author | Luca Longinotti <chtekk@gentoo.org> | 2006-11-28 17:06:14 +0000 |
---|---|---|
committer | Luca Longinotti <chtekk@gentoo.org> | 2006-11-28 17:06:14 +0000 |
commit | 4214e21e5d762cdbb0dcde7aaa31a80fdb6e23a1 (patch) | |
tree | da6e99bb36bed79b245512a534253bd278128948 /net-ftp | |
parent | Updated homepage. (diff) | |
Fix security bugs #156503 and #154650. Update mod_shaper to 0.6.2.
(Portage version: 2.1.2_rc2-r2)
Diffstat (limited to 'net-ftp')
-rw-r--r-- | net-ftp/proftpd/ChangeLog | 9 | ||||
-rw-r--r-- | net-ftp/proftpd/files/digest-proftpd-1.3.0a | 15 | ||||
-rw-r--r-- | net-ftp/proftpd/files/proftpd-1.3.0-main_commandbuf.patch | 45 | ||||
-rw-r--r-- | net-ftp/proftpd/files/proftpd-1.3.0-mod_tls_overflow.patch | 11 | ||||
-rw-r--r-- | net-ftp/proftpd/proftpd-1.3.0a.ebuild | 218 |
5 files changed, 297 insertions, 1 deletions
diff --git a/net-ftp/proftpd/ChangeLog b/net-ftp/proftpd/ChangeLog index 8672665bdbf0..aa59c1f94fb4 100644 --- a/net-ftp/proftpd/ChangeLog +++ b/net-ftp/proftpd/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for net-ftp/proftpd # Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-ftp/proftpd/ChangeLog,v 1.129 2006/11/23 16:45:27 vivo Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-ftp/proftpd/ChangeLog,v 1.130 2006/11/28 17:06:14 chtekk Exp $ + +*proftpd-1.3.0a (28 Nov 2006) + + 28 Nov 2006; Luca Longinotti <chtekk@gentoo.org> + +files/proftpd-1.3.0-main_commandbuf.patch, + +files/proftpd-1.3.0-mod_tls_overflow.patch, +proftpd-1.3.0a.ebuild: + Fix security bugs #156503 and #154650. Update mod_shaper to 0.6.2. 23 Nov 2006; Francesco Riosa <vivo@gentoo.org> proftpd-1.2.10-r7.ebuild, proftpd-1.3.0-r1.ebuild, proftpd-1.3.0-r2.ebuild: diff --git a/net-ftp/proftpd/files/digest-proftpd-1.3.0a b/net-ftp/proftpd/files/digest-proftpd-1.3.0a new file mode 100644 index 000000000000..90a2c2c8cbc8 --- /dev/null +++ b/net-ftp/proftpd/files/digest-proftpd-1.3.0a 
@@ -0,0 +1,15 @@
+MD5 da279361d5a34b37ce1f64d3830c4c17 mod_clamav_new.c 7399
+RMD160 ae4de6385245a3c79d3c54bb7af9d2fe45a59feb mod_clamav_new.c 7399
+SHA256 a5a3860c73c8bc3781516cbc912d7736517a92a15a6fd8352eeed638bcce60c1 mod_clamav_new.c 7399
+MD5 098551feed28f069ef01e77af88d55dc mod_clamav_new.html 4645
+RMD160 bc853541e6859e7929c0ed9b01b8f220e09b8ca2 mod_clamav_new.html 4645
+SHA256 ac0ab5f44cfc6c8118664c2a7300450486f52fb3bcde332b4bb9c506dd765a1e mod_clamav_new.html 4645
+MD5 cc2e99f38a810982f91d5cbe1f4091f0 proftpd-1.3.0a.tar.bz2 1386956
+RMD160 406998669e798e1af253fd822d4d09dbeb75c98a proftpd-1.3.0a.tar.bz2 1386956
+SHA256 02f614586ff692a67299510064100b0537fd53b4ed0d238d7aaa5b723bf7a0aa proftpd-1.3.0a.tar.bz2 1386956
+MD5 74fbdcac94cde09c67bc033e22324c8c proftpd-mod-shaper-0.6.2.tar.gz 19002
+RMD160 3d1fdb82596672c9177009ebb30459a017e74c53 proftpd-mod-shaper-0.6.2.tar.gz 19002
+SHA256 59f39bca40462c3bba20feb7be031d7453c366adb4b7fa6d8f50974eb45ae99e proftpd-mod-shaper-0.6.2.tar.gz 19002
+MD5 bafd6c9ecfdf352641465b866be12f27 proftpd-mod-vroot-0.7.1.tar.gz 5613
+RMD160 b9677793f7cf6075467d7f41e4b8a9dfef89a847 proftpd-mod-vroot-0.7.1.tar.gz 5613
+SHA256 30d58c326bb30c080048662db0c4ffaf28f478fce40452c0c3c217cb5d2124e1 proftpd-mod-vroot-0.7.1.tar.gz 5613
diff --git a/net-ftp/proftpd/files/proftpd-1.3.0-main_commandbuf.patch b/net-ftp/proftpd/files/proftpd-1.3.0-main_commandbuf.patch
new file mode 100644
index 000000000000..c770a60fb42f
--- /dev/null
+++ b/net-ftp/proftpd/files/proftpd-1.3.0-main_commandbuf.patch
@@ -0,0 +1,45 @@
+--- src/main.c 2006/09/29 16:38:16 1.292
++++ src/main.c 2006/11/17 23:42:04 1.294
+@@ -116,5 +116,7 @@
+
+ static char sbuf[PR_TUNABLE_BUFFER_SIZE] = {'\0'};
+
++#define PR_DEFAULT_CMD_BUFSZ 512
++
+ static char **Argv = NULL;
+ static char *LastArgv = NULL;
+@@ -832,16 +834,25 @@
+ pr_timer_reset(TIMER_IDLE, NULL);
+
+ if (cmd_buf_size == -1) {
+- long *buf_size = get_param_ptr(main_server->conf,
+- "CommandBufferSize", FALSE);
+-
+- if (buf_size == NULL || *buf_size <= 0)
+- cmd_buf_size = 512;
++ int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize", FALSE);
++ if (bufsz == NULL) {
++ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++
++ } else if (*bufsz <= 0) {
++ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
++ "given, using default buffer size (%u) instead",
++ *bufsz, PR_DEFAULT_CMD_BUFSZ);
++ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++
++ } else if (*bufsz + 1 > sizeof(buf)) {
++ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
++ "given, using default buffer size (%u) instead",
++ *bufsz, PR_DEFAULT_CMD_BUFSZ);
++ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
+
+- else if (*buf_size + 1 > sizeof(buf)) {
+- pr_log_pri(PR_LOG_WARNING, "Invalid CommandBufferSize size given. "
+- "Resetting to 512.");
+- cmd_buf_size = 512;
++ } else {
++ pr_log_debug(DEBUG1, "setting CommandBufferSize to %d", *bufsz);
++ cmd_buf_size = (long) *bufsz;
+ }
+ }
+
diff --git a/net-ftp/proftpd/files/proftpd-1.3.0-mod_tls_overflow.patch b/net-ftp/proftpd/files/proftpd-1.3.0-mod_tls_overflow.patch
new file mode 100644
index 000000000000..56dfd9b9011b
--- /dev/null
+++ b/net-ftp/proftpd/files/proftpd-1.3.0-mod_tls_overflow.patch
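Review bot: The switch from `long *` to `int *` for the `CommandBufferSize` lookup in the second inner hunk is only correct if the directive handler stores an `int`; that handler is not part of this patch, so confirm the stored type matches, because a mismatch would make the `<= 0` and `sizeof(buf)` checks run on a misread value. The two warning calls also pass `PR_DEFAULT_CMD_BUFSZ` (plain `512`, an int) to `%u`; use `%d` there or define the constant as `512U`. The `<= 0` and too-large branches are identical and could be merged into `} else if (*bufsz <= 0 || (size_t) *bufsz + 1 > sizeof(buf)) {`, which also keeps the `+ 1` out of signed arithmetic. The enclosing function starts and ends outside the hunk, so the declaration of `buf` is not visible here.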
@@ -0,0 +1,11 @@
+--- contrib/mod_tls.c 2005-11-08 18:59:49 +0100
++++ contrib/mod_tls.c 2006-11-15 17:54:43 +0100
+@@ -2421,6 +2421,8 @@
+ datalen = BIO_get_mem_data(mem, &data);
+
+ if (data) {
++ if (datalen > sizeof(buf)-1)
++ datalen = sizeof(buf)-1;
+ memset(&buf, '\0', sizeof(buf));
+ memcpy(buf, data, datalen);
+ buf[datalen] = '\0';
diff --git a/net-ftp/proftpd/proftpd-1.3.0a.ebuild b/net-ftp/proftpd/proftpd-1.3.0a.ebuild
new file mode 100644
index 000000000000..a27ca571d787
--- /dev/null
+++ b/net-ftp/proftpd/proftpd-1.3.0a.ebuild
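Review bot: The added clamp inside `if (data)` compares `datalen` with `sizeof(buf)-1` as an unsigned value, so if `datalen` is signed (BIO_get_mem_data() returns a long) a negative result is turned into a full-size copy instead of being rejected. The write stays inside `buf`, but `memcpy` may then read past the end of the BIO data; handle that case explicitly with `if (datalen < 0) datalen = 0;` before the clamp. The truncation is also silent, so any later code that logs or compares this string works on a shortened value without knowing it; a log line when the clamp fires would make that visible. The declarations of `buf` and `datalen` are outside the hunk, so their types should be confirmed against the full function.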
@@ -0,0 +1,218 @@ +# Copyright 1999-2006 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-ftp/proftpd/proftpd-1.3.0a.ebuild,v 1.1 2006/11/28 17:06:14 chtekk Exp $ + +inherit eutils flag-o-matic toolchain-funcs + +KEYWORDS="~alpha ~amd64 ~hppa ~ppc ~ppc64 ~sparc ~x86" + +IUSE="acl authfile clamav hardened ifsession ipv6 ldap mysql ncurses noauthunix opensslcrypt pam postgres radius rewrite selinux shaper sitemisc softquota ssl tcpd vroot xinetd" + +SHAPER_VER="0.6.2" +VROOT_VER="0.7.1" + +DESCRIPTION="An advanced and very configurable FTP server." +SRC_URI="ftp://ftp.proftpd.org/distrib/source/${P}.tar.bz2 + clamav? ( http://www.uglyboxindustries.com/mod_clamav_new.c http://www.uglyboxindustries.com/mod_clamav_new.html ) + shaper? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-shaper-${SHAPER_VER}.tar.gz ) + vroot? ( http://www.castaglia.org/${PN}/modules/${PN}-mod-vroot-${VROOT_VER}.tar.gz )" +HOMEPAGE="http://www.proftpd.org/ + http://www.castaglia.org/proftpd/ + http://www.uglyboxindustries.com/open-source.php" + +SLOT="0" +LICENSE="GPL-2" + +DEPEND="acl? ( sys-apps/acl sys-apps/attr ) + clamav? ( app-antivirus/clamav ) + ldap? ( >=net-nds/openldap-1.2.11 ) + mysql? ( virtual/mysql ) + ncurses? ( sys-libs/ncurses ) + opensslcrypt? ( >=dev-libs/openssl-0.9.6f ) + pam? ( virtual/pam ) + postgres? ( >=dev-db/postgresql-7.3 ) + ssl? ( >=dev-libs/openssl-0.9.6f ) + tcpd? ( >=sys-apps/tcp-wrappers-7.6-r3 ) + xinetd? ( sys-apps/xinetd )" + +RDEPEND="${DEPEND} + net-ftp/ftpbase + selinux? 
( sec-policy/selinux-ftpd )" + +pkg_setup() { + # Add the proftpd user to make the default config + # work out-of-the-box + enewgroup proftpd + enewuser proftpd -1 -1 -1 proftpd +} + +src_unpack() { + unpack ${P}.tar.bz2 + + cd "${S}" + + # Fix stripping of files + sed -e "s| @INSTALL_STRIP@||g" -i Make* + + # Fix bug #147654, patch by upstream + epatch "${FILESDIR}/${PN}-1.3.0-mod_ctrls_sighup.patch" + + # Fix bug #156503, patch by OpenPKG + epatch "${FILESDIR}/${PN}-1.3.0-mod_tls_overflow.patch" + + # Fix bug #154650, patch by upstream + epatch "${FILESDIR}/${PN}-1.3.0-main_commandbuf.patch" + + # Fix bug in SQL/MySQL module + epatch "${FILESDIR}/${PN}-1.3.0-mod_sql_mysql.patch" + + if use shaper ; then + unpack ${PN}-mod-shaper-${SHAPER_VER}.tar.gz + cp -f mod_shaper/mod_shaper.c contrib/ + fi + + if use clamav ; then + cp -f "${DISTDIR}/mod_clamav_new.c" contrib/mod_clamav.c + cp -f "${DISTDIR}/mod_clamav_new.html" doc/mod_clamav.html + fi + + if use vroot ; then + unpack ${PN}-mod-vroot-${VROOT_VER}.tar.gz + cp -f mod_vroot/mod_vroot.c contrib/ + cp -f mod_vroot/mod_vroot.html doc/ + fi +} + +src_compile() { + addpredict /etc/krb5.conf + local modules myconf + + modules="mod_ratio:mod_readme" + use acl && modules="${modules}:mod_facl" + use clamav && modules="${modules}:mod_clamav" + use pam && modules="${modules}:mod_auth_pam" + use radius && modules="${modules}:mod_radius" + use rewrite && modules="${modules}:mod_rewrite" + use shaper && modules="${modules}:mod_shaper" + use sitemisc && modules="${modules}:mod_site_misc" + use ssl && modules="${modules}:mod_tls" + use tcpd && modules="${modules}:mod_wrap" + use vroot && modules="${modules}:mod_vroot" + + # pam needs to be explicitely disabled + use pam || myconf="${myconf} --enable-auth-pam=no" + + if use ldap ; then + modules="${modules}:mod_ldap" + append-ldflags "-lresolv" + fi + + if use opensslcrypt ; then + append-ldflags "-lcrypto" + myconf="${myconf} --with-includes=/usr/include/openssl" + 
CFLAGS="${CFLAGS} -DHAVE_OPENSSL" + fi + + if use mysql && use postgres ; then + ewarn "ProFTPD only supports either the MySQL or PostgreSQL modules." + ewarn "Presently this ebuild defaults to mysql. If you would like to" + ewarn "change the default behaviour, merge ProFTPD with:" + ewarn "USE='-mysql postgres' emerge proftpd" + epause 5 + fi + + if use mysql ; then + modules="${modules}:mod_sql:mod_sql_mysql" + myconf="${myconf} --with-includes=/usr/include/mysql" + elif use postgres ; then + modules="${modules}:mod_sql:mod_sql_postgres" + myconf="${myconf} --with-includes=/usr/include/postgresql" + fi + + if use softquota ; then + modules="${modules}:mod_quotatab" + if use mysql || use postgres ; then + modules="${modules}:mod_quotatab_sql" + fi + if use ldap ; then + modules="${modules}:mod_quotatab_file:mod_quotatab_ldap" + else + modules="${modules}:mod_quotatab_file" + fi + fi + + # mod_ifsession should be the last module in the --with-modules list + # see http://www.castaglia.org/proftpd/modules/mod_ifsession.html#Installation + use ifsession && modules="${modules}:mod_ifsession" + + # bug #30359 + use hardened && echo > lib/libcap/cap_sys.c + gcc-specs-pie && echo > lib/libcap/cap_sys.c + + if use noauthunix ; then + myconf="${myconf} --disable-auth-unix" + else + myconf="${myconf} --enable-auth-unix" + fi + + econf \ + --sbindir=/usr/sbin \ + --localstatedir=/var/run \ + --sysconfdir=/etc/proftpd \ + --enable-shadow \ + --enable-autoshadow \ + --enable-ctrls \ + --with-modules=${modules} \ + $(use_enable acl facl) \ + $(use_enable authfile auth-file) \ + $(use_enable ipv6) \ + $(use_enable ncurses) \ + ${myconf} || die "econf failed" + + emake || die "emake failed" +} + +src_install() { + # Note rundir needs to be specified to avoid sandbox violation + # on initial install. 
See Make.rules + emake DESTDIR="${D}" install || die "emake install failed" + + keepdir /var/run/proftpd + + dodoc "${FILESDIR}/proftpd.conf" \ + COPYING CREDITS ChangeLog NEWS README* \ + doc/license.txt + dohtml doc/*.html + + use shaper && dohtml mod_shaper/mod_shaper.html + + docinto rfc + dodoc doc/rfc/*.txt + + mv -f "${D}/etc/proftpd/proftpd.conf" "${D}/etc/proftpd/proftpd.conf.distrib" + + insinto /etc/proftpd + newins "${FILESDIR}/proftpd.conf" proftpd.conf.sample + + if use xinetd ; then + insinto /etc/xinetd.d + newins "${FILESDIR}/proftpd.xinetd" proftpd + fi + + newinitd "${FILESDIR}/proftpd.rc6" proftpd +} + +pkg_postinst() { + einfo + einfo "You can find the config files in /etc/proftpd" + einfo + ewarn "With the introduction of net-ftp/ftpbase the ftp user is now ftp." + ewarn "Remember to change that in the configuration file." + einfo + if use clamav ; then + ewarn "mod_clamav was updated to a new version, which uses Clamd" + ewarn "only for virus scanning, so you'll have to set Clamd up" + ewarn "and start it, also re-check the mod_clamav docs." + einfo + fi +} |
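Review bot: The `clamav?` entries in `SRC_URI` fetch `mod_clamav_new.c` and `mod_clamav_new.html` under unversioned names over plain http, and `src_unpack` copies the `.c` file straight into `contrib/` to be compiled into the daemon. The digest entries added in this commit pin the content, so a changed upstream file fails verification rather than being built, but the ebuild then breaks with no record of which release was intended. A versioned file name, as the shaper and vroot tarballs have through `${SHAPER_VER}` and `${VROOT_VER}`, would keep the pin meaningful over time. Separately, `--with-modules=${modules}` in `src_compile` is better written quoted, `--with-modules="${modules}"`.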