net-ftp/proftpd: fix mod_copy RCE, bug #690528

Also known as CVE-2019-12815.

Bug: https://bugs.gentoo.org/690528
Package-Manager: Portage-2.3.69, Repoman-2.3.16
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

2 files changed, 371 insertions, 0 deletions

diff --git a/net-ftp/proftpd/files/proftpd-1.3.6-mod_copy.patch b/net-ftp/proftpd/files/proftpd-1.3.6-mod_copy.patch
new file mode 100644
index 000000000000..40d912eb2b50
--- /dev/null
+++ b/net-ftp/proftpd/files/proftpd-1.3.6-mod_copy.patch
@@ -0,0 +1,96 @@
+https://bugs.gentoo.org/690528
+CVE-2019-12815
+
+From a73dbfe3b61459e7c2806d5162b12f0957990cb3 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj@castaglia.org>
+Date: Wed, 17 Jul 2019 09:48:39 -0700
+Subject: [PATCH] Backport of fix for Bug#4372 to the 1.3.6 branch.
+
+---
+ NEWS               |  1 +
+ contrib/mod_copy.c | 36 +++++++++++++++++++++++++++++++++---
+ 2 files changed, 34 insertions(+), 3 deletions(-)
+
+--- a/contrib/mod_copy.c
++++ b/contrib/mod_copy.c
+@@ -1,7 +1,7 @@
+ /*
+  * ProFTPD: mod_copy -- a module supporting copying of files on the server
+  *                      without transferring the data to the client and back
+- * Copyright (c) 2009-2016 TJ Saunders
++ * Copyright (c) 2009-2019 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -657,7 +657,7 @@ MODRET copy_copy(cmd_rec *cmd) {
+ MODRET copy_cpfr(cmd_rec *cmd) {
+   register unsigned int i;
+   int res;
+-  char *path = "";
++  char *cmd_name, *path = "";
+   unsigned char *authenticated = NULL;
+ 
+   if (copy_engine == FALSE) {
+@@ -705,6 +705,21 @@ MODRET copy_cpfr(cmd_rec *cmd) {
+     path = pstrcat(cmd->tmp_pool, path, *path ? " " : "", decoded_path, NULL);
+   }
+ 
++  cmd_name = cmd->argv[0];
++  pr_cmd_set_name(cmd, "SITE_CPFR");
++  if (!dir_check(cmd->tmp_pool, cmd, G_READ, path, NULL)) {
++    int xerrno = EPERM;
++
++    pr_cmd_set_name(cmd, cmd_name);
++    pr_response_add_err(R_550, "%s: %s", (char *) cmd->argv[3],
++      strerror(xerrno));
++
++    pr_cmd_set_errno(cmd, xerrno);
++    errno = xerrno;
++    return PR_ERROR(cmd);
++  }
++  pr_cmd_set_name(cmd, cmd_name);
++
+   res = pr_filter_allow_path(CURRENT_CONF, path);
+   switch (res) {
+     case 0:
+@@ -758,6 +773,7 @@ MODRET copy_cpfr(cmd_rec *cmd) {
+ MODRET copy_cpto(cmd_rec *cmd) {
+   register unsigned int i;
+   const char *from, *to = "";
++  char *cmd_name;
+   unsigned char *authenticated = NULL;
+ 
+   if (copy_engine == FALSE) {
+@@ -816,6 +832,20 @@ MODRET copy_cpto(cmd_rec *cmd) {
+ 
+   to = dir_canonical_vpath(cmd->tmp_pool, to);
+ 
++  cmd_name = cmd->argv[0];
++  pr_cmd_set_name(cmd, "SITE_CPTO");
++  if (!dir_check(cmd->tmp_pool, cmd, G_WRITE, to, NULL)) {
++    int xerrno = EPERM;
++
++    pr_cmd_set_name(cmd, cmd_name);
++    pr_response_add_err(R_550, "%s: %s", to, strerror(xerrno));
++
++    pr_cmd_set_errno(cmd, xerrno);
++    errno = xerrno;
++    return PR_ERROR(cmd);
++  }
++  pr_cmd_set_name(cmd, cmd_name);
++
+   if (copy_paths(cmd->tmp_pool, from, to) < 0) {
+     int xerrno = errno;
+     const char *err_code = R_550;
+@@ -940,7 +970,7 @@ static conftable copy_conftab[] = {
+ 
+ static cmdtable copy_cmdtab[] = {
+   { CMD, 	C_SITE, G_WRITE,	copy_copy,	FALSE,	FALSE, CL_MISC },
+-  { CMD, 	C_SITE, G_DIRS,		copy_cpfr,	FALSE,	FALSE, CL_MISC },
++  { CMD, 	C_SITE, G_READ,		copy_cpfr,	FALSE,	FALSE, CL_MISC },
+   { CMD, 	C_SITE, G_WRITE,	copy_cpto,	FALSE,	FALSE, CL_MISC },
+   { POST_CMD,	C_PASS,	G_NONE,		copy_post_pass, FALSE,	FALSE },
+   { LOG_CMD, 	C_SITE, G_NONE,		copy_log_site,	FALSE,	FALSE },
+-- 
+2.22.0
+
diff --git a/net-ftp/proftpd/proftpd-1.3.6-r5.ebuild b/net-ftp/proftpd/proftpd-1.3.6-r5.ebuild
new file mode 100644
index 000000000000..1ae8f3c9735a
--- /dev/null
+++ b/net-ftp/proftpd/proftpd-1.3.6-r5.ebuild
@@ -0,0 +1,275 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+inherit multilib systemd tmpfiles
+
+MOD_CASE="0.7"
+MOD_CLAMAV="0.11rc"
+MOD_DISKUSE="0.9"
+MOD_GSS="1.3.6"
+MOD_MSG="0.4.1"
+MOD_VROOT="0.9.4"
+
+DESCRIPTION="An advanced and very configurable FTP server"
+HOMEPAGE="http://www.proftpd.org/
+	http://www.castaglia.org/proftpd/
+	http://www.thrallingpenguin.com/resources/mod_clamav.htm
+	http://gssmod.sourceforge.net/"
+SRC_URI="ftp://ftp.proftpd.org/distrib/source/${P/_/}.tar.gz
+	case? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-case-${MOD_CASE}.tar.gz )
+	clamav? ( https://secure.thrallingpenguin.com/redmine/attachments/download/1/mod_clamav-${MOD_CLAMAV}.tar.gz )
+	diskuse? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-diskuse-${MOD_DISKUSE}.tar.gz )
+	kerberos? ( mirror://sourceforge/gssmod/mod_gss-${MOD_GSS}.tar.gz )
+	msg? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-msg-${MOD_MSG}.tar.gz )
+	vroot? ( https://github.com/Castaglia/${PN}-mod_vroot/archive/v${MOD_VROOT}.tar.gz -> mod_vroot-${MOD_VROOT}.tar.gz )"
+LICENSE="GPL-2"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+IUSE="acl authfile ban +caps case clamav copy ctrls deflate diskuse dso dynmasq exec ifsession ifversion ident ipv6
+	kerberos ldap libressl log_forensic memcache msg mysql ncurses nls pam +pcre postgres qos radius
+	ratio readme rewrite selinux sftp shaper sitemisc snmp sodium softquota sqlite ssl tcpd test unique_id vroot"
+# TODO: geoip
+REQUIRED_USE="ban? ( ctrls )
+	msg? ( ctrls )
+	sftp? ( ssl )
+	shaper? ( ctrls )
+
+	mysql? ( ssl )
+	postgres? ( ssl )
+	sqlite? ( ssl )
+"
+
+CDEPEND="acl? ( virtual/acl )
+	caps? ( sys-libs/libcap )
+	clamav? ( app-antivirus/clamav )
+	kerberos? ( virtual/krb5 )
+	ldap? ( net-nds/openldap )
+	memcache? ( >=dev-libs/libmemcached-0.41 )
+	mysql? ( dev-db/mysql-connector-c:0= )
+	nls? ( virtual/libiconv )
+	ncurses? ( sys-libs/ncurses:0= )
+	ssl? (
+		!libressl? ( dev-libs/openssl:0= )
+		libressl? ( dev-libs/libressl:= )
+	)
+	pam? ( virtual/pam )
+	pcre? ( dev-libs/libpcre )
+	postgres? ( dev-db/postgresql:= )
+	sodium? ( dev-libs/libsodium:0= )
+	sqlite? ( dev-db/sqlite:3 )
+"
+DEPEND="${CDEPEND}
+	test? ( dev-libs/check )"
+RDEPEND="${CDEPEND}
+	net-ftp/ftpbase
+	selinux? ( sec-policy/selinux-ftp )"
+
+S="${WORKDIR}/${P/_/}"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.3.6-use-trace.patch
+	"${FILESDIR}"/${PN}-1.3.6-sighup-crash.patch
+	"${FILESDIR}"/${PN}-1.3.6-mod_copy.patch
+)
+
+RESTRICT=test # tests corrupt memory. need to be fixed upstream first
+
+in_dir() {
+	pushd "${WORKDIR}/${1}" || die
+	shift
+	"$@"
+	popd
+}
+
+src_prepare() {
+	# Skip 'install-conf' / Support LINGUAS
+	sed -i -e "/install-all/s/ install-conf//" Makefile.in || die
+	sed -i -e "s/^LANGS=.*$/LANGS=${LINGUAS}/" locale/Makefile.in || die
+
+	# Prepare external modules
+	if use case; then
+		cp -v "${WORKDIR}"/mod_case/mod_case.c contrib || die
+		cp -v "${WORKDIR}"/mod_case/mod_case.html doc/contrib || die
+	fi
+
+	if use clamav ; then
+		cp -v "${WORKDIR}"/mod_clamav-${MOD_CLAMAV}/mod_clamav.{c,h} contrib || die
+		eapply "${WORKDIR}"/mod_clamav-${MOD_CLAMAV}/${PN}.patch
+	fi
+
+	if use diskuse; then
+		in_dir mod_diskuse eapply "${FILESDIR}"/${PN}-1.3.6_rc4-diskuse-refresh-api.patch
+
+		# ./configure will modify files. Symlink them instead of copying
+		ln -sv "${WORKDIR}"/mod_diskuse/mod_diskuse.h "${S}"/contrib || die
+
+		cp -v "${WORKDIR}"/mod_diskuse/mod_diskuse.c "${S}"/contrib || die
+		cp -v "${WORKDIR}"/mod_diskuse/mod_diskuse.html "${S}"/doc/contrib || die
+	fi
+
+	if use msg; then
+		in_dir mod_msg eapply "${FILESDIR}"/${PN}-1.3.6_rc4-msg-refresh-api.patch
+
+		cp -v "${WORKDIR}"/mod_msg/mod_msg.c contrib || die
+		cp -v "${WORKDIR}"/mod_msg/mod_msg.html doc/contrib || die
+	fi
+
+	if use vroot; then
+		in_dir ${PN}-mod_vroot-${MOD_VROOT} eapply "${FILESDIR}"/${PN}-1.3.6_rc4-vroot-refresh-api.patch
+
+		cp -v "${WORKDIR}"/${PN}-mod_vroot-${MOD_VROOT}/mod_vroot.c contrib || die
+		cp -v "${WORKDIR}"/${PN}-mod_vroot-${MOD_VROOT}/mod_vroot.html doc/contrib || die
+	fi
+
+	if use kerberos ; then
+		in_dir mod_gss-${MOD_GSS} eapply "${FILESDIR}"/${PN}-1.3.6_rc4-gss-refresh-api.patch
+
+		# Support app-crypt/heimdal / Gentoo Bug #284853
+		sed -i -e "s/krb5_principal2principalname/_\0/" "${WORKDIR}"/mod_gss-${MOD_GSS}/mod_auth_gss.c.in || die
+
+		# Remove obsolete DES / Gentoo Bug #324903
+		# Replace 'rpm' lookups / Gentoo Bug #391021
+		sed -i -e "/ac_gss_libs/s/ -ldes425//" \
+			-e "s/ac_libdir=\`rpm -q -l.*$/ac_libdir=\/usr\/$(get_libdir)\//" \
+			-e "s/ac_includedir=\`rpm -q -l.*$/ac_includedir=\/usr\/include\//" "${WORKDIR}"/mod_gss-${MOD_GSS}/configure{,.in}  || die
+
+		# ./configure will modify files. Symlink them instead of copying
+		ln -sv "${WORKDIR}"/mod_gss-${MOD_GSS}/mod_auth_gss.c "${S}"/contrib || die
+		ln -sv "${WORKDIR}"/mod_gss-${MOD_GSS}/mod_gss.c "${S}"/contrib || die
+		ln -sv "${WORKDIR}"/mod_gss-${MOD_GSS}/mod_gss.h "${S}"/include || die
+
+		cp -v "${WORKDIR}"/mod_gss-${MOD_GSS}/README.mod_{auth_gss,gss} "${S}" || die
+		cp -v "${WORKDIR}"/mod_gss-${MOD_GSS}/mod_gss.html "${S}"/doc/contrib || die
+		cp -v "${WORKDIR}"/mod_gss-${MOD_GSS}/rfc{1509,2228}.txt "${S}"/doc/rfc || die
+	fi
+
+	default
+}
+
+src_configure() {
+	local c m
+
+	use acl && m="${m}:mod_facl"
+	use ban && m="${m}:mod_ban"
+	use case && m="${m}:mod_case"
+	use clamav && m="${m}:mod_clamav"
+	use copy && m="${m}:mod_copy"
+	use ctrls && m="${m}:mod_ctrls_admin"
+	use deflate && m="${m}:mod_deflate"
+	if use diskuse ; then
+		in_dir mod_diskuse econf
+		m="${m}:mod_diskuse"
+	fi
+	use dynmasq && m="${m}:mod_dynmasq"
+	use exec && m="${m}:mod_exec"
+	use ifsession && m="${m}:mod_ifsession"
+	use ifversion && m="${m}:mod_ifversion"
+	if use kerberos ; then
+		in_dir mod_gss-${MOD_GSS} econf
+		m="${m}:mod_gss:mod_auth_gss"
+	fi
+	use ldap && m="${m}:mod_ldap"
+	use log_forensic && m="${m}:mod_log_forensic"
+	use msg && m="${m}:mod_msg"
+	if use mysql || use postgres || use sqlite ; then
+		m="${m}:mod_sql:mod_sql_passwd"
+		use mysql && m="${m}:mod_sql_mysql"
+		use postgres && m="${m}:mod_sql_postgres"
+		use sqlite && m="${m}:mod_sql_sqlite"
+	fi
+	use qos && m="${m}:mod_qos"
+	use radius && m="${m}:mod_radius"
+	use ratio && m="${m}:mod_ratio"
+	use readme && m="${m}:mod_readme"
+	use rewrite && m="${m}:mod_rewrite"
+	if use sftp ; then
+		m="${m}:mod_sftp"
+		use pam && m="${m}:mod_sftp_pam"
+		use mysql || use postgres || use sqlite && m="${m}:mod_sftp_sql"
+	fi
+	use shaper && m="${m}:mod_shaper"
+	use sitemisc && m="${m}:mod_site_misc"
+	use snmp && m="${m}:mod_snmp"
+	if use softquota ; then
+		m="${m}:mod_quotatab:mod_quotatab_file"
+		use ldap && m="${m}:mod_quotatab_ldap"
+		use radius && m="${m}:mod_quotatab_radius"
+		use mysql || use postgres || use sqlite && m="${m}:mod_quotatab_sql"
+	fi
+	if use ssl ; then
+		m="${m}:mod_tls:mod_tls_shmcache"
+		use memcache && m="${m}:mod_tls_memcache"
+	fi
+	if use tcpd ; then
+		m="${m}:mod_wrap2:mod_wrap2_file"
+		use mysql || use postgres || use sqlite && m="${m}:mod_wrap2_sql"
+	fi
+	use unique_id && m="${m}:mod_unique_id"
+	use vroot && m="${m}:mod_vroot"
+
+	if [[ -n ${PROFTP_CUSTOM_MODULES} ]]; then
+		einfo "Adding user-specified extra modules: '${PROFTP_CUSTOM_MODULES}'"
+		m="${m}:${PROFTP_CUSTOM_MODULES}"
+	fi
+
+	[[ -z ${m} ]] || c="${c} --with-modules=${m:1}"
+
+	econf --localstatedir=/var/run/proftpd --sysconfdir=/etc/proftpd --disable-strip \
+		$(use_enable acl facl) \
+		$(use_enable authfile auth-file) \
+		$(use_enable caps cap) \
+		$(use_enable ctrls) \
+		$(use_enable dso) \
+		$(use_enable ident) \
+		$(use_enable ipv6) \
+		$(use_enable memcache) \
+		$(use_enable ncurses) \
+		$(use_enable nls) \
+		$(use_enable ssl openssl) \
+		$(use_enable pam auth-pam) \
+		$(use_enable pcre) \
+		$(use_enable sodium) \
+		$(use_enable test tests) \
+		--enable-trace \
+		$(use_enable userland_GNU shadow) \
+		$(use_enable userland_GNU autoshadow) \
+		${c:1}
+}
+
+src_test() {
+	emake api-tests -C tests
+}
+
+src_install() {
+	default
+	[[ -z ${LINGUAS-set} ]] && rm -r "${ED}"/usr/share/locale
+	rm -rf "${ED}"/var/run
+
+	newinitd "${FILESDIR}"/proftpd.initd proftpd
+	insinto /etc/proftpd
+	doins "${FILESDIR}"/proftpd.conf.sample
+
+	insinto /etc/xinetd.d
+	newins "${FILESDIR}"/proftpd.xinetd proftpd
+
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/${PN}.logrotate ${PN}
+
+	dodoc ChangeLog CREDITS INSTALL NEWS README* RELEASE_NOTES
+
+	docinto html
+	dodoc doc/*.html doc/contrib/*.html doc/howto/*.html doc/modules/*.html
+
+	docinto rfc
+	dodoc doc/rfc/*.txt
+
+	systemd_dounit       "${FILESDIR}"/${PN}.service
+	systemd_newtmpfilesd "${FILESDIR}"/${PN}-tmpfiles.d.conf ${PN}.conf
+}
+
+pkg_postinst() {
+	# Create /var/run files at package merge time: bug #650000
+	tmpfiles_process ${PN}.conf
+}