author | Thomas Deutschmann <whissi@gentoo.org> | 2020-03-25 19:43:39 +0100 |
---|---|---|
committer | Thomas Deutschmann <whissi@gentoo.org> | 2020-03-25 19:44:01 +0100 |
commit | 21b5c196ee853f0900754eab49fee2906747f567 (patch) | |
tree | aa78d321fedea2f320199ee1b2b40646955023c0 /net-ftp | |
parent | sys-apps/heirloom-tools: remove patrick as maintainer (diff) | |
download | gentoo-21b5c196ee853f0900754eab49fee2906747f567.tar.gz gentoo-21b5c196ee853f0900754eab49fee2906747f567.tar.bz2 gentoo-21b5c196ee853f0900754eab49fee2906747f567.zip |
net-ftp/pure-ftpd: security cleanup (bug #711124)
Bug: https://bugs.gentoo.org/711124
Package-Manager: Portage-2.3.94, Repoman-2.3.21
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Diffstat (limited to 'net-ftp')
-rw-r--r-- | net-ftp/pure-ftpd/Manifest | 1 | ||||
-rw-r--r-- | net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-MAX_DATA_SIZE.patch | 22 | ||||
-rw-r--r-- | net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-TLSv1.3.patch | 46 | ||||
-rw-r--r-- | net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.1.patch | 22 | ||||
-rw-r--r-- | net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.3.patch | 21 | ||||
-rw-r--r-- | net-ftp/pure-ftpd/metadata.xml | 1 | ||||
-rw-r--r-- | net-ftp/pure-ftpd/pure-ftpd-1.0.47-r4.ebuild | 144 | ||||
-rw-r--r-- | net-ftp/pure-ftpd/pure-ftpd-1.0.49-r1.ebuild | 148 |
8 files changed, 0 insertions, 405 deletions
diff --git a/net-ftp/pure-ftpd/Manifest b/net-ftp/pure-ftpd/Manifest
index 746be8280a0a..2892703c30e0 100644
--- a/net-ftp/pure-ftpd/Manifest
+++ b/net-ftp/pure-ftpd/Manifest
@@ -1,2 +1 @@
-DIST pure-ftpd-1.0.47.tar.bz2 489177 BLAKE2B 06e71ead47b87dedf47a84e488b2de127fcd297c2e9ca7a617c2ee2760cf55b816884763721826c512558d016cbd38a87a11ca0e8c2334d93145edc6f88d9287 SHA512 c1920a3f67f04635fde600fe226a7730b801e7e64658b25f1d9f9c0b35a704664be4adfb0b291594f7e0f10beade25eae9a5e6cc3b6777a3b413f3c2d9574e63
 DIST pure-ftpd-1.0.49.tar.bz2 487958 BLAKE2B bd5f10a49b533eb6c257032659e97aa7ae16ec9402704d8ee06c92938e217b748b390ccf0e31b3640f41cb7a93f85b29c8ddcdc296f214391b1d92da9d701a7c SHA512 b44896d6fe2cda9169b1db93c5260bb892af14a173f2d25e60dd6530afe85d8e9156985609e35da7e5550dc123afb42bc5012beb9fca9011054cf0ed8b2eddef
diff --git a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-MAX_DATA_SIZE.patch b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-MAX_DATA_SIZE.patch
deleted file mode 100644
index a9ad0a30b9b6..000000000000
--- a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-MAX_DATA_SIZE.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 27a5c200f9643ce907118aad169279b3a66a9e8a Mon Sep 17 00:00:00 2001
-From: Frank Denis <github@pureftpd.org>
-Date: Sat, 4 Nov 2017 20:46:16 +0100
-Subject: [PATCH] Increase MAX_DATA_SIZE due to Argon2id requirements
----
- src/ftpd.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/ftpd.h b/src/ftpd.h
-index 1beeab8..5bb1f6b 100644
---- a/src/ftpd.h
-+++ b/src/ftpd.h
-@@ -557,7 +557,7 @@ Your platform has a very large PATH_MAX, we should not trust it.
- 
- #ifndef MAX_DATA_SIZE
- # ifdef HAVE_LIBSODIUM
--# define MAX_DATA_SIZE (40 * 1024 * 1024)
-+# define MAX_DATA_SIZE (70 * 1024 * 1024)
- # elif defined(WITH_LDAP) || defined(WITH_MYSQL) || defined(WITH_PGSQL)
- # define MAX_DATA_SIZE (16 * 1024 * 1024) /* Max memory usage - SQL/LDAP need more */
- # else
diff --git a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-TLSv1.3.patch b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-TLSv1.3.patch
deleted file mode 100644
index 65f19bf49da7..000000000000
--- a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-TLSv1.3.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 4a495c61ce22c893aed5ee57f6ce0b43c3be59ad Mon Sep 17 00:00:00 2001
-From: Frank Denis <github@pureftpd.org>
-Date: Wed, 19 Sep 2018 23:53:45 +0200
-Subject: [PATCH] TLS1.3 compatibility
-
-Fixes #94
----
- src/tls.c | 17 +++++++++++++----
- 1 file changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/src/tls.c b/src/tls.c
-index c693d3b..f383ed9 100644
---- a/src/tls.c
-+++ b/src/tls.c
-@@ -228,7 +228,16 @@ static void ssl_info_cb(const SSL *cnx, int where, int ret)
- if ((where & SSL_CB_HANDSHAKE_START) != 0) {
- if ((cnx == tls_cnx && tls_cnx_handshook != 0) ||
- (cnx == tls_data_cnx && tls_data_cnx_handshook != 0)) {
-- die(400, LOG_ERR, "TLS renegociation");
-+ const SSL_CIPHER *cipher;
-+ const char *cipher_version;
-+ if ((cipher = SSL_get_current_cipher(cnx)) == NULL ||
-+ (cipher_version = SSL_CIPHER_get_version(cipher)) == NULL) {
-+ die(400, LOG_ERR, "No cipher");
-+ }
-+ if (strcmp(cipher_version, "TLSv1.3") != 0) {
-+ die(400, LOG_ERR, "TLS renegociation");
-+ return;
-+ }
- }
- return;
- }
-@@ -264,10 +273,10 @@ int tls_init_library(void)
- OpenSSL_add_all_algorithms();
- # else
- OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
-- OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-+ OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
- OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
-- OPENSSL_INIT_ADD_ALL_DIGESTS |
-- OPENSSL_INIT_LOAD_CONFIG, NULL);
-+ OPENSSL_INIT_ADD_ALL_DIGESTS |
-+ OPENSSL_INIT_LOAD_CONFIG, NULL);
- # endif
- while (RAND_status() == 0) {
- rnd = zrand();
diff --git a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.1.patch b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.1.patch
deleted file mode 100644
index cd4532bb97ab..000000000000
--- a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.1.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From aa68b2d620ef0c83c7f52213c7e6093722b0b8bd Mon Sep 17 00:00:00 2001
-From: Frank Denis <github@pureftpd.org>
-Date: Wed, 24 Oct 2018 19:19:26 +0200
-Subject: [PATCH] Disable TLSv1_1
-
----
- src/tls.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tls.c b/src/tls.c
-index f383ed9..c4e2a1b 100644
---- a/src/tls.c
-+++ b/src/tls.c
-@@ -297,7 +297,7 @@ int tls_init_library(void)
- SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1);
- # endif
- # ifdef SSL_OP_NO_TLSv1_1
-- SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_1);
-+ SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_1);
- # endif
- # ifdef SSL_OP_NO_TLSv1_2
- SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);
diff --git a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.3.patch b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.3.patch
deleted file mode 100644
index cbe9c8bdcb8f..000000000000
--- a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.3.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Temporarily disable TLSv1.3 support
-
-Disable TLSv1.3 until support for it is fixed in pure-ftpd. This is a
-workaround for the following issue:
-https://github.com/jedisct1/pure-ftpd/issues/102
-
---- a/src/tls.c
-+++ b/src/tls.c
-@@ -301,6 +301,10 @@ int tls_init_library(void)
- # endif
- # ifdef SSL_OP_NO_TLSv1_2
- SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);
-+# endif
-+ /* Disable TLSv1.3 support until it works properly in pure-ftpd */
-+# ifdef SSL_OP_NO_TLSv1_3
-+ SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_3);
- # endif
- if (tlsciphersuite != NULL) {
- if (SSL_CTX_set_cipher_list(tls_ctx, tlsciphersuite) != 1) {
--- 
-2.20.1
diff --git a/net-ftp/pure-ftpd/metadata.xml b/net-ftp/pure-ftpd/metadata.xml
index 5ee42de87aec..35a922921783 100644
--- a/net-ftp/pure-ftpd/metadata.xml
+++ b/net-ftp/pure-ftpd/metadata.xml
@@ -11,7 +11,6 @@
 <flag name="anonperm">Permit anonymous to change file permissions</flag>
 <flag name="anonren">Permit anonymous to rename files</flag>
 <flag name="anonres">Permit anonymous to resume file transfers</flag>
- <flag name="charconv">Enables charset conversion</flag>
 <flag name="implicittls">Enable TLS on Port 990</flag>
 <flag name="noiplog">Disables logging of IP addresses</flag>
 <flag name="paranoidmsg">Display paranoid messages instead of normal
diff --git a/net-ftp/pure-ftpd/pure-ftpd-1.0.47-r4.ebuild b/net-ftp/pure-ftpd/pure-ftpd-1.0.47-r4.ebuild
deleted file mode 100644
index de299a33183d..000000000000
--- a/net-ftp/pure-ftpd/pure-ftpd-1.0.47-r4.ebuild
+++ /dev/null
@@ -1,144 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit flag-o-matic
-
-KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ia64 ppc ppc64 sparc x86"
-
-DESCRIPTION="Fast, production-quality, standard-conformant FTP server"
-HOMEPAGE="http://www.pureftpd.org/"
-SRC_URI="ftp://ftp.pureftpd.org/pub/${PN}/releases/${P}.tar.bz2
- http://download.pureftpd.org/pub/${PN}/releases/${P}.tar.bz2"
-
-LICENSE="BSD"
-SLOT="0"
-
-IUSE="anondel anonperm anonren anonres caps charconv implicittls ldap libressl mysql noiplog pam paranoidmsg postgres resolveids selinux ssl sysquota vchroot xinetd"
-
-REQUIRED_USE="implicittls? ( ssl )"
-
-DEPEND="caps? ( sys-libs/libcap )
- charconv? ( virtual/libiconv )
- ldap? ( >=net-nds/openldap-2.0.25 )
- mysql? ( || (
- dev-db/mariadb-connector-c
- dev-db/mysql-connector-c
- ) )
- pam? ( sys-libs/pam )
- postgres? ( dev-db/postgresql:= )
- ssl? (
- !libressl? ( >=dev-libs/openssl-0.9.6g:0=[-bindist] )
- libressl? ( dev-libs/libressl:= )
- )
- sysquota? ( sys-fs/quota[-rpc] )
- xinetd? ( virtual/inetd )"
-
-RDEPEND="${DEPEND}
- dev-libs/libsodium:=
- net-ftp/ftpbase
- selinux? ( sec-policy/selinux-ftp )"
-
-PATCHES=(
- "${FILESDIR}/${PN}-1.0.28-pam.patch"
- "${FILESDIR}/${PN}-1.0.47-MAX_DATA_SIZE.patch"
- "${FILESDIR}/${PN}-1.0.47-TLSv1.3.patch"
- "${FILESDIR}/${PN}-1.0.47-disable-TLSv1.3.patch"
- "${FILESDIR}/${PN}-1.0.47-disable-TLSv1.1.patch"
-)
-
-src_configure() {
- # adjust max user length to something more appropriate
- # for virtual hosts. See bug #62472 for details.
- sed -e "s:# define MAX_USER_LENGTH 32U:# define MAX_USER_LENGTH 127U:" \
- -i "${S}/src/ftpd.h" || die "sed failed"
-
- # Those features are only configurable like this, see bug #179375.
- use anondel && append-cppflags -DANON_CAN_DELETE
- use anonperm && append-cppflags -DANON_CAN_CHANGE_PERMS
- use anonren && append-cppflags -DANON_CAN_RENAME
- use anonres && append-cppflags -DANON_CAN_RESUME
- use resolveids && append-cppflags -DALWAYS_RESOLVE_IDS
-
- # Do not auto-use SSP -- let the user select this.
- export ax_cv_check_cflags___fstack_protector_all=no
-
- local myeconfargs=(
- --enable-largefile
- --with-altlog
- --with-cookie
- --with-diraliases
- --with-extauth
- --with-ftpwho
- --with-language=${PUREFTPD_LANG:=english}
- --with-peruserlimits
- --with-privsep
- --with-puredb
- --with-quotas
- --with-ratios
- --with-throttling
- --with-uploadscript
- --with-virtualhosts
- $(use_with charconv rfc2640)
- $(use_with ldap)
- $(use_with mysql)
- $(use_with pam)
- $(use_with paranoidmsg)
- $(use_with postgres pgsql)
- $(use_with ssl tls)
- $(use_with implicittls)
- $(use_with vchroot virtualchroot)
- $(use_with sysquota sysquotas)
- $(usex caps '' '--without-capabilities')
- $(usex noiplog '--without-iplogging' '')
- $(usex xinetd '' '--without-inetd')
- )
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- local DOCS=( AUTHORS CONTACT ChangeLog FAQ HISTORY INSTALL README* NEWS )
-
- default
-
- newinitd "${FILESDIR}/pure-ftpd.rc11" ${PN}
- newconfd "${FILESDIR}/pure-ftpd.conf_d-3" ${PN}
-
- if use implicittls ; then
- sed -i '/^SERVER/s@21@990@' "${ED}"/etc/conf.d/${PN} \
- || die "Adjusting default server port for implicittls usage failed!"
- fi
-
- keepdir /var/lib/run/${PN}
-
- if use xinetd ; then
- insinto /etc/xinetd.d
- newins "${FILESDIR}/pure-ftpd.xinetd" ${PN}
- fi
-
- if use ldap ; then
- insinto /etc/openldap/schema
- doins pureftpd.schema
- insinto /etc/openldap
- insopts -m 0600
- doins pureftpd-ldap.conf
- fi
-}
-
-pkg_postinst() {
- if [[ -z "${REPLACING_VERSIONS}" ]]; then
- # This is a new installation
- elog
- elog "Before starting Pure-FTPd, you have to edit the /etc/conf.d/pure-ftpd file!"
- elog
- ewarn "It's *really* important to read the README provided with Pure-FTPd!"
- ewarn "Check out http://download.pureftpd.org/pub/pure-ftpd/doc/README for general info"
- ewarn "and http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS for SSL/TLS info."
- ewarn
- if use charconv ; then
- ewarn "Charset conversion is an *experimental* feature!"
- ewarn "Remember to set a valid charset for your filesystem in the configuration!"
- fi
- fi
-}
diff --git a/net-ftp/pure-ftpd/pure-ftpd-1.0.49-r1.ebuild b/net-ftp/pure-ftpd/pure-ftpd-1.0.49-r1.ebuild
deleted file mode 100644
index d1be10cc99f1..000000000000
--- a/net-ftp/pure-ftpd/pure-ftpd-1.0.49-r1.ebuild
+++ /dev/null
@@ -1,148 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit flag-o-matic
-
-DESCRIPTION="Fast, production-quality, standard-conformant FTP server"
-HOMEPAGE="http://www.pureftpd.org/"
-if [[ "${PV}" == 9999 ]] ; then
- inherit autotools git-r3
- EGIT_REPO_URI="https://github.com/jedisct1/pure-ftpd.git"
-else
- SRC_URI="ftp://ftp.pureftpd.org/pub/${PN}/releases/${P}.tar.bz2
- http://download.pureftpd.org/pub/${PN}/releases/${P}.tar.bz2"
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
-fi
-
-LICENSE="BSD"
-SLOT="0"
-
-IUSE="anondel anonperm anonren anonres caps implicittls ldap libressl mysql noiplog pam paranoidmsg postgres resolveids selinux ssl sysquota vchroot xinetd"
-
-REQUIRED_USE="implicittls? ( ssl )"
-
-DEPEND="caps? ( sys-libs/libcap )
- ldap? ( >=net-nds/openldap-2.0.25 )
- mysql? ( || (
- dev-db/mariadb-connector-c
- dev-db/mysql-connector-c
- ) )
- pam? ( sys-libs/pam )
- postgres? ( dev-db/postgresql:= )
- ssl? (
- !libressl? ( >=dev-libs/openssl-0.9.6g:0=[-bindist] )
- libressl? ( dev-libs/libressl:= )
- )
- sysquota? ( sys-fs/quota[-rpc] )
- xinetd? ( virtual/inetd )"
-
-RDEPEND="${DEPEND}
- dev-libs/libsodium:=
- net-ftp/ftpbase
- selinux? ( sec-policy/selinux-ftp )"
-
-PATCHES=(
- "${FILESDIR}/${PN}-1.0.28-pam.patch"
-)
-
-src_prepare() {
- default
- [[ "${PV}" == 9999 ]] && eautoreconf
-}
-
-src_configure() {
- # adjust max user length to something more appropriate
- # for virtual hosts. See bug #62472 for details.
- sed -e "s:# define MAX_USER_LENGTH 32U:# define MAX_USER_LENGTH 127U:" \
- -i "${S}/src/ftpd.h" || die "sed failed"
-
- # Those features are only configurable like this, see bug #179375.
- use anondel && append-cppflags -DANON_CAN_DELETE
- use anonperm && append-cppflags -DANON_CAN_CHANGE_PERMS
- use anonren && append-cppflags -DANON_CAN_RENAME
- use anonres && append-cppflags -DANON_CAN_RESUME
- use resolveids && append-cppflags -DALWAYS_RESOLVE_IDS
-
- # Do not auto-use SSP -- let the user select this.
- export ax_cv_check_cflags___fstack_protector_all=no
-
- local myeconfargs=(
- --enable-largefile
- # Required for correct pid file location.
- # pure-ftpd appends "/run/pure-ftpd.pid" to the localstatedir
- # path, and tries to write to that file even when being
- # started in foreground. So we need to pin this to /
- --localstatedir="${EPREFIX}"/
- --with-altlog
- --with-cookie
- --with-diraliases
- --with-extauth
- --with-ftpwho
- --with-language=${PUREFTPD_LANG:=english}
- --with-peruserlimits
- --with-privsep
- --with-puredb
- --with-quotas
- --with-ratios
- --with-throttling
- --with-uploadscript
- --with-virtualhosts
- $(use_with ldap)
- $(use_with mysql)
- $(use_with pam)
- $(use_with paranoidmsg)
- $(use_with postgres pgsql)
- $(use_with ssl tls)
- $(use_with implicittls)
- $(use_with vchroot virtualchroot)
- $(use_with sysquota sysquotas)
- $(usex caps '' '--without-capabilities')
- $(usex noiplog '--without-iplogging' '')
- $(usex xinetd '' '--without-inetd')
- )
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- local DOCS=( AUTHORS ChangeLog FAQ HISTORY README* NEWS )
-
- default
-
- newinitd "${FILESDIR}/pure-ftpd.rc11" ${PN}
- newconfd "${FILESDIR}/pure-ftpd.conf_d-3" ${PN}
-
- if use implicittls ; then
- sed -i '/^SERVER/s@21@990@' "${ED}"/etc/conf.d/${PN} \
- || die "Adjusting default server port for implicittls usage failed!"
- fi
-
- keepdir /var/lib/run/${PN}
-
- if use xinetd ; then
- insinto /etc/xinetd.d
- newins "${FILESDIR}/pure-ftpd.xinetd" ${PN}
- fi
-
- if use ldap ; then
- insinto /etc/openldap/schema
- doins pureftpd.schema
- insinto /etc/openldap
- insopts -m 0600
- doins pureftpd-ldap.conf
- fi
-}
-
-pkg_postinst() {
- if [[ -z "${REPLACING_VERSIONS}" ]]; then
- # This is a new installation
- elog
- elog "Before starting Pure-FTPd, you have to edit the /etc/conf.d/pure-ftpd file!"
- elog
- ewarn "It's *really* important to read the README provided with Pure-FTPd!"
- ewarn "Check out http://download.pureftpd.org/pub/pure-ftpd/doc/README for general info"
- ewarn "and http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS for SSL/TLS info."
- ewarn
- fi
-} |