authorThomas Deutschmann <whissi@gentoo.org>2020-03-25 19:43:39 +0100
committerThomas Deutschmann <whissi@gentoo.org>2020-03-25 19:44:01 +0100
commit21b5c196ee853f0900754eab49fee2906747f567 (patch)
treeaa78d321fedea2f320199ee1b2b40646955023c0
parentsys-apps/heirloom-tools: remove patrick as maintainer (diff)
net-ftp/pure-ftpd: security cleanup (bug #711124)
Bug: https://bugs.gentoo.org/711124 Package-Manager: Portage-2.3.94, Repoman-2.3.21 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
-rw-r--r--net-ftp/pure-ftpd/Manifest1
-rw-r--r--net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-MAX_DATA_SIZE.patch22
-rw-r--r--net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-TLSv1.3.patch46
-rw-r--r--net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.1.patch22
-rw-r--r--net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.3.patch21
-rw-r--r--net-ftp/pure-ftpd/metadata.xml1
-rw-r--r--net-ftp/pure-ftpd/pure-ftpd-1.0.47-r4.ebuild144
-rw-r--r--net-ftp/pure-ftpd/pure-ftpd-1.0.49-r1.ebuild148
8 files changed, 0 insertions, 405 deletions
diff --git a/net-ftp/pure-ftpd/Manifest b/net-ftp/pure-ftpd/Manifest
index 746be8280a0..2892703c30e 100644
--- a/net-ftp/pure-ftpd/Manifest
+++ b/net-ftp/pure-ftpd/Manifest
@@ -1,2 +1 @@
-DIST pure-ftpd-1.0.47.tar.bz2 489177 BLAKE2B 06e71ead47b87dedf47a84e488b2de127fcd297c2e9ca7a617c2ee2760cf55b816884763721826c512558d016cbd38a87a11ca0e8c2334d93145edc6f88d9287 SHA512 c1920a3f67f04635fde600fe226a7730b801e7e64658b25f1d9f9c0b35a704664be4adfb0b291594f7e0f10beade25eae9a5e6cc3b6777a3b413f3c2d9574e63
DIST pure-ftpd-1.0.49.tar.bz2 487958 BLAKE2B bd5f10a49b533eb6c257032659e97aa7ae16ec9402704d8ee06c92938e217b748b390ccf0e31b3640f41cb7a93f85b29c8ddcdc296f214391b1d92da9d701a7c SHA512 b44896d6fe2cda9169b1db93c5260bb892af14a173f2d25e60dd6530afe85d8e9156985609e35da7e5550dc123afb42bc5012beb9fca9011054cf0ed8b2eddef
diff --git a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-MAX_DATA_SIZE.patch b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-MAX_DATA_SIZE.patch
deleted file mode 100644
index a9ad0a30b9b..00000000000
--- a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-MAX_DATA_SIZE.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 27a5c200f9643ce907118aad169279b3a66a9e8a Mon Sep 17 00:00:00 2001
-From: Frank Denis <github@pureftpd.org>
-Date: Sat, 4 Nov 2017 20:46:16 +0100
-Subject: [PATCH] Increase MAX_DATA_SIZE due to Argon2id requirements
-
----
- src/ftpd.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/ftpd.h b/src/ftpd.h
-index 1beeab8..5bb1f6b 100644
---- a/src/ftpd.h
-+++ b/src/ftpd.h
-@@ -557,7 +557,7 @@ Your platform has a very large PATH_MAX, we should not trust it.
-
- #ifndef MAX_DATA_SIZE
- # ifdef HAVE_LIBSODIUM
--# define MAX_DATA_SIZE (40 * 1024 * 1024)
-+# define MAX_DATA_SIZE (70 * 1024 * 1024)
- # elif defined(WITH_LDAP) || defined(WITH_MYSQL) || defined(WITH_PGSQL)
- # define MAX_DATA_SIZE (16 * 1024 * 1024) /* Max memory usage - SQL/LDAP need more */
- # else
diff --git a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-TLSv1.3.patch b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-TLSv1.3.patch
deleted file mode 100644
index 65f19bf49da..00000000000
--- a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-TLSv1.3.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 4a495c61ce22c893aed5ee57f6ce0b43c3be59ad Mon Sep 17 00:00:00 2001
-From: Frank Denis <github@pureftpd.org>
-Date: Wed, 19 Sep 2018 23:53:45 +0200
-Subject: [PATCH] TLS1.3 compatibility
-
-Fixes #94
----
- src/tls.c | 17 +++++++++++++----
- 1 file changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/src/tls.c b/src/tls.c
-index c693d3b..f383ed9 100644
---- a/src/tls.c
-+++ b/src/tls.c
-@@ -228,7 +228,16 @@ static void ssl_info_cb(const SSL *cnx, int where, int ret)
- if ((where & SSL_CB_HANDSHAKE_START) != 0) {
- if ((cnx == tls_cnx && tls_cnx_handshook != 0) ||
- (cnx == tls_data_cnx && tls_data_cnx_handshook != 0)) {
-- die(400, LOG_ERR, "TLS renegociation");
-+ const SSL_CIPHER *cipher;
-+ const char *cipher_version;
-+ if ((cipher = SSL_get_current_cipher(cnx)) == NULL ||
-+ (cipher_version = SSL_CIPHER_get_version(cipher)) == NULL) {
-+ die(400, LOG_ERR, "No cipher");
-+ }
-+ if (strcmp(cipher_version, "TLSv1.3") != 0) {
-+ die(400, LOG_ERR, "TLS renegociation");
-+ return;
-+ }
- }
- return;
- }
-@@ -264,10 +273,10 @@ int tls_init_library(void)
- OpenSSL_add_all_algorithms();
- # else
- OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS |
-- OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
-+ OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
- OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
-- OPENSSL_INIT_ADD_ALL_DIGESTS |
-- OPENSSL_INIT_LOAD_CONFIG, NULL);
-+ OPENSSL_INIT_ADD_ALL_DIGESTS |
-+ OPENSSL_INIT_LOAD_CONFIG, NULL);
- # endif
- while (RAND_status() == 0) {
- rnd = zrand();
diff --git a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.1.patch b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.1.patch
deleted file mode 100644
index cd4532bb97a..00000000000
--- a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.1.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From aa68b2d620ef0c83c7f52213c7e6093722b0b8bd Mon Sep 17 00:00:00 2001
-From: Frank Denis <github@pureftpd.org>
-Date: Wed, 24 Oct 2018 19:19:26 +0200
-Subject: [PATCH] Disable TLSv1_1
-
----
- src/tls.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tls.c b/src/tls.c
-index f383ed9..c4e2a1b 100644
---- a/src/tls.c
-+++ b/src/tls.c
-@@ -297,7 +297,7 @@ int tls_init_library(void)
- SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1);
- # endif
- # ifdef SSL_OP_NO_TLSv1_1
-- SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_1);
-+ SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_1);
- # endif
- # ifdef SSL_OP_NO_TLSv1_2
- SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);
diff --git a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.3.patch b/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.3.patch
deleted file mode 100644
index cbe9c8bdcb8..00000000000
--- a/net-ftp/pure-ftpd/files/pure-ftpd-1.0.47-disable-TLSv1.3.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Temporarily disable TLSv1.3 support
-
-Disable TLSv1.3 until support for it is fixed in pure-ftpd. This is a
-workaround for the following issue:
-https://github.com/jedisct1/pure-ftpd/issues/102
-
---- a/src/tls.c
-+++ b/src/tls.c
-@@ -301,6 +301,10 @@ int tls_init_library(void)
- # endif
- # ifdef SSL_OP_NO_TLSv1_2
- SSL_CTX_clear_options(tls_ctx, SSL_OP_NO_TLSv1_2);
-+# endif
-+ /* Disable TLSv1.3 support until it works properly in pure-ftpd */
-+# ifdef SSL_OP_NO_TLSv1_3
-+ SSL_CTX_set_options(tls_ctx, SSL_OP_NO_TLSv1_3);
- # endif
- if (tlsciphersuite != NULL) {
- if (SSL_CTX_set_cipher_list(tls_ctx, tlsciphersuite) != 1) {
---
-2.20.1
diff --git a/net-ftp/pure-ftpd/metadata.xml b/net-ftp/pure-ftpd/metadata.xml
index 5ee42de87ae..35a92292178 100644
--- a/net-ftp/pure-ftpd/metadata.xml
+++ b/net-ftp/pure-ftpd/metadata.xml
@@ -11,7 +11,6 @@
<flag name="anonperm">Permit anonymous to change file permissions</flag>
<flag name="anonren">Permit anonymous to rename files</flag>
<flag name="anonres">Permit anonymous to resume file transfers</flag>
- <flag name="charconv">Enables charset conversion</flag>
<flag name="implicittls">Enable TLS on Port 990</flag>
<flag name="noiplog">Disables logging of IP addresses</flag>
<flag name="paranoidmsg">Display paranoid messages instead of normal
diff --git a/net-ftp/pure-ftpd/pure-ftpd-1.0.47-r4.ebuild b/net-ftp/pure-ftpd/pure-ftpd-1.0.47-r4.ebuild
deleted file mode 100644
index de299a33183..00000000000
--- a/net-ftp/pure-ftpd/pure-ftpd-1.0.47-r4.ebuild
+++ /dev/null
@@ -1,144 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit flag-o-matic
-
-KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ia64 ppc ppc64 sparc x86"
-
-DESCRIPTION="Fast, production-quality, standard-conformant FTP server"
-HOMEPAGE="http://www.pureftpd.org/"
-SRC_URI="ftp://ftp.pureftpd.org/pub/${PN}/releases/${P}.tar.bz2
- http://download.pureftpd.org/pub/${PN}/releases/${P}.tar.bz2"
-
-LICENSE="BSD"
-SLOT="0"
-
-IUSE="anondel anonperm anonren anonres caps charconv implicittls ldap libressl mysql noiplog pam paranoidmsg postgres resolveids selinux ssl sysquota vchroot xinetd"
-
-REQUIRED_USE="implicittls? ( ssl )"
-
-DEPEND="caps? ( sys-libs/libcap )
- charconv? ( virtual/libiconv )
- ldap? ( >=net-nds/openldap-2.0.25 )
- mysql? ( || (
- dev-db/mariadb-connector-c
- dev-db/mysql-connector-c
- ) )
- pam? ( sys-libs/pam )
- postgres? ( dev-db/postgresql:= )
- ssl? (
- !libressl? ( >=dev-libs/openssl-0.9.6g:0=[-bindist] )
- libressl? ( dev-libs/libressl:= )
- )
- sysquota? ( sys-fs/quota[-rpc] )
- xinetd? ( virtual/inetd )"
-
-RDEPEND="${DEPEND}
- dev-libs/libsodium:=
- net-ftp/ftpbase
- selinux? ( sec-policy/selinux-ftp )"
-
-PATCHES=(
- "${FILESDIR}/${PN}-1.0.28-pam.patch"
- "${FILESDIR}/${PN}-1.0.47-MAX_DATA_SIZE.patch"
- "${FILESDIR}/${PN}-1.0.47-TLSv1.3.patch"
- "${FILESDIR}/${PN}-1.0.47-disable-TLSv1.3.patch"
- "${FILESDIR}/${PN}-1.0.47-disable-TLSv1.1.patch"
-)
-
-src_configure() {
- # adjust max user length to something more appropriate
- # for virtual hosts. See bug #62472 for details.
- sed -e "s:# define MAX_USER_LENGTH 32U:# define MAX_USER_LENGTH 127U:" \
- -i "${S}/src/ftpd.h" || die "sed failed"
-
- # Those features are only configurable like this, see bug #179375.
- use anondel && append-cppflags -DANON_CAN_DELETE
- use anonperm && append-cppflags -DANON_CAN_CHANGE_PERMS
- use anonren && append-cppflags -DANON_CAN_RENAME
- use anonres && append-cppflags -DANON_CAN_RESUME
- use resolveids && append-cppflags -DALWAYS_RESOLVE_IDS
-
- # Do not auto-use SSP -- let the user select this.
- export ax_cv_check_cflags___fstack_protector_all=no
-
- local myeconfargs=(
- --enable-largefile
- --with-altlog
- --with-cookie
- --with-diraliases
- --with-extauth
- --with-ftpwho
- --with-language=${PUREFTPD_LANG:=english}
- --with-peruserlimits
- --with-privsep
- --with-puredb
- --with-quotas
- --with-ratios
- --with-throttling
- --with-uploadscript
- --with-virtualhosts
- $(use_with charconv rfc2640)
- $(use_with ldap)
- $(use_with mysql)
- $(use_with pam)
- $(use_with paranoidmsg)
- $(use_with postgres pgsql)
- $(use_with ssl tls)
- $(use_with implicittls)
- $(use_with vchroot virtualchroot)
- $(use_with sysquota sysquotas)
- $(usex caps '' '--without-capabilities')
- $(usex noiplog '--without-iplogging' '')
- $(usex xinetd '' '--without-inetd')
- )
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- local DOCS=( AUTHORS CONTACT ChangeLog FAQ HISTORY INSTALL README* NEWS )
-
- default
-
- newinitd "${FILESDIR}/pure-ftpd.rc11" ${PN}
- newconfd "${FILESDIR}/pure-ftpd.conf_d-3" ${PN}
-
- if use implicittls ; then
- sed -i '/^SERVER/s@21@990@' "${ED}"/etc/conf.d/${PN} \
- || die "Adjusting default server port for implicittls usage failed!"
- fi
-
- keepdir /var/lib/run/${PN}
-
- if use xinetd ; then
- insinto /etc/xinetd.d
- newins "${FILESDIR}/pure-ftpd.xinetd" ${PN}
- fi
-
- if use ldap ; then
- insinto /etc/openldap/schema
- doins pureftpd.schema
- insinto /etc/openldap
- insopts -m 0600
- doins pureftpd-ldap.conf
- fi
-}
-
-pkg_postinst() {
- if [[ -z "${REPLACING_VERSIONS}" ]]; then
- # This is a new installation
- elog
- elog "Before starting Pure-FTPd, you have to edit the /etc/conf.d/pure-ftpd file!"
- elog
- ewarn "It's *really* important to read the README provided with Pure-FTPd!"
- ewarn "Check out http://download.pureftpd.org/pub/pure-ftpd/doc/README for general info"
- ewarn "and http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS for SSL/TLS info."
- ewarn
- if use charconv ; then
- ewarn "Charset conversion is an *experimental* feature!"
- ewarn "Remember to set a valid charset for your filesystem in the configuration!"
- fi
- fi
-}
diff --git a/net-ftp/pure-ftpd/pure-ftpd-1.0.49-r1.ebuild b/net-ftp/pure-ftpd/pure-ftpd-1.0.49-r1.ebuild
deleted file mode 100644
index d1be10cc99f..00000000000
--- a/net-ftp/pure-ftpd/pure-ftpd-1.0.49-r1.ebuild
+++ /dev/null
@@ -1,148 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit flag-o-matic
-
-DESCRIPTION="Fast, production-quality, standard-conformant FTP server"
-HOMEPAGE="http://www.pureftpd.org/"
-if [[ "${PV}" == 9999 ]] ; then
- inherit autotools git-r3
- EGIT_REPO_URI="https://github.com/jedisct1/pure-ftpd.git"
-else
- SRC_URI="ftp://ftp.pureftpd.org/pub/${PN}/releases/${P}.tar.bz2
- http://download.pureftpd.org/pub/${PN}/releases/${P}.tar.bz2"
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
-fi
-
-LICENSE="BSD"
-SLOT="0"
-
-IUSE="anondel anonperm anonren anonres caps implicittls ldap libressl mysql noiplog pam paranoidmsg postgres resolveids selinux ssl sysquota vchroot xinetd"
-
-REQUIRED_USE="implicittls? ( ssl )"
-
-DEPEND="caps? ( sys-libs/libcap )
- ldap? ( >=net-nds/openldap-2.0.25 )
- mysql? ( || (
- dev-db/mariadb-connector-c
- dev-db/mysql-connector-c
- ) )
- pam? ( sys-libs/pam )
- postgres? ( dev-db/postgresql:= )
- ssl? (
- !libressl? ( >=dev-libs/openssl-0.9.6g:0=[-bindist] )
- libressl? ( dev-libs/libressl:= )
- )
- sysquota? ( sys-fs/quota[-rpc] )
- xinetd? ( virtual/inetd )"
-
-RDEPEND="${DEPEND}
- dev-libs/libsodium:=
- net-ftp/ftpbase
- selinux? ( sec-policy/selinux-ftp )"
-
-PATCHES=(
- "${FILESDIR}/${PN}-1.0.28-pam.patch"
-)
-
-src_prepare() {
- default
- [[ "${PV}" == 9999 ]] && eautoreconf
-}
-
-src_configure() {
- # adjust max user length to something more appropriate
- # for virtual hosts. See bug #62472 for details.
- sed -e "s:# define MAX_USER_LENGTH 32U:# define MAX_USER_LENGTH 127U:" \
- -i "${S}/src/ftpd.h" || die "sed failed"
-
- # Those features are only configurable like this, see bug #179375.
- use anondel && append-cppflags -DANON_CAN_DELETE
- use anonperm && append-cppflags -DANON_CAN_CHANGE_PERMS
- use anonren && append-cppflags -DANON_CAN_RENAME
- use anonres && append-cppflags -DANON_CAN_RESUME
- use resolveids && append-cppflags -DALWAYS_RESOLVE_IDS
-
- # Do not auto-use SSP -- let the user select this.
- export ax_cv_check_cflags___fstack_protector_all=no
-
- local myeconfargs=(
- --enable-largefile
- # Required for correct pid file location.
- # pure-ftpd appends "/run/pure-ftpd.pid" to the localstatedir
- # path, and tries to write to that file even when being
- # started in foreground. So we need to pin this to /
- --localstatedir="${EPREFIX}"/
- --with-altlog
- --with-cookie
- --with-diraliases
- --with-extauth
- --with-ftpwho
- --with-language=${PUREFTPD_LANG:=english}
- --with-peruserlimits
- --with-privsep
- --with-puredb
- --with-quotas
- --with-ratios
- --with-throttling
- --with-uploadscript
- --with-virtualhosts
- $(use_with ldap)
- $(use_with mysql)
- $(use_with pam)
- $(use_with paranoidmsg)
- $(use_with postgres pgsql)
- $(use_with ssl tls)
- $(use_with implicittls)
- $(use_with vchroot virtualchroot)
- $(use_with sysquota sysquotas)
- $(usex caps '' '--without-capabilities')
- $(usex noiplog '--without-iplogging' '')
- $(usex xinetd '' '--without-inetd')
- )
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- local DOCS=( AUTHORS ChangeLog FAQ HISTORY README* NEWS )
-
- default
-
- newinitd "${FILESDIR}/pure-ftpd.rc11" ${PN}
- newconfd "${FILESDIR}/pure-ftpd.conf_d-3" ${PN}
-
- if use implicittls ; then
- sed -i '/^SERVER/s@21@990@' "${ED}"/etc/conf.d/${PN} \
- || die "Adjusting default server port for implicittls usage failed!"
- fi
-
- keepdir /var/lib/run/${PN}
-
- if use xinetd ; then
- insinto /etc/xinetd.d
- newins "${FILESDIR}/pure-ftpd.xinetd" ${PN}
- fi
-
- if use ldap ; then
- insinto /etc/openldap/schema
- doins pureftpd.schema
- insinto /etc/openldap
- insopts -m 0600
- doins pureftpd-ldap.conf
- fi
-}
-
-pkg_postinst() {
- if [[ -z "${REPLACING_VERSIONS}" ]]; then
- # This is a new installation
- elog
- elog "Before starting Pure-FTPd, you have to edit the /etc/conf.d/pure-ftpd file!"
- elog
- ewarn "It's *really* important to read the README provided with Pure-FTPd!"
- ewarn "Check out http://download.pureftpd.org/pub/pure-ftpd/doc/README for general info"
- ewarn "and http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS for SSL/TLS info."
- ewarn
- fi
-}