONFIG.orig > MCONFIG
+ emake || die "parallel make failed"
+}
+
+src_install() {
+ dobin ftpd/ftpd
+ doman ftpd/ftpd.8
+ dodoc README ChangeLog
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/ftp.xinetd" ftp
+ if use ssl; then
+ insinto /etc/ssl/certs/
+ docert ftpd
+ fi
+}
+
+pkg_postinst() {
+ if use ssl; then
+ einfo "In order to start the server with SSL support"
+ einfo "You need a certificate /etc/ssl/certs/ftpd.pem."
+ einfo "A temporary certificiate has been created."
+ fi
+}
|
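Review bot: In `src_compile` the `cp MCONFIG MCONFIG.orig` and `sed ... MCONFIG.orig > MCONFIG` steps have no `|| die`, so a failed substitution would leave a truncated or unmodified MCONFIG and only surface later, if at all; `sed -e "s:-pipe -O2:${CFLAGS}:" MCONFIG.orig > MCONFIG || die "sed failed"` would make that explicit. The new `epatch "${FILESDIR}"/${P}-setguid.patch` line is quoted differently from the three epatch calls above it; `epatch "${FILESDIR}/${P}-setguid.patch"` would match them. The `pkg_postinst` message spells "certificiate", and since `docert ftpd` only produces a temporary certificate, the message could also say that it should be replaced before the server is exposed.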