authorChris White <chriswhite@gentoo.org>2006-10-11 01:37:46 +0000
committerChris White <chriswhite@gentoo.org>2006-10-11 01:37:46 +0000
commitef31d3afb3e955ec4a0391c2a9fcf2ae9e5eae14 (patch)
tree5449bccb6371367752e8f0ed3cf075101522229f /net-ftp
parentReturning it from the attic until vultureng can be updated. thanks Mr.Bones. (diff)
Security bump for bug #384454.
(Portage version: 2.1.2_pre1)
Diffstat (limited to 'net-ftp')
-rw-r--r--net-ftp/ftpd/ChangeLog8
-rw-r--r--net-ftp/ftpd/files/digest-ftpd-0.17-r46
-rw-r--r--net-ftp/ftpd/files/ftpd-0.17-setguid.patch66
-rw-r--r--net-ftp/ftpd/ftpd-0.17-r4.ebuild62
4 files changed, 141 insertions, 1 deletions
diff --git a/net-ftp/ftpd/ChangeLog b/net-ftp/ftpd/ChangeLog
index a88611a1eb61..f8a83c9b78e5 100644
--- a/net-ftp/ftpd/ChangeLog
+++ b/net-ftp/ftpd/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for net-ftp/ftpd
# Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-ftp/ftpd/ChangeLog,v 1.26 2006/08/06 02:14:05 chriswhite Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-ftp/ftpd/ChangeLog,v 1.27 2006/10/11 01:37:46 chriswhite Exp $
+
+*ftpd-0.17-r4 (11 Oct 2006)
+
+ 11 Oct 2006; Chris White <chriswhite@gentoo.org>
+ +files/ftpd-0.17-setguid.patch, +ftpd-0.17-r4.ebuild:
+ Security bump for bug #384454.
05 Aug 2006; Chris White <chriswhite@gentoo.org> -ftpd-0.17.ebuild,
-ftpd-0.17-r1.ebuild, -ftpd-0.17-r2.ebuild:
diff --git a/net-ftp/ftpd/files/digest-ftpd-0.17-r4 b/net-ftp/ftpd/files/digest-ftpd-0.17-r4
new file mode 100644
index 000000000000..9c0de1ba222e
--- /dev/null
+++ b/net-ftp/ftpd/files/digest-ftpd-0.17-r4
@@ -0,0 +1,6 @@
+MD5 0b9185d5144904798b721354ea9ff156 linux-ftpd-0.17-ssl.patch 36459
+RMD160 5a0d7301f69b4c1714f36419f98134f9aa0ce874 linux-ftpd-0.17-ssl.patch 36459
+SHA256 0082ee6a71fdd83f61e63166f7bbba97c204cdc67f9e1bf10f2df31590fba780 linux-ftpd-0.17-ssl.patch 36459
+MD5 f5f491564812db5d8783daa538c49186 linux-ftpd-0.17.tar.gz 46763
+RMD160 869e410d8f063c764c04f1d3b41b625a9d679d22 linux-ftpd-0.17.tar.gz 46763
+SHA256 65a0b249e38bf3c3a16dbd4d3edd2657683ca8f47b307e92007f378b21d2fa65 linux-ftpd-0.17.tar.gz 46763
diff --git a/net-ftp/ftpd/files/ftpd-0.17-setguid.patch b/net-ftp/ftpd/files/ftpd-0.17-setguid.patch
new file mode 100644
index 000000000000..f25b2b3e4aa3
--- /dev/null
+++ b/net-ftp/ftpd/files/ftpd-0.17-setguid.patch
@@ -0,0 +1,66 @@
+--- linux-ftpd-0.17/ftpd/popen.c.bak 1999-07-16 11:12:54.000000000 +1000
++++ linux-ftpd-0.17/ftpd/popen.c 2006-08-25 13:31:33.950447078 +1000
+@@ -169,8 +169,13 @@
+ * XXX: this doesn't seem right... and shouldn't
+ * we initgroups, or at least setgroups(0,0)?
+ */
+- setgid(getegid());
+- setuid(i);
++
++/*
++ * PSz 25 Aug 06 Must check the return status of these setgid/setuid calls,
++ * see http://www.bress.net/blog/archives/34-setuid-madness.html
++ */
++ if ( setgid(geteuid()) != 0 ) _exit(1);
++ if ( setuid(i) != 0 ) _exit(1);
+
+ #ifndef __linux__
+ /*
+--- linux-ftpd-0.17/ftpd/ftpd.c.bak 2006-08-25 12:53:25.277537000 +1000
++++ linux-ftpd-0.17/ftpd/ftpd.c 2006-08-25 13:46:28.798975583 +1000
+@@ -1159,6 +1159,13 @@
+ }
+ strcpy(pw->pw_dir, "/");
+ setenv("HOME", "/", 1);
++ }
++ /* PSz 25 Aug 06 chdir for real users done after setting UID */
++ if (seteuid((uid_t)pw->pw_uid) < 0) {
++ reply(550, "Can't set uid.");
++ goto bad;
++ }
++ if (guest || dochroot) { /* do nothing, handled above */
+ } else if (chdir(pw->pw_dir) < 0) {
+ if (chdir("/") < 0) {
+ reply(530, "User %s: can't change directory to %s.",
+@@ -1167,10 +1174,7 @@
+ } else
+ lreply(230, "No directory! Logging in with home=/");
+ }
+- if (seteuid((uid_t)pw->pw_uid) < 0) {
+- reply(550, "Can't set uid.");
+- goto bad;
+- }
++
+ sigfillset(&allsigs);
+ sigprocmask(SIG_UNBLOCK,&allsigs,NULL);
+
+@@ -1408,7 +1412,8 @@
+ goto bad;
+ sleep(tries);
+ }
+- (void) seteuid((uid_t)pw->pw_uid);
++/* PSz 25 Aug 06 Check return status */
++ if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
+ sigfillset(&allsigs);
+ sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
+
+@@ -1440,7 +1445,8 @@
+ bad:
+ /* Return the real value of errno (close may change it) */
+ t = errno;
+- (void) seteuid((uid_t)pw->pw_uid);
++/* PSz 25 Aug 06 Check return status */
++ if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
+ sigfillset (&allsigs);
+ sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
+ (void) close(s);
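Review bot: In the popen.c part, the new line `if ( setgid(geteuid()) != 0 ) _exit(1);` passes the effective user ID to setgid(), whereas the line it replaces called `setgid(getegid())`. This looks like a typo introduced together with the return-value check, and it would set the child's group to the numeric value of the effective UID rather than the effective GID; I would restore `if ( setgid(getegid()) != 0 ) _exit(1);`. The XXX comment directly above still stands, since supplementary groups are not cleared before the setuid, so a checked `setgroups(0, NULL)` ahead of the setgid is worth considering if the process still holds the privilege at that point. In ftpd.c the two `if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);` paths exit without a reply or a log entry, so a syslog line before `_exit` would let an operator see why the session ended. The enclosing functions start and end outside the lines shown.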
diff --git a/net-ftp/ftpd/ftpd-0.17-r4.ebuild b/net-ftp/ftpd/ftpd-0.17-r4.ebuild
new file mode 100644
index 000000000000..824de5f3f432
--- /dev/null
+++ b/net-ftp/ftpd/ftpd-0.17-r4.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-ftp/ftpd/ftpd-0.17-r4.ebuild,v 1.1 2006/10/11 01:37:46 chriswhite Exp $
+
+inherit eutils ssl-cert
+
+DESCRIPTION="The netkit FTP server with optional SSL support"
+HOMEPAGE="http://www.hcs.harvard.edu/~dholland/computers/netkit.html"
+SRC_URI="ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/linux-${P}.tar.gz
+ mirror://gentoo/linux-${P}-ssl.patch"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ppc ~sparc ~x86"
+IUSE="ssl"
+
+DEPEND="ssl? ( dev-libs/openssl )"
+
+RDEPEND="${DEPEND}
+ virtual/inetd"
+
+S=${WORKDIR}/linux-${P}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+ use ssl && epatch "${DISTDIR}/linux-${P}-ssl.patch"
+ epatch "${FILESDIR}/${P}-shadowfix.patch"
+
+ # fixes gcc 4.1 compatibility
+ epatch "${FILESDIR}/${P}-gcc41.patch"
+
+ # setguid fix
+ epatch "${FILESDIR}"/${P}-setguid.patch
+}
+
+src_compile() {
+ ./configure --prefix=/usr || die "configure failed"
+ cp MCONFIG MCONFIG.orig
+ sed -e "s:-pipe -O2:${CFLAGS}:" MCONFIG.orig > MCONFIG
+ emake || die "parallel make failed"
+}
+
+src_install() {
+ dobin ftpd/ftpd
+ doman ftpd/ftpd.8
+ dodoc README ChangeLog
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/ftp.xinetd" ftp
+ if use ssl; then
+ insinto /etc/ssl/certs/
+ docert ftpd
+ fi
+}
+
+pkg_postinst() {
+ if use ssl; then
+ einfo "In order to start the server with SSL support"
+ einfo "You need a certificate /etc/ssl/certs/ftpd.pem."
+ einfo "A temporary certificiate has been created."
+ fi
+}
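Review bot: In src_compile the `cp MCONFIG MCONFIG.orig` and `sed -e "s:-pipe -O2:${CFLAGS}:" MCONFIG.orig > MCONFIG` steps are unchecked, so a failed copy or substitution is only noticed, if at all, when emake runs against a truncated or unmodified MCONFIG. I would add `|| die "sed MCONFIG failed"` to the sed line (and likewise to the cp), and note that the `:` delimiter breaks if CFLAGS ever contains a colon. The install helpers in src_install (`dobin`, `doman`, `newins`, `docert`) are likewise unchecked; if the helpers in this Portage version do not abort on their own, a missing binary or xinetd file would go unreported. In pkg_postinst, "certificiate" is a typo, and the message would be more useful if it told the administrator to replace the temporary certificate at /etc/ssl/certs/ftpd.pem before exposing the service.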