
Bug#769206: unblock tnftp/20130505-3



Control: retitle -1 unblock tnftp/20130505-3
Control: reopen -1

On Sat, 2014-11-15 11:00:16 +0000, Jonathan Wiltshire wrote:
> 
> Changing compat level just to add hardening is not a good solution.
> Other subtle changes are made in the packaging when that happens.
> Please find a way to apply the hardening flags without changing compat
> level.

Done.

Below is the debdiff between 20130505-1 in testing and 20130505-3 in
unstable.

Thank you!

debdiff tnftp_20130505-1.dsc tnftp_20130505-3.dsc
diff -Nru tnftp-20130505/debian/changelog tnftp-20130505/debian/changelog
--- tnftp-20130505/debian/changelog	2013-05-26 01:01:45.000000000 +0100
+++ tnftp-20130505/debian/changelog	2014-11-17 06:51:20.000000000 +0000
@@ -1,3 +1,26 @@
+tnftp (20130505-3) unstable; urgency=medium
+
+  * Revert DH compatibility level to 7.
+  * Set hardening options.
+
+ -- Anibal Monsalve Salazar <anibal@debian.org>  Mon, 17 Nov 2014 06:51:16 +0000
+
+tnftp (20130505-2) unstable; urgency=medium
+
+  * Only trust filenames with special meaning if they came from
+    the command line. CVE-2014-8517.
+    Add upstream patch CVE-2014-8517.patch.
+    Closes: #767171.
+  * Run dh-autoreconf to update for new architectures.
+    Patch by Brahadambal Srinivasan <latha@linux.vnet.ibm.com>.
+    Closes: 759467.
+  * Standards Version is 3.9.6.
+  * Fix uses-deprecated-compression-for-data-tarball.
+  * Fix build-depends-on-obsolete-package.
+    build-depends: hardening-wrapper => use dpkg-buildflags instead.
+
+ -- Anibal Monsalve Salazar <anibal@debian.org>  Thu, 06 Nov 2014 10:42:01 +0000
+
 tnftp (20130505-1) unstable; urgency=low
 
   * New upstream version 20130505
diff -Nru tnftp-20130505/debian/control tnftp-20130505/debian/control
--- tnftp-20130505/debian/control	2013-05-26 00:04:41.000000000 +0100
+++ tnftp-20130505/debian/control	2014-11-17 06:31:39.000000000 +0000
@@ -2,8 +2,8 @@
 Section: net
 Priority: optional
 Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
-Build-Depends: debhelper (>= 7), hardening-wrapper, libncurses5-dev, libssl-dev
-Standards-Version: 3.9.4
+Build-Depends: debhelper (>= 7), libncurses5-dev, libssl-dev, autotools-dev
+Standards-Version: 3.9.6
 Homepage: http://en.wikipedia.org/wiki/Tnftp
 
 Package: tnftp
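Review bot: The new Build-Depends line adds autotools-dev, while the 20130505-2 changelog entry in this debdiff describes the change as `Run dh-autoreconf to update for new architectures`; dh_autotools-dev_updateconfig only refreshes config.sub/config.guess, so either the changelog wording should say autotools-dev or the build-dependency should be dh-autoreconf with debian/rules calling it. If the hardening flags are taken from dpkg-buildflags instead of being hard-coded, a suitably versioned dpkg-dev build-dependency belongs on this line too. Keeping the list alphabetised (`Build-Depends: autotools-dev, debhelper (>= 7), libncurses5-dev, libssl-dev`) would match the order of the existing entries.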
diff -Nru tnftp-20130505/debian/patches/CVE-2014-8517.patch tnftp-20130505/debian/patches/CVE-2014-8517.patch
--- tnftp-20130505/debian/patches/CVE-2014-8517.patch	1970-01-01 01:00:00.000000000 +0100
+++ tnftp-20130505/debian/patches/CVE-2014-8517.patch	2014-11-06 10:24:25.000000000 +0000
@@ -0,0 +1,92 @@
+Date: Sun, 26 Oct 2014 12:21:59 -0400
+From: Christos Zoulas <christos@...bsd.org>
+To: source-changes-full@...bsd.org
+Subject: CVS commit: src/usr.bin/ftp
+X-Mailer: log_accum
+
+Module Name:    src
+Committed By:   christos
+Date:           Sun Oct 26 16:21:59 UTC 2014
+
+Modified Files:
+    src/usr.bin/ftp: fetch.c
+
+Log Message:
+    don't pay attention to special characters if they don't come from the command
+    line (from jmcneill)
+
+http://security-tracker.debian.org/tracker/CVE-2014-8517
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767171
+http://www.openwall.com/lists/oss-security/2014/10/28/4
+
+Index: tnftp-20130505/src/fetch.c
+===================================================================
+--- tnftp-20130505.orig/src/fetch.c
++++ tnftp-20130505/src/fetch.c
+@@ -571,7 +571,7 @@ fetch_url(const char *url, const char *p
+ 	url_decode(decodedpath);
+ 
+ 	if (outfile)
+-		savefile = ftp_strdup(outfile);
++		savefile = outfile;
+ 	else {
+ 		cp = strrchr(decodedpath, '/');		/* find savefile */
+ 		if (cp != NULL)
+@@ -595,8 +595,7 @@ fetch_url(const char *url, const char *p
+ 	rangestart = rangeend = entitylen = -1;
+ 	mtime = -1;
+ 	if (restartautofetch) {
+-		if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
+-		    stat(savefile, &sb) == 0)
++		if (stat(savefile, &sb) == 0)
+ 			restart_point = sb.st_size;
+ 	}
+ 	if (urltype == FILE_URL_T) {		/* file:// URLs */
+@@ -1140,18 +1139,26 @@ fetch_url(const char *url, const char *p
+ 		}
+ 	}		/* end of ftp:// or http:// specific setup */
+ 
+-			/* Open the output file. */
+-	if (strcmp(savefile, "-") == 0) {
+-		fout = stdout;
+-	} else if (*savefile == '|') {
+-		oldintp = xsignal(SIGPIPE, SIG_IGN);
+-		fout = popen(savefile + 1, "w");
+-		if (fout == NULL) {
+-			warn("Can't execute `%s'", savefile + 1);
+-			goto cleanup_fetch_url;
++	/* Open the output file. */
++
++	/*
++	 * Only trust filenames with special meaning if they came from
++	 * the command line
++	 */
++	if (outfile == savefile) {
++		if (strcmp(savefile, "-") == 0) {
++			fout = stdout;
++		} else if (*savefile == '|') {
++			oldintp = xsignal(SIGPIPE, SIG_IGN);
++			fout = popen(savefile + 1, "w");
++			if (fout == NULL) {
++				warn("Can't execute `%s'", savefile + 1);
++				goto cleanup_fetch_url;
++			}
++			closefunc = pclose;
+ 		}
+-		closefunc = pclose;
+-	} else {
++	}
++	if (fout == NULL) {
+ 		if ((rangeend != -1 && rangeend <= restart_point) ||
+ 		    (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
+ 			/* already done */
+@@ -1362,7 +1369,8 @@ fetch_url(const char *url, const char *p
+ 		(*closefunc)(fout);
+ 	if (res0)
+ 		freeaddrinfo(res0);
+-	FREEPTR(savefile);
++	if (savefile != outfile)
++		FREEPTR(savefile);
+ 	FREEPTR(uuser);
+ 	if (pass != NULL)
+ 		memset(pass, 0, strlen(pass));
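Review bot: In the second inner hunk the special-name guard is dropped from the `restartautofetch` block, so `stat(savefile, &sb)` now also runs when savefile is the trusted `-` or `|cmd` taken from the command line; if a file literally named `-` (or `|cmd`) exists in the working directory, restart_point is taken from its size and the copy to stdout or the pipe is resumed mid-stream. The guard should only be relaxed for names that did not come from the command line, e.g. `if ((outfile != savefile || (strcmp(savefile, "-") != 0 && *savefile != '|')) && stat(savefile, &sb) == 0)`. The `if (fout == NULL)` fallthrough in the third inner hunk relies on fout still being NULL when the trusted-name block does not open anything; its initialisation is outside the hunk and should be confirmed. The cleanup path's `if (savefile != outfile) FREEPTR(savefile);` is consistent with the first inner hunk, which now stores outfile itself rather than a copy. fetch_url begins and ends outside the hunk.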
diff -Nru tnftp-20130505/debian/patches/series tnftp-20130505/debian/patches/series
--- tnftp-20130505/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ tnftp-20130505/debian/patches/series	2014-11-06 09:28:13.000000000 +0000
@@ -0,0 +1 @@
+CVE-2014-8517.patch
diff -Nru tnftp-20130505/debian/rules tnftp-20130505/debian/rules
--- tnftp-20130505/debian/rules	2013-05-26 00:56:53.000000000 +0100
+++ tnftp-20130505/debian/rules	2014-11-17 06:49:10.000000000 +0000
@@ -5,15 +5,16 @@
 # Uncomment this to turn on verbose mode.
 export DH_VERBOSE=1
 
-# Make use of security features through hardening-wrapper
-export DEB_BUILD_HARDENING=1
+export CFLAGS+="-g -O2 -fstack-protector-strong -Wformat -Werror=format-security"
+export LDFLAGS+="-Wl,-z,relro"
 
 build-arch: build
 build-indep: build
 build: build-stamp
 build-stamp:
 	dh_testdir
-	./configure --prefix=/usr --mandir=\$${prefix}/share/man
+	dh_autotools-dev_updateconfig
+	./configure --prefix=/usr --mandir=\$${prefix}/share/man CFLAGS=$(CFLAGS) LDFLAGS=$(LDFLAGS)
 	$(MAKE)
 	touch build-stamp
 
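Review bot: The two new `export CFLAGS+=` / `export LDFLAGS+=` lines hard-code the hardening flags, even though the 20130505-2 changelog entry says hardening-wrapper was replaced by dpkg-buildflags; the hard-coded set also omits `-D_FORTIFY_SOURCE=2`, which dpkg-buildflags puts in CPPFLAGS by default, and bindnow/PIE, which it adds with `hardening=+all`. Make keeps the double quotes as part of the variable value, so the flags only reach configure because `CFLAGS=$(CFLAGS)` on the new configure line is unquoted and the shell strips them again; if the environment ever supplies an unquoted CFLAGS the value is word-split into separate configure arguments. Take the flags from dpkg-buildflags and quote them on the configure line, as below. The other two hunks in this file (dh_autotools-dev_restoreconfig, dh_builddeb) raise nothing.

```makefile
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
CFLAGS   := $(shell dpkg-buildflags --get CFLAGS)
CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
LDFLAGS  := $(shell dpkg-buildflags --get LDFLAGS)
# … unchanged: build-arch/build-indep/build targets, dh_testdir, dh_autotools-dev_updateconfig …
	./configure --prefix=/usr --mandir=\$${prefix}/share/man CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)"
```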
@@ -22,6 +23,7 @@
 	dh_testroot
 	rm -f build-stamp
 	[ ! -f Makefile ] || $(MAKE) distclean
+	dh_autotools-dev_restoreconfig
 	dh_clean
 
 install: build
@@ -63,7 +65,7 @@
 	dh_gencontrol
 	dh_lintian
 	dh_md5sums
-	dh_builddeb -- -Zbzip2 -z9
+	dh_builddeb
 
 binary: binary-indep binary-arch
 .PHONY: build clean binary-indep binary-arch binary install
diff -Nru tnftp-20130505/debian/source/options tnftp-20130505/debian/source/options
--- tnftp-20130505/debian/source/options	2009-11-23 10:37:44.000000000 +0000
+++ tnftp-20130505/debian/source/options	1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-compression = "bzip2"
-compression-level = 9
