vsftpd-alt: update to 3.0.5 (#7720)

package/lean/vsftpd-alt/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=vsftpd-alt
-PKG_VERSION:=3.0.3
-PKG_RELEASE:=7
+PKG_VERSION:=3.0.5
+PKG_RELEASE:=1
 
 PKG_SOURCE:=vsftpd-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://security.appspot.com/downloads/
-PKG_MD5SUM:=da119d084bd3f98664636ea05b5bb398
+PKG_HASH:=26b602ae454b0ba6d99ef44a09b6b9e0dfa7f67228106736df1f278c70bc91d3
 PKG_LICENSE:=GPLv2
 
 BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
@@ -32,21 +32,18 @@ define Package/vsftpd-alt/Default
   #+PACKAGE_libpam:libpam 
 endef
 
+TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto
+TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed,--no-undefined,--no-allow-shlib-undefined
+
 define Package/vsftpd-alt/conffiles
 /etc/vsftpd.conf
 endef
 
-#EXTRA_LDFLAGS:= -lcrypt -lcrypto -lssl
-
 define Package/vsftpd-alt/config
 config VSFTPD_USE_UCI_SCRIPTS
 	bool "Uses UCI scripts"
 	depends on PACKAGE_vsftpd-alt
 	default y
-#config VSFTPD_ENABLE_AIO
-#	bool "Enable async I/O (Currently Buggy)"
-#	depends on PACKAGE_vsftpd-alt
-#	default n
 endef
 
 ifneq ($(CONFIG_USE_MUSL),)
@@ -57,23 +54,9 @@ endif
 
 TARGET_CFLAGS += -D_GNU_SOURCE -include fcntl.h
 
-#ifdef CONFIG_PACKAGE_libpam
-#  EXTRA_LDFLAGS += -lpam
-#endif
-
-#ifeq ($(CONFIG_VSFTPD_ENABLE_AIO),y)
-#define Package/vsftpd-alt
-#$(call Package/vsftpd-alt/Default)
-#  DEPENDS=+PACKAGE_libpam:libpam +libopenssl +libuci +libaio
-#endef
-#  EXTRA_LDFLAGS += -laio
-#  EXTRA_CFLAGS += -DVSFTPD_ASYNC_IO
-#else
 define Package/vsftpd-alt
 $(call Package/vsftpd-alt/Default)
 endef
-#endif
-
 
 define Build/Compile
 	$(SED) 's/-lcrypt -lnsl/$(NLSSTRING)/' $(PKG_BUILD_DIR)/Makefile

package/lean/vsftpd-alt/patches/001-destdir.patch

@@ -1,6 +1,6 @@
 --- a/Makefile
 +++ b/Makefile
-@@ -22,6 +22,8 @@ OBJS	=	main.o utility.o prelogin.o ftpcm
+@@ -22,6 +22,8 @@ OBJS	=	main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
      seccompsandbox.o
  
  

package/lean/vsftpd-alt/patches/002-find_libs.patch

@@ -1,6 +1,6 @@
 --- a/Makefile
 +++ b/Makefile
-@@ -8,8 +8,8 @@ CFLAGS	=	-O2 -fPIE -fstack-protector --p
+@@ -8,8 +8,8 @@ CFLAGS	=	-O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
  	-D_FORTIFY_SOURCE=2 \
  	#-pedantic -Wconversion
  

package/lean/vsftpd-alt/patches/003-chroot.patch

@@ -1,6 +1,6 @@
 --- a/tunables.c
 +++ b/tunables.c
-@@ -254,7 +254,7 @@ tunables_load_defaults()
+@@ -261,7 +261,7 @@ tunables_load_defaults()
    /* -rw------- */
    tunable_chown_upload_mode = 0600;
  

package/lean/vsftpd-alt/patches/007-CVE-2015-1419.patch

@@ -1,10 +1,3 @@
-Description: CVE-2015-1419: config option deny_file is not handled correctly
-Author: Marcus Meissner <meissner@suse.com>
-Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922
-Last-Update: 2015-02-24
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 --- a/ls.c
 +++ b/ls.c
 @@ -7,6 +7,7 @@
@@ -15,7 +8,7 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
  #include "ls.h"
  #include "access.h"
  #include "defs.h"
-@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
+@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
    struct mystr temp_str = INIT_MYSTR;
    struct mystr brace_list_str = INIT_MYSTR;
    struct mystr new_filter_str = INIT_MYSTR;
@@ -59,7 +52,7 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
  
    while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
    {
-@@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct
+@@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str,
      ret = 0;
    }
  out:
@@ -71,7 +64,7 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
    str_free(&temp_str);
 --- a/str.c
 +++ b/str.c
-@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_
+@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_str, char new_char)
    }
  }
  
@@ -88,7 +81,7 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 +}
 --- a/str.h
 +++ b/str.h
-@@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst
+@@ -100,6 +100,7 @@ void str_replace_unprintable(struct mystr* p_str, char new_char);
  int str_atoi(const struct mystr* p_str);
  filesize_t str_a_to_filesize_t(const struct mystr* p_str);
  unsigned int str_octal_to_uint(const struct mystr* p_str);

package/lean/vsftpd-alt/patches/010-openssl-deprecated.patch

@@ -0,0 +1,51 @@
+--- a/ssl.c
++++ b/ssl.c
+@@ -28,6 +28,9 @@
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+ #include <openssl/bio.h>
++#ifndef OPENSSL_NO_EC
++#include <openssl/ec.h>
++#endif
+ #include <errno.h>
+ #include <limits.h>
+ 
+@@ -66,8 +69,12 @@ ssl_init(struct vsf_session* p_sess)
+     SSL_CTX* p_ctx;
+     long options;
+     int verify_option = 0;
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     SSL_library_init();
+     p_ctx = SSL_CTX_new(SSLv23_server_method());
++#else
++    p_ctx = SSL_CTX_new(TLS_server_method());
++#endif
+     if (p_ctx == NULL)
+     {
+       die("SSL: could not allocate SSL context");
+@@ -139,6 +146,7 @@ ssl_init(struct vsf_session* p_sess)
+     {
+       die("SSL: RNG is not seeded");
+     }
++#ifndef OPENSSL_NO_EC
+     {
+       EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+       if (key == NULL)
+@@ -148,6 +156,7 @@ ssl_init(struct vsf_session* p_sess)
+       SSL_CTX_set_tmp_ecdh(p_ctx, key);
+       EC_KEY_free(key);
+     }
++#endif
+     if (tunable_ssl_request_cert)
+     {
+       verify_option |= SSL_VERIFY_PEER;
+@@ -685,7 +694,9 @@ ssl_cert_digest(SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str)
+ static char*
+ get_ssl_error()
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+   SSL_load_error_strings();
++#endif
+   return ERR_error_string(ERR_get_error(), NULL);
+ }
+ 

package/lean/vsftpd-alt/patches/100-add-uci-auth-support.patch

@@ -1,27 +1,27 @@
 --- a/parseconf.c
 +++ b/parseconf.c
-@@ -178,6 +178,7 @@
-   { "rsa_private_key_file", &tunable_rsa_private_key_file },
+@@ -182,6 +182,7 @@ parseconf_str_array[] =
    { "dsa_private_key_file", &tunable_dsa_private_key_file },
    { "ca_certs_file", &tunable_ca_certs_file },
+   { "ssl_sni_hostname", &tunable_ssl_sni_hostname },
 +  { "uci_config_name", &tunable_uci_config_name },
    { "cmds_denied", &tunable_cmds_denied },
    { 0, 0 }
  };
 --- a/sysdeputil.c
 +++ b/sysdeputil.c
-@@ -175,6 +175,8 @@
+@@ -180,6 +180,8 @@
  #include <pwd.h>
  #include <unistd.h>
  #include <crypt.h>
 +/* Include uci headers */
 +#include <uci.h>
  #endif
-
+ 
  /* Prefer libcap based capabilities over raw syscall capabilities */
-@@ -237,14 +239,24 @@
+@@ -242,14 +244,24 @@ void vsf_insert_uwtmp(const struct mystr* p_user_str,
  void vsf_remove_uwtmp(void);
-
+ 
  #ifndef VSF_SYSDEP_HAVE_PAM
 +static int
 +vsf_sysdep_check_auth_uci(struct mystr* p_user_str,
@@ -45,10 +45,10 @@
    if (p_pwd == NULL)
    {
      return 0;
-@@ -300,6 +312,51 @@
+@@ -305,6 +317,51 @@ vsf_sysdep_check_auth(struct mystr* p_user_str,
    return 0;
  }
-
+ 
 +static int
 +vsf_sysdep_check_auth_uci(struct mystr* p_user_str,
 +                      const struct mystr* p_pass_str)
@@ -95,33 +95,33 @@
 +}
 +
  #else /* VSF_SYSDEP_HAVE_PAM */
-
+ 
  #if (defined(__sun) || defined(__hpux)) && \
 --- a/tunables.c
 +++ b/tunables.c
-@@ -142,6 +142,7 @@
- const char* tunable_rsa_private_key_file;
+@@ -146,6 +146,7 @@ const char* tunable_rsa_private_key_file;
  const char* tunable_dsa_private_key_file;
  const char* tunable_ca_certs_file;
+ const char* tunable_ssl_sni_hostname;
 +const char* tunable_uci_config_name;
-
+ 
  static void install_str_setting(const char* p_value, const char** p_storage);
-
-@@ -288,6 +289,7 @@
-   install_str_setting(0, &tunable_rsa_private_key_file);
+ 
+@@ -296,6 +297,7 @@ tunables_load_defaults()
    install_str_setting(0, &tunable_dsa_private_key_file);
    install_str_setting(0, &tunable_ca_certs_file);
+   install_str_setting(0, &tunable_ssl_sni_hostname);
 +  install_str_setting(0, &tunable_uci_config_name);
  }
-
+ 
  void
 --- a/tunables.h
 +++ b/tunables.h
-@@ -144,6 +144,7 @@
- extern const char* tunable_rsa_private_key_file;
+@@ -148,6 +148,7 @@ extern const char* tunable_rsa_private_key_file;
  extern const char* tunable_dsa_private_key_file;
  extern const char* tunable_ca_certs_file;
+ extern const char* tunable_ssl_sni_hostname;
 +extern const char* tunable_uci_config_name;
  extern const char* tunable_cmds_denied;
-
+ 
  #endif /* VSF_TUNABLES_H */

package/lean/vsftpd-alt/patches/101-enable-chroot-on-writable-dir.patch

@@ -1,14 +1,19 @@
 --- a/secutil.c
 +++ b/secutil.c
-@@ -135,10 +135,12 @@
-   if ((options & VSF_SECUTIL_OPTION_CHROOT) &&
-       !(options & VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT))
+@@ -129,16 +129,5 @@ vsf_secutil_change_credentials(const struct mystr* p_user_str,
    {
-+  /*
-     if (vsf_sysutil_write_access("/"))
-     {
-       die("vsftpd: refusing to run with writable root inside chroot()");
-     }
-+  */
+     vsf_sysutil_set_no_procs();
    }
+-  /* Misconfiguration check: don't ever chroot() to a directory writable by
+-   * the current user.
+-   */
+-  if ((options & VSF_SECUTIL_OPTION_CHROOT) &&
+-      !(options & VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT))
+-  {
+-    if (vsf_sysutil_write_access("/"))
+-    {
+-      die("vsftpd: refusing to run with writable root inside chroot()");
+-    }
+-  }
  }
+ 

package/lean/vsftpd-alt/patches/102-keep-local-user-rights.patch

@@ -1,6 +1,6 @@
 --- a/twoprocess.c
 +++ b/twoprocess.c
-@@ -426,7 +426,7 @@
+@@ -426,7 +426,7 @@ common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str,
       */
      vsf_set_die_if_parent_dies();
      priv_sock_set_child_context(p_sess);