Your message dated Fri, 14 Nov 2014 11:50:58 +0100
with message-id <20141114105058.GA6479@betterave.cristau.org>
and subject line Re: Bug#769206: unblock tnftp/20130505-2
has caused the Debian Bug report #769206,
regarding unblock tnftp/20130505-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
769206: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769206
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock tnftp/20130505-2
- From: Aníbal Monsalve Salazar <anibal@debian.org>
- Date: Wed, 12 Nov 2014 06:34:24 +0000
- Message-id: <20141112063424.GA7236@master.debian.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock tnftp/20130505-2 debdiff tnftp_20130505-1.dsc tnftp_20130505-2.dsc diff -Nru tnftp-20130505/debian/changelog tnftp-20130505/debian/changelog --- tnftp-20130505/debian/changelog 2013-05-26 01:01:45.000000000 +0100 +++ tnftp-20130505/debian/changelog 2014-11-06 10:42:07.000000000 +0000 @@ -1,3 +1,19 @@ +tnftp (20130505-2) unstable; urgency=medium + + * Only trust filenames with special meaning if they came from + the command line. CVE-2014-8517. + Add upstream patch CVE-2014-8517.patch. + Closes: #767171. + * Run dh-autoreconf to update for new architectures. + Patch by Brahadambal Srinivasan <latha@linux.vnet.ibm.com>. + Closes: 759467. + * Standards Version is 3.9.6. + * Fix uses-deprecated-compression-for-data-tarball. + * Fix build-depends-on-obsolete-package. + build-depends: hardening-wrapper => use dpkg-buildflags instead. + + -- Anibal Monsalve Salazar <anibal@debian.org> Thu, 06 Nov 2014 10:42:01 +0000 + tnftp (20130505-1) unstable; urgency=low * New upstream version 20130505 diff -Nru tnftp-20130505/debian/compat tnftp-20130505/debian/compat --- tnftp-20130505/debian/compat 2009-04-06 01:20:42.000000000 +0100 +++ tnftp-20130505/debian/compat 2014-11-06 09:57:48.000000000 +0000 @@ -1 +1 @@ -7 +9 diff -Nru tnftp-20130505/debian/control tnftp-20130505/debian/control --- tnftp-20130505/debian/control 2013-05-26 00:04:41.000000000 +0100 +++ tnftp-20130505/debian/control 2014-11-06 10:02:59.000000000 +0000 
@@ -2,8 +2,8 @@ Section: net Priority: optional Maintainer: Anibal Monsalve Salazar <anibal@debian.org> -Build-Depends: debhelper (>= 7), hardening-wrapper, libncurses5-dev, libssl-dev -Standards-Version: 3.9.4 +Build-Depends: debhelper (>= 9), libncurses5-dev, libssl-dev, autotools-dev +Standards-Version: 3.9.6 Homepage: http://en.wikipedia.org/wiki/Tnftp Package: tnftp diff -Nru tnftp-20130505/debian/patches/CVE-2014-8517.patch tnftp-20130505/debian/patches/CVE-2014-8517.patch --- tnftp-20130505/debian/patches/CVE-2014-8517.patch 1970-01-01 01:00:00.000000000 +0100 +++ tnftp-20130505/debian/patches/CVE-2014-8517.patch 2014-11-06 10:24:25.000000000 +0000 
@@ -0,0 +1,92 @@ +Date: Sun, 26 Oct 2014 12:21:59 -0400 +From: Christos Zoulas <christos@...bsd.org> +To: source-changes-full@...bsd.org +Subject: CVS commit: src/usr.bin/ftp +X-Mailer: log_accum + +Module Name: src +Committed By: christos +Date: Sun Oct 26 16:21:59 UTC 2014 + +Modified Files: + src/usr.bin/ftp: fetch.c + +Log Message: + don't pay attention to special characters if they don't come from the command + line (from jmcneill) + +http://security-tracker.debian.org/tracker/CVE-2014-8517 +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767171 +http://www.openwall.com/lists/oss-security/2014/10/28/4 + +Index: tnftp-20130505/src/fetch.c +=================================================================== +--- tnftp-20130505.orig/src/fetch.c ++++ tnftp-20130505/src/fetch.c +@@ -571,7 +571,7 @@ fetch_url(const char *url, const char *p + url_decode(decodedpath); + + if (outfile) +- savefile = ftp_strdup(outfile); ++ savefile = outfile; + else { + cp = strrchr(decodedpath, '/'); /* find savefile */ + if (cp != NULL) +@@ -595,8 +595,7 @@ fetch_url(const char *url, const char *p + rangestart = rangeend = entitylen = -1; + mtime = -1; + if (restartautofetch) { +- if (strcmp(savefile, "-") != 0 && *savefile != '|' && +- stat(savefile, &sb) == 0) ++ if (stat(savefile, &sb) == 0) + restart_point = sb.st_size; + } + if (urltype == FILE_URL_T) { /* file:// URLs */ +@@ -1140,18 +1139,26 @@ fetch_url(const char *url, const char *p + } + } /* end of ftp:// or http:// specific setup */ + +- /* Open the output file. */ +- if (strcmp(savefile, "-") == 0) { +- fout = stdout; +- } else if (*savefile == '|') { +- oldintp = xsignal(SIGPIPE, SIG_IGN); +- fout = popen(savefile + 1, "w"); +- if (fout == NULL) { +- warn("Can't execute `%s'", savefile + 1); +- goto cleanup_fetch_url; ++ /* Open the output file. 
*/ ++ ++ /* ++ * Only trust filenames with special meaning if they came from ++ * the command line ++ */ ++ if (outfile == savefile) { ++ if (strcmp(savefile, "-") == 0) { ++ fout = stdout; ++ } else if (*savefile == '|') { ++ oldintp = xsignal(SIGPIPE, SIG_IGN); ++ fout = popen(savefile + 1, "w"); ++ if (fout == NULL) { ++ warn("Can't execute `%s'", savefile + 1); ++ goto cleanup_fetch_url; ++ } ++ closefunc = pclose; + } +- closefunc = pclose; +- } else { ++ } ++ if (fout == NULL) { + if ((rangeend != -1 && rangeend <= restart_point) || + (rangestart == -1 && filesize != -1 && filesize <= restart_point)) { + /* already done */ +@@ -1362,7 +1369,8 @@ fetch_url(const char *url, const char *p + (*closefunc)(fout); + if (res0) + freeaddrinfo(res0); +- FREEPTR(savefile); ++ if (savefile != outfile) ++ FREEPTR(savefile); + FREEPTR(uuser); + if (pass != NULL) + memset(pass, 0, strlen(pass)); diff -Nru tnftp-20130505/debian/patches/series tnftp-20130505/debian/patches/series --- tnftp-20130505/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ tnftp-20130505/debian/patches/series 2014-11-06 09:28:13.000000000 +0000 @@ -0,0 +1 @@ +CVE-2014-8517.patch diff -Nru tnftp-20130505/debian/rules tnftp-20130505/debian/rules --- tnftp-20130505/debian/rules 2013-05-26 00:56:53.000000000 +0100 +++ tnftp-20130505/debian/rules 2014-11-06 10:41:48.000000000 +0000 @@ -5,15 +5,13 @@ # Uncomment this to turn on verbose mode. export DH_VERBOSE=1 -# Make use of security features through hardening-wrapper -export DEB_BUILD_HARDENING=1 - build-arch: build build-indep: build build: build-stamp build-stamp: dh_testdir - ./configure --prefix=/usr --mandir=\$${prefix}/share/man + dh_autotools-dev_updateconfig + ./configure --prefix=/usr --mandir=\$${prefix}/share/man $(shell dpkg-buildflags --export=configure) $(MAKE) touch build-stamp @@ -22,6 +20,7 @@ dh_testroot rm -f build-stamp [ ! -f Makefile ] || $(MAKE) distclean + dh_autotools-dev_restoreconfig dh_clean install: build 
@@ -63,7 +62,7 @@ dh_gencontrol dh_lintian dh_md5sums - dh_builddeb -- -Zbzip2 -z9 + dh_builddeb binary: binary-indep binary-arch .PHONY: build clean binary-indep binary-arch binary install diff -Nru tnftp-20130505/debian/source/options tnftp-20130505/debian/source/options --- tnftp-20130505/debian/source/options 2009-11-23 10:37:44.000000000 +0000 +++ tnftp-20130505/debian/source/options 1970-01-01 01:00:00.000000000 +0100 @@ -1,2 +0,0 @@ -compression = "bzip2" -compression-level = 9
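Review bot: the debian/changelog entry says "Run dh-autoreconf to update for new architectures", but nothing else in the debdiff uses dh-autoreconf: debian/control adds autotools-dev to Build-Depends and debian/rules calls dh_autotools-dev_updateconfig and dh_autotools-dev_restoreconfig. Reword the entry to describe what was actually done (updating config.sub/config.guess via autotools-dev). Also, "Closes: 759467." drops the "#" that the preceding "Closes: #767171." uses; dpkg's parser accepts both, but the two lines should be written the same way.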
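Review bot: in the restartautofetch hunk of CVE-2014-8517.patch the guard `strcmp(savefile, "-") != 0 && *savefile != '|'` is removed outright instead of being tied to the new `outfile == savefile` condition, so when the user passes `-o -` or `-o '|cmd'` with auto-restart enabled, `stat(savefile, &sb)` is now called on the literal name "-" or "|cmd"; if a file of that name exists in the working directory, restart_point is taken from its size and the fetch to stdout or the pipe is attempted as a resume from that offset. Keep the special-name check for the command-line case, e.g. `if ((outfile != savefile || (strcmp(savefile, "-") != 0 && *savefile != '|')) && stat(savefile, &sb) == 0)`. The remaining hunks are consistent with each other: savefile aliases outfile only when -o was given, the stdout and popen paths are reachable only through that alias, and the cleanup hunk avoids freeing the non-strdup'd pointer. The patch file carries the raw upstream commit mail as its header; a DEP-3 header (Origin: upstream, Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767171) alongside the existing links would make the provenance machine-readable.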
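Review bot: in debian/rules, replacing `export DEB_BUILD_HARDENING=1` with `$(shell dpkg-buildflags --export=configure)` on the configure line changes which hardening flags the binary is built with: hardening-wrapper with that variable set enabled every feature it supported, whereas dpkg-buildflags leaves PIE and bindnow off by default unless `export DEB_BUILD_MAINT_OPTIONS=hardening=+all` is present. Either add that export next to DH_VERBOSE or verify with hardening-check on the built ftp binary that a network-facing client has not lost protections. The dh_autotools-dev_updateconfig call before configure and the dh_autotools-dev_restoreconfig call after distclean in the clean target are in the right places.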
--- End Message ---
--- Begin Message ---
- To: Aníbal Monsalve Salazar <anibal@debian.org>
- Cc: 769206-done@bugs.debian.org
- Subject: Re: Bug#769206: unblock tnftp/20130505-2
- From: Julien Cristau <jcristau@debian.org>
- Date: Fri, 14 Nov 2014 11:50:58 +0100
- Message-id: <20141114105058.GA6479@betterave.cristau.org>
- In-reply-to: <20141114033756.GA25393@master.debian.org>
- References: <20141112063424.GA7236@master.debian.org> <20141112190314.GB21455@lupin.home.powdarrmonkey.net> <20141112204831.GA8507@master.debian.org> <20141114033756.GA25393@master.debian.org>
On Fri, Nov 14, 2014 at 03:37:56 +0000, Aníbal Monsalve Salazar wrote:
> reopen 769206
> stop
>
Err, no, don't get to do that without explanation. Closing again...

Cheers,
Julien

Attachment: signature.asc
Description: Digital signature
--- End Message ---