From db28e1ee309b4344719458b47fc354a8668a46a8 Mon Sep 17 00:00:00 2001 From: HiGarfield <32226909+HiGarfield@users.noreply.github.com> Date: Mon, 23 Aug 2021 15:08:39 +0800 Subject: [PATCH] vsftpd-alt: update to 3.0.5 (#7720) --- package/lean/vsftpd-alt/Makefile | 29 +++-------- .../lean/vsftpd-alt/patches/001-destdir.patch | 2 +- .../vsftpd-alt/patches/002-find_libs.patch | 2 +- .../lean/vsftpd-alt/patches/003-chroot.patch | 2 +- .../patches/007-CVE-2015-1419.patch | 15 ++---- .../patches/010-openssl-deprecated.patch | 51 +++++++++++++++++++ .../patches/100-add-uci-auth-support.patch | 38 +++++++------- .../101-enable-chroot-on-writable-dir.patch | 23 +++++---- .../patches/102-keep-local-user-rights.patch | 2 +- 9 files changed, 98 insertions(+), 66 deletions(-) create mode 100644 package/lean/vsftpd-alt/patches/010-openssl-deprecated.patch diff --git a/package/lean/vsftpd-alt/Makefile b/package/lean/vsftpd-alt/Makefile index c8cbecdd9..dd3a356d4 100644 --- a/package/lean/vsftpd-alt/Makefile +++ b/package/lean/vsftpd-alt/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=vsftpd-alt -PKG_VERSION:=3.0.3 -PKG_RELEASE:=7 +PKG_VERSION:=3.0.5 +PKG_RELEASE:=1 PKG_SOURCE:=vsftpd-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://security.appspot.com/downloads/ -PKG_MD5SUM:=da119d084bd3f98664636ea05b5bb398 +PKG_HASH:=26b602ae454b0ba6d99ef44a09b6b9e0dfa7f67228106736df1f278c70bc91d3 PKG_LICENSE:=GPLv2 BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) 
@@ -32,21 +32,18 @@ define Package/vsftpd-alt/Default #+PACKAGE_libpam:libpam endef +TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto +TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed,--no-undefined,--no-allow-shlib-undefined + define Package/vsftpd-alt/conffiles /etc/vsftpd.conf endef -#EXTRA_LDFLAGS:= -lcrypt -lcrypto -lssl - define Package/vsftpd-alt/config config VSFTPD_USE_UCI_SCRIPTS bool "Uses UCI scripts" depends on PACKAGE_vsftpd-alt default y -#config VSFTPD_ENABLE_AIO -# bool "Enable async I/O (Currently Buggy)" -# depends on PACKAGE_vsftpd-alt -# default n endef ifneq ($(CONFIG_USE_MUSL),) @@ -57,23 +54,9 @@ endif TARGET_CFLAGS += -D_GNU_SOURCE -include fcntl.h -#ifdef CONFIG_PACKAGE_libpam -# EXTRA_LDFLAGS += -lpam -#endif - -#ifeq ($(CONFIG_VSFTPD_ENABLE_AIO),y) -#define Package/vsftpd-alt -#$(call Package/vsftpd-alt/Default) -# DEPENDS=+PACKAGE_libpam:libpam +libopenssl +libuci +libaio -#endef -# EXTRA_LDFLAGS += -laio -# EXTRA_CFLAGS += -DVSFTPD_ASYNC_IO -#else define Package/vsftpd-alt $(call Package/vsftpd-alt/Default) endef -#endif - define Build/Compile $(SED) 's/-lcrypt -lnsl/$(NLSSTRING)/' $(PKG_BUILD_DIR)/Makefile diff --git a/package/lean/vsftpd-alt/patches/001-destdir.patch b/package/lean/vsftpd-alt/patches/001-destdir.patch index b0274ac86..67ac02d1c 100644 --- a/package/lean/vsftpd-alt/patches/001-destdir.patch +++ b/package/lean/vsftpd-alt/patches/001-destdir.patch @@ -1,6 +1,6 @@ --- a/Makefile +++ b/Makefile -@@ -22,6 +22,8 @@ OBJS = main.o utility.o prelogin.o ftpcm +@@ -22,6 +22,8 @@ OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \ seccompsandbox.o diff --git a/package/lean/vsftpd-alt/patches/002-find_libs.patch b/package/lean/vsftpd-alt/patches/002-find_libs.patch index 4e95248ce..a6559edec 100644 --- a/package/lean/vsftpd-alt/patches/002-find_libs.patch +++ b/package/lean/vsftpd-alt/patches/002-find_libs.patch @@ -1,6 +1,6 @@ --- a/Makefile 
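Review bot: The new `TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto` and `TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed,--no-undefined,--no-allow-shlib-undefined` lines carry no comment saying what they are for, and `-flto` is added to the compile flags only; whether it also reaches the final link depends on how vsftpd's own Makefile consumes CFLAGS and LDFLAGS, which this diff does not show. Upstream's Makefile sets `-fPIE -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2` itself (visible as context in 002-find_libs.patch further down), so it is worth confirming those hardening flags survive next to the appended ones rather than being replaced. Once verified, a one-line comment above the two assignments, e.g. `# size/link trimming only; the hardening CFLAGS come from upstream's Makefile`, records the intent for the next bump.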
+++ b/Makefile -@@ -8,8 +8,8 @@ CFLAGS = -O2 -fPIE -fstack-protector --p +@@ -8,8 +8,8 @@ CFLAGS = -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \ -D_FORTIFY_SOURCE=2 \ #-pedantic -Wconversion diff --git a/package/lean/vsftpd-alt/patches/003-chroot.patch b/package/lean/vsftpd-alt/patches/003-chroot.patch index 8965da417..355e219f7 100644 --- a/package/lean/vsftpd-alt/patches/003-chroot.patch +++ b/package/lean/vsftpd-alt/patches/003-chroot.patch @@ -1,6 +1,6 @@ --- a/tunables.c +++ b/tunables.c -@@ -254,7 +254,7 @@ tunables_load_defaults() +@@ -261,7 +261,7 @@ tunables_load_defaults() /* -rw------- */ tunable_chown_upload_mode = 0600; diff --git a/package/lean/vsftpd-alt/patches/007-CVE-2015-1419.patch b/package/lean/vsftpd-alt/patches/007-CVE-2015-1419.patch index 173027a1d..f51246887 100644 --- a/package/lean/vsftpd-alt/patches/007-CVE-2015-1419.patch +++ b/package/lean/vsftpd-alt/patches/007-CVE-2015-1419.patch @@ -1,10 +1,3 @@ -Description: CVE-2015-1419: config option deny_file is not handled correctly -Author: Marcus Meissner -Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419 -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922 -Last-Update: 2015-02-24 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/ls.c +++ b/ls.c @@ -7,6 +7,7 @@ @@ -15,7 +8,7 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ #include "ls.h" #include "access.h" #include "defs.h" -@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct +@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, struct mystr temp_str = INIT_MYSTR; struct mystr brace_list_str = INIT_MYSTR; struct mystr new_filter_str = INIT_MYSTR; 
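Review bot: Deleting the seven DEP-3 header lines at the top of 007-CVE-2015-1419.patch removes the only provenance this backport carries — author, origin bug, Debian bug and last-update date — which is exactly what someone auditing the 3.0.5 bump needs in order to decide whether the fix is still required or is now duplicated upstream. Keep at least `Description: CVE-2015-1419: config option deny_file is not handled correctly` and `Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419` above `--- a/ls.c`, and set `Last-Update:` to the refresh date; patch(1) ignores text before the first file header, so the patch still applies unchanged. The remaining hunks of this file only refresh hunk-header context and need no further note.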
@@ -59,7 +52,7 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX) { -@@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct +@@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct mystr* p_filename_str, ret = 0; } out: @@ -71,7 +64,7 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ str_free(&temp_str); --- a/str.c +++ b/str.c -@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_ +@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_str, char new_char) } } @@ -88,7 +81,7 @@ This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +} --- a/str.h +++ b/str.h -@@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst +@@ -100,6 +100,7 @@ void str_replace_unprintable(struct mystr* p_str, char new_char); int str_atoi(const struct mystr* p_str); filesize_t str_a_to_filesize_t(const struct mystr* p_str); unsigned int str_octal_to_uint(const struct mystr* p_str); diff --git a/package/lean/vsftpd-alt/patches/010-openssl-deprecated.patch b/package/lean/vsftpd-alt/patches/010-openssl-deprecated.patch new file mode 100644 index 000000000..08ef9d227 --- /dev/null +++ b/package/lean/vsftpd-alt/patches/010-openssl-deprecated.patch 
@@ -0,0 +1,51 @@ +--- a/ssl.c ++++ b/ssl.c +@@ -28,6 +28,9 @@ + #include + #include + #include ++#ifndef OPENSSL_NO_EC ++#include ++#endif + #include + #include + +@@ -66,8 +69,12 @@ ssl_init(struct vsf_session* p_sess) + SSL_CTX* p_ctx; + long options; + int verify_option = 0; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_library_init(); + p_ctx = SSL_CTX_new(SSLv23_server_method()); ++#else ++ p_ctx = SSL_CTX_new(TLS_server_method()); ++#endif + if (p_ctx == NULL) + { + die("SSL: could not allocate SSL context"); +@@ -139,6 +146,7 @@ ssl_init(struct vsf_session* p_sess) + { + die("SSL: RNG is not seeded"); + } ++#ifndef OPENSSL_NO_EC + { + EC_KEY* key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + if (key == NULL) +@@ -148,6 +156,7 @@ ssl_init(struct vsf_session* p_sess) + SSL_CTX_set_tmp_ecdh(p_ctx, key); + EC_KEY_free(key); + } ++#endif + if (tunable_ssl_request_cert) + { + verify_option |= SSL_VERIFY_PEER; +@@ -685,7 +694,9 @@ ssl_cert_digest(SSL* p_ssl, struct vsf_session* p_sess, struct mystr* p_str) + static char* + get_ssl_error() + { ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + SSL_load_error_strings(); ++#endif + return ERR_error_string(ERR_get_error(), NULL); + } + diff --git a/package/lean/vsftpd-alt/patches/100-add-uci-auth-support.patch b/package/lean/vsftpd-alt/patches/100-add-uci-auth-support.patch index 3b805645d..dfb13a87f 100644 --- a/package/lean/vsftpd-alt/patches/100-add-uci-auth-support.patch +++ b/package/lean/vsftpd-alt/patches/100-add-uci-auth-support.patch @@ -1,27 +1,27 @@ --- a/parseconf.c +++ b/parseconf.c -@@ -178,6 +178,7 @@ - { "rsa_private_key_file", &tunable_rsa_private_key_file }, +@@ -182,6 +182,7 @@ parseconf_str_array[] = { "dsa_private_key_file", &tunable_dsa_private_key_file }, { "ca_certs_file", &tunable_ca_certs_file }, + { "ssl_sni_hostname", &tunable_ssl_sni_hostname }, + { "uci_config_name", &tunable_uci_config_name }, { "cmds_denied", &tunable_cmds_denied }, { 0, 0 } }; --- a/sysdeputil.c 
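Review bot: The `#ifndef OPENSSL_NO_EC` guard added around the `EC_KEY_new_by_curve_name` / `SSL_CTX_set_tmp_ecdh` / `EC_KEY_free` block in ssl_init() only covers EC-less builds; on OpenSSL 3.0 those EC_KEY calls are themselves deprecated, so a build with deprecated APIs disabled still breaks there, which is the case this patch file is named for. Since OpenSSL 1.1.0 selects ECDHE groups automatically, the block can be limited to older releases by changing the guard to `#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_EC)`, mirroring the version test the patch already uses for `SSL_library_init()` and `SSLv23_server_method()`. If pinning the single prime256v1 curve must be preserved on newer releases, `SSL_CTX_set1_curves_list(p_ctx, "prime256v1")` in an `#else` branch does that without the EC_KEY API. ssl_init() starts before and continues after each of the inner hunks, and the `#include` names in the first inner hunk are not legible in this rendering.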
+++ b/sysdeputil.c -@@ -175,6 +175,8 @@ +@@ -180,6 +180,8 @@ #include #include #include +/* Include uci headers */ +#include #endif - + /* Prefer libcap based capabilities over raw syscall capabilities */ -@@ -237,14 +239,24 @@ +@@ -242,14 +244,24 @@ void vsf_insert_uwtmp(const struct mystr* p_user_str, void vsf_remove_uwtmp(void); - + #ifndef VSF_SYSDEP_HAVE_PAM +static int +vsf_sysdep_check_auth_uci(struct mystr* p_user_str, @@ -45,10 +45,10 @@ if (p_pwd == NULL) { return 0; -@@ -300,6 +312,51 @@ +@@ -305,6 +317,51 @@ vsf_sysdep_check_auth(struct mystr* p_user_str, return 0; } - + +static int +vsf_sysdep_check_auth_uci(struct mystr* p_user_str, + const struct mystr* p_pass_str) @@ -95,33 +95,33 @@ +} + #else /* VSF_SYSDEP_HAVE_PAM */ - + #if (defined(__sun) || defined(__hpux)) && \ --- a/tunables.c +++ b/tunables.c -@@ -142,6 +142,7 @@ - const char* tunable_rsa_private_key_file; +@@ -146,6 +146,7 @@ const char* tunable_rsa_private_key_file; const char* tunable_dsa_private_key_file; const char* tunable_ca_certs_file; + const char* tunable_ssl_sni_hostname; +const char* tunable_uci_config_name; - + static void install_str_setting(const char* p_value, const char** p_storage); - -@@ -288,6 +289,7 @@ - install_str_setting(0, &tunable_rsa_private_key_file); + +@@ -296,6 +297,7 @@ tunables_load_defaults() install_str_setting(0, &tunable_dsa_private_key_file); install_str_setting(0, &tunable_ca_certs_file); + install_str_setting(0, &tunable_ssl_sni_hostname); + install_str_setting(0, &tunable_uci_config_name); } - + void --- a/tunables.h +++ b/tunables.h -@@ -144,6 +144,7 @@ - extern const char* tunable_rsa_private_key_file; +@@ -148,6 +148,7 @@ extern const char* tunable_rsa_private_key_file; extern const char* tunable_dsa_private_key_file; extern const char* tunable_ca_certs_file; + extern const char* tunable_ssl_sni_hostname; +extern const char* tunable_uci_config_name; extern const char* tunable_cmds_denied; - + #endif /* VSF_TUNABLES_H */ 
diff --git a/package/lean/vsftpd-alt/patches/101-enable-chroot-on-writable-dir.patch b/package/lean/vsftpd-alt/patches/101-enable-chroot-on-writable-dir.patch index c7a6b05fd..f8b075af3 100644 --- a/package/lean/vsftpd-alt/patches/101-enable-chroot-on-writable-dir.patch +++ b/package/lean/vsftpd-alt/patches/101-enable-chroot-on-writable-dir.patch @@ -1,14 +1,19 @@ --- a/secutil.c +++ b/secutil.c -@@ -135,10 +135,12 @@ - if ((options & VSF_SECUTIL_OPTION_CHROOT) && - !(options & VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT)) +@@ -129,16 +129,5 @@ vsf_secutil_change_credentials(const struct mystr* p_user_str, { -+ /* - if (vsf_sysutil_write_access("/")) - { - die("vsftpd: refusing to run with writable root inside chroot()"); - } -+ */ + vsf_sysutil_set_no_procs(); } +- /* Misconfiguration check: don't ever chroot() to a directory writable by +- * the current user. +- */ +- if ((options & VSF_SECUTIL_OPTION_CHROOT) && +- !(options & VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT)) +- { +- if (vsf_sysutil_write_access("/")) +- { +- die("vsftpd: refusing to run with writable root inside chroot()"); +- } +- } } + diff --git a/package/lean/vsftpd-alt/patches/102-keep-local-user-rights.patch b/package/lean/vsftpd-alt/patches/102-keep-local-user-rights.patch index f5ee25d76..284bf19dd 100644 --- a/package/lean/vsftpd-alt/patches/102-keep-local-user-rights.patch +++ b/package/lean/vsftpd-alt/patches/102-keep-local-user-rights.patch @@ -1,6 +1,6 @@ --- a/twoprocess.c +++ b/twoprocess.c -@@ -426,7 +426,7 @@ +@@ -426,7 +426,7 @@ common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str, */ vsf_set_die_if_parent_dies(); priv_sock_set_child_context(p_sess);
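Review bot: The rewritten 101-enable-chroot-on-writable-dir.patch now deletes the whole `/* Misconfiguration check ... */` block from vsf_secutil_change_credentials() instead of commenting it out, so the refusal to run with a writable chroot root disappears for every deployment, including ones that never opted in; the removed lines show upstream already skips the check when `VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT` is set, i.e. the `allow_writeable_chroot` tunable offered a config-level opt-in without a source change. The patch file carries no explanation of why that opt-in is not enough, so add a line above `--- a/secutil.c` such as `Removes upstream's writable-chroot refusal for all configurations; prefer allow_writeable_chroot=YES in vsftpd.conf where that suffices`, so the next bump can reassess it. The inner hunk cuts vsf_secutil_change_credentials() at both ends, and the final `+` line only appends a blank line to the patch file.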