Control: retitle -1 unblock tnftp/20130505-3 Control: reopen -1 On Sat, 2014-11-15 11:00:16 +0000, Jonathan Wiltshire wrote: > > Changing compat level just to add hardening is not a good solution. > Other subtle changes are made in the packaging when that happens. > Please find a way to apply the hardening flags without changing compat > level. Done. Below is the debdiff between 20130505-1 in testing and 20130505-3 in unstable. Thank you! debdiff tnftp_20130505-1.dsc tnftp_20130505-3.dsc diff -Nru tnftp-20130505/debian/changelog tnftp-20130505/debian/changelog --- tnftp-20130505/debian/changelog 2013-05-26 01:01:45.000000000 +0100 +++ tnftp-20130505/debian/changelog 2014-11-17 06:51:20.000000000 +0000 @@ -1,3 +1,26 @@ +tnftp (20130505-3) unstable; urgency=medium + + * Revert DH compatibility level to 7. + * Set hardening options. + + -- Anibal Monsalve Salazar <anibal@debian.org> Mon, 17 Nov 2014 06:51:16 +0000 + +tnftp (20130505-2) unstable; urgency=medium + + * Only trust filenames with special meaning if they came from + the command line. CVE-2014-8517. + Add upstream patch CVE-2014-8517.patch. + Closes: #767171. + * Run dh-autoreconf to update for new architectures. + Patch by Brahadambal Srinivasan <latha@linux.vnet.ibm.com>. + Closes: 759467. + * Standards Version is 3.9.6. + * Fix uses-deprecated-compression-for-data-tarball. + * Fix build-depends-on-obsolete-package. + build-depends: hardening-wrapper => use dpkg-buildflags instead. + + -- Anibal Monsalve Salazar <anibal@debian.org> Thu, 06 Nov 2014 10:42:01 +0000 + tnftp (20130505-1) unstable; urgency=low * New upstream version 20130505 diff -Nru tnftp-20130505/debian/control tnftp-20130505/debian/control --- tnftp-20130505/debian/control 2013-05-26 00:04:41.000000000 +0100 +++ tnftp-20130505/debian/control 2014-11-17 06:31:39.000000000 +0000 
@@ -2,8 +2,8 @@
 Section: net
 Priority: optional
 Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
-Build-Depends: debhelper (>= 7), hardening-wrapper, libncurses5-dev, libssl-dev
-Standards-Version: 3.9.4
+Build-Depends: debhelper (>= 7), libncurses5-dev, libssl-dev, autotools-dev
+Standards-Version: 3.9.6
 Homepage: http://en.wikipedia.org/wiki/Tnftp
 
 Package: tnftp
diff -Nru tnftp-20130505/debian/patches/CVE-2014-8517.patch tnftp-20130505/debian/patches/CVE-2014-8517.patch
--- tnftp-20130505/debian/patches/CVE-2014-8517.patch 1970-01-01 01:00:00.000000000 +0100
+++ tnftp-20130505/debian/patches/CVE-2014-8517.patch 2014-11-06 10:24:25.000000000 +0000
@@ -0,0 +1,92 @@ +Date: Sun, 26 Oct 2014 12:21:59 -0400 +From: Christos Zoulas <christos@...bsd.org> +To: source-changes-full@...bsd.org +Subject: CVS commit: src/usr.bin/ftp +X-Mailer: log_accum + +Module Name: src +Committed By: christos +Date: Sun Oct 26 16:21:59 UTC 2014 + +Modified Files: + src/usr.bin/ftp: fetch.c + +Log Message: + don't pay attention to special characters if they don't come from the command + line (from jmcneill) + +http://security-tracker.debian.org/tracker/CVE-2014-8517 +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767171 +http://www.openwall.com/lists/oss-security/2014/10/28/4 + +Index: tnftp-20130505/src/fetch.c +=================================================================== +--- tnftp-20130505.orig/src/fetch.c ++++ tnftp-20130505/src/fetch.c +@@ -571,7 +571,7 @@ fetch_url(const char *url, const char *p + url_decode(decodedpath); + + if (outfile) +- savefile = ftp_strdup(outfile); ++ savefile = outfile; + else { + cp = strrchr(decodedpath, '/'); /* find savefile */ + if (cp != NULL) +@@ -595,8 +595,7 @@ fetch_url(const char *url, const char *p + rangestart = rangeend = entitylen = -1; + mtime = -1; + if (restartautofetch) { +- if (strcmp(savefile, "-") != 0 && *savefile != '|' && +- stat(savefile, &sb) == 0) ++ if (stat(savefile, &sb) == 0) + restart_point = sb.st_size; + } + if (urltype == FILE_URL_T) { /* file:// URLs */ +@@ -1140,18 +1139,26 @@ fetch_url(const char *url, const char *p + } + } /* end of ftp:// or http:// specific setup */ + +- /* Open the output file. */ +- if (strcmp(savefile, "-") == 0) { +- fout = stdout; +- } else if (*savefile == '|') { +- oldintp = xsignal(SIGPIPE, SIG_IGN); +- fout = popen(savefile + 1, "w"); +- if (fout == NULL) { +- warn("Can't execute `%s'", savefile + 1); +- goto cleanup_fetch_url; ++ /* Open the output file. 
*/ ++ ++ /* ++ * Only trust filenames with special meaning if they came from ++ * the command line ++ */ ++ if (outfile == savefile) { ++ if (strcmp(savefile, "-") == 0) { ++ fout = stdout; ++ } else if (*savefile == '|') { ++ oldintp = xsignal(SIGPIPE, SIG_IGN); ++ fout = popen(savefile + 1, "w"); ++ if (fout == NULL) { ++ warn("Can't execute `%s'", savefile + 1); ++ goto cleanup_fetch_url; ++ } ++ closefunc = pclose; + } +- closefunc = pclose; +- } else { ++ } ++ if (fout == NULL) { + if ((rangeend != -1 && rangeend <= restart_point) || + (rangestart == -1 && filesize != -1 && filesize <= restart_point)) { + /* already done */ +@@ -1362,7 +1369,8 @@ fetch_url(const char *url, const char *p + (*closefunc)(fout); + if (res0) + freeaddrinfo(res0); +- FREEPTR(savefile); ++ if (savefile != outfile) ++ FREEPTR(savefile); + FREEPTR(uuser); + if (pass != NULL) + memset(pass, 0, strlen(pass)); diff -Nru tnftp-20130505/debian/patches/series tnftp-20130505/debian/patches/series --- tnftp-20130505/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ tnftp-20130505/debian/patches/series 2014-11-06 09:28:13.000000000 +0000 @@ -0,0 +1 @@ +CVE-2014-8517.patch diff -Nru tnftp-20130505/debian/rules tnftp-20130505/debian/rules --- tnftp-20130505/debian/rules 2013-05-26 00:56:53.000000000 +0100 +++ tnftp-20130505/debian/rules 2014-11-17 06:49:10.000000000 +0000 @@ -5,15 +5,16 @@ # Uncomment this to turn on verbose mode. export DH_VERBOSE=1 -# Make use of security features through hardening-wrapper -export DEB_BUILD_HARDENING=1 +export CFLAGS+="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security" +export LDFLAGS+="-Wl,-z,relro" build-arch: build build-indep: build build: build-stamp build-stamp: dh_testdir - ./configure --prefix=/usr --mandir=\$${prefix}/share/man + dh_autotools-dev_updateconfig + ./configure --prefix=/usr --mandir=\$${prefix}/share/man CFLAGS=$(CFLAGS) LDFLAGS=$(LDFLAGS) $(MAKE) touch build-stamp 
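Review bot: The `restartautofetch` hunk drops the `"-"` and `'|'` exclusions outright, so with `-o -` or `-o '|cmd'` given on the command line and auto-restart enabled, `stat()` is now run on that literal string; if a file by that name happens to exist in the working directory its size becomes `restart_point` and a partial transfer is resumed into stdout or the pipe. The exclusion should survive, gated the same way the open code now is: `if ((savefile != outfile || (strcmp(savefile, "-") != 0 && *savefile != '|')) &&` / `    stat(savefile, &sb) == 0)` / `    restart_point = sb.st_size;`. The `if (fout == NULL)` fall-through in the third hunk presumes `fout` was initialised to NULL earlier in `fetch_url`, which starts outside this hunk; worth confirming, since the whole fix relies on that path being taken for URL-derived names. A one-line comment on the new cleanup guard, `/* savefile aliases outfile (argv) when it was not strdup'd */`, would explain to the next reader why it is not freed.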
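Review bot: The new `export CFLAGS+=...` and `export LDFLAGS+=...` lines hand-pick flags rather than taking them from dpkg-buildflags as the 20130505-2 changelog entry states, and they leave out the CPPFLAGS part of the default hardening set (`-D_FORTIFY_SOURCE=2`), which the `./configure` line also never passes. Replacing the two exports with `DPKG_EXPORT_BUILDFLAGS = 1` and `include /usr/share/dpkg/buildflags.mk`, and passing `CPPFLAGS="$(CPPFLAGS)"` alongside CFLAGS and LDFLAGS on the configure line, would track the distribution defaults instead of a frozen list. As written, make keeps the double quotes as part of each variable's value; they only disappear because the shell strips them when `CFLAGS=$(CFLAGS)` is expanded on the configure line, so anything reading the exported environment variable directly sees the literal quotes. The `+=` also appends to whatever CFLAGS the build environment already exported, which makes the resulting flag set depend on the caller rather than on the packaging.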
@@ -22,6 +23,7 @@
 dh_testroot
 rm -f build-stamp
 [ ! -f Makefile ] || $(MAKE) distclean
+ dh_autotools-dev_restoreconfig
 dh_clean
 
 install: build
@@ -63,7 +65,7 @@
 dh_gencontrol
 dh_lintian
 dh_md5sums
- dh_builddeb -- -Zbzip2 -z9
+ dh_builddeb
 
 binary: binary-indep binary-arch
 .PHONY: build clean binary-indep binary-arch binary install
diff -Nru tnftp-20130505/debian/source/options tnftp-20130505/debian/source/options
--- tnftp-20130505/debian/source/options 2009-11-23 10:37:44.000000000 +0000
+++ tnftp-20130505/debian/source/options 1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-compression = "bzip2"
-compression-level = 9