Bug#769206: marked as done (unblock tnftp/20130505-3)

To: Niels Thykier <niels@thykier.net>
Subject: Bug#769206: marked as done (unblock tnftp/20130505-3)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 18 Nov 2014 07:00:05 +0000
Message-id: <[🔎] handler.769206.D769206.141629386912334.ackdone@bugs.debian.org>
References: <546AEDD7.6040808@thykier.net> <[🔎] 20141112063424.GA7236@master.debian.org>

Your message dated Tue, 18 Nov 2014 07:57:27 +0100
with message-id <546AEDD7.6040808@thykier.net>
and subject line Re: Bug#769206: unblock tnftp/20130505-3
has caused the Debian Bug report #769206,
regarding unblock tnftp/20130505-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
769206: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769206
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: unblock tnftp/20130505-2
From: Aníbal Monsalve Salazar <anibal@debian.org>
Date: Wed, 12 Nov 2014 06:34:24 +0000
Message-id: <[🔎] 20141112063424.GA7236@master.debian.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock tnftp/20130505-2

debdiff tnftp_20130505-1.dsc tnftp_20130505-2.dsc
diff -Nru tnftp-20130505/debian/changelog tnftp-20130505/debian/changelog
--- tnftp-20130505/debian/changelog	2013-05-26 01:01:45.000000000 +0100
+++ tnftp-20130505/debian/changelog	2014-11-06 10:42:07.000000000 +0000
@@ -1,3 +1,19 @@
+tnftp (20130505-2) unstable; urgency=medium
+
+  * Only trust filenames with special meaning if they came from
+    the command line. CVE-2014-8517.
+    Add upstream patch CVE-2014-8517.patch.
+    Closes: #767171.
+  * Run dh-autoreconf to update for new architectures.
+    Patch by Brahadambal Srinivasan <latha@linux.vnet.ibm.com>.
+    Closes: 759467.
+  * Standards Version is 3.9.6.
+  * Fix uses-deprecated-compression-for-data-tarball.
+  * Fix build-depends-on-obsolete-package.
+    build-depends: hardening-wrapper => use dpkg-buildflags instead.
+
+ -- Anibal Monsalve Salazar <anibal@debian.org>  Thu, 06 Nov 2014 10:42:01 +0000
+
 tnftp (20130505-1) unstable; urgency=low
 
   * New upstream version 20130505
diff -Nru tnftp-20130505/debian/compat tnftp-20130505/debian/compat
--- tnftp-20130505/debian/compat	2009-04-06 01:20:42.000000000 +0100
+++ tnftp-20130505/debian/compat	2014-11-06 09:57:48.000000000 +0000
@@ -1 +1 @@
-7
+9
diff -Nru tnftp-20130505/debian/control tnftp-20130505/debian/control
--- tnftp-20130505/debian/control	2013-05-26 00:04:41.000000000 +0100
+++ tnftp-20130505/debian/control	2014-11-06 10:02:59.000000000 +0000
@@ -2,8 +2,8 @@
 Section: net
 Priority: optional
 Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
-Build-Depends: debhelper (>= 7), hardening-wrapper, libncurses5-dev, libssl-dev
-Standards-Version: 3.9.4
+Build-Depends: debhelper (>= 9), libncurses5-dev, libssl-dev, autotools-dev
+Standards-Version: 3.9.6
 Homepage: http://en.wikipedia.org/wiki/Tnftp
 
 Package: tnftp
diff -Nru tnftp-20130505/debian/patches/CVE-2014-8517.patch tnftp-20130505/debian/patches/CVE-2014-8517.patch
--- tnftp-20130505/debian/patches/CVE-2014-8517.patch	1970-01-01 01:00:00.000000000 +0100
+++ tnftp-20130505/debian/patches/CVE-2014-8517.patch	2014-11-06 10:24:25.000000000 +0000
@@ -0,0 +1,92 @@
+Date: Sun, 26 Oct 2014 12:21:59 -0400
+From: Christos Zoulas <christos@...bsd.org>
+To: source-changes-full@...bsd.org
+Subject: CVS commit: src/usr.bin/ftp
+X-Mailer: log_accum
+
+Module Name:    src
+Committed By:   christos
+Date:           Sun Oct 26 16:21:59 UTC 2014
+
+Modified Files:
+    src/usr.bin/ftp: fetch.c
+
+Log Message:
+    don't pay attention to special characters if they don't come from the command
+    line (from jmcneill)
+
+http://security-tracker.debian.org/tracker/CVE-2014-8517
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767171
+http://www.openwall.com/lists/oss-security/2014/10/28/4
+
+Index: tnftp-20130505/src/fetch.c
+===================================================================
+--- tnftp-20130505.orig/src/fetch.c
++++ tnftp-20130505/src/fetch.c
+@@ -571,7 +571,7 @@ fetch_url(const char *url, const char *p
+ 	url_decode(decodedpath);
+ 
+ 	if (outfile)
+-		savefile = ftp_strdup(outfile);
++		savefile = outfile;
+ 	else {
+ 		cp = strrchr(decodedpath, '/');		/* find savefile */
+ 		if (cp != NULL)
+@@ -595,8 +595,7 @@ fetch_url(const char *url, const char *p
+ 	rangestart = rangeend = entitylen = -1;
+ 	mtime = -1;
+ 	if (restartautofetch) {
+-		if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
+-		    stat(savefile, &sb) == 0)
++		if (stat(savefile, &sb) == 0)
+ 			restart_point = sb.st_size;
+ 	}
+ 	if (urltype == FILE_URL_T) {		/* file:// URLs */
+@@ -1140,18 +1139,26 @@ fetch_url(const char *url, const char *p
+ 		}
+ 	}		/* end of ftp:// or http:// specific setup */
+ 
+-			/* Open the output file. */
+-	if (strcmp(savefile, "-") == 0) {
+-		fout = stdout;
+-	} else if (*savefile == '|') {
+-		oldintp = xsignal(SIGPIPE, SIG_IGN);
+-		fout = popen(savefile + 1, "w");
+-		if (fout == NULL) {
+-			warn("Can't execute `%s'", savefile + 1);
+-			goto cleanup_fetch_url;
++	/* Open the output file. */
++
++	/*
++	 * Only trust filenames with special meaning if they came from
++	 * the command line
++	 */
++	if (outfile == savefile) {
++		if (strcmp(savefile, "-") == 0) {
++			fout = stdout;
++		} else if (*savefile == '|') {
++			oldintp = xsignal(SIGPIPE, SIG_IGN);
++			fout = popen(savefile + 1, "w");
++			if (fout == NULL) {
++				warn("Can't execute `%s'", savefile + 1);
++				goto cleanup_fetch_url;
++			}
++			closefunc = pclose;
+ 		}
+-		closefunc = pclose;
+-	} else {
++	}
++	if (fout == NULL) {
+ 		if ((rangeend != -1 && rangeend <= restart_point) ||
+ 		    (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
+ 			/* already done */
+@@ -1362,7 +1369,8 @@ fetch_url(const char *url, const char *p
+ 		(*closefunc)(fout);
+ 	if (res0)
+ 		freeaddrinfo(res0);
+-	FREEPTR(savefile);
++	if (savefile != outfile)
++		FREEPTR(savefile);
+ 	FREEPTR(uuser);
+ 	if (pass != NULL)
+ 		memset(pass, 0, strlen(pass));
diff -Nru tnftp-20130505/debian/patches/series tnftp-20130505/debian/patches/series
--- tnftp-20130505/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ tnftp-20130505/debian/patches/series	2014-11-06 09:28:13.000000000 +0000
@@ -0,0 +1 @@
+CVE-2014-8517.patch
diff -Nru tnftp-20130505/debian/rules tnftp-20130505/debian/rules
--- tnftp-20130505/debian/rules	2013-05-26 00:56:53.000000000 +0100
+++ tnftp-20130505/debian/rules	2014-11-06 10:41:48.000000000 +0000
@@ -5,15 +5,13 @@
 # Uncomment this to turn on verbose mode.
 export DH_VERBOSE=1
 
-# Make use of security features through hardening-wrapper
-export DEB_BUILD_HARDENING=1
-
 build-arch: build
 build-indep: build
 build: build-stamp
 build-stamp:
 	dh_testdir
-	./configure --prefix=/usr --mandir=\$${prefix}/share/man
+	dh_autotools-dev_updateconfig
+	./configure --prefix=/usr --mandir=\$${prefix}/share/man $(shell dpkg-buildflags --export=configure)
 	$(MAKE)
 	touch build-stamp
 
@@ -22,6 +20,7 @@
 	dh_testroot
 	rm -f build-stamp
 	[ ! -f Makefile ] || $(MAKE) distclean
+	dh_autotools-dev_restoreconfig
 	dh_clean
 
 install: build
@@ -63,7 +62,7 @@
 	dh_gencontrol
 	dh_lintian
 	dh_md5sums
-	dh_builddeb -- -Zbzip2 -z9
+	dh_builddeb
 
 binary: binary-indep binary-arch
 .PHONY: build clean binary-indep binary-arch binary install
diff -Nru tnftp-20130505/debian/source/options tnftp-20130505/debian/source/options
--- tnftp-20130505/debian/source/options	2009-11-23 10:37:44.000000000 +0000
+++ tnftp-20130505/debian/source/options	1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-compression = "bzip2"
-compression-level = 9

--- End Message ---

--- Begin Message ---

To: Aníbal Monsalve Salazar <anibal@debian.org>, 769206-done@bugs.debian.org

Subject: Re: Bug#769206: unblock tnftp/20130505-3

From: Niels Thykier <niels@thykier.net>

Date: Tue, 18 Nov 2014 07:57:27 +0100

Message-id: <546AEDD7.6040808@thykier.net>

In-reply-to: <[🔎] 20141117074344.GA1545@master.debian.org>

References: <[🔎] 20141112063424.GA7236@master.debian.org> <20141112190314.GB21455@lupin.home.powdarrmonkey.net> <20141112204831.GA8507@master.debian.org> <[🔎] 20141115110016.GA8147@lupin.home.powdarrmonkey.net> <[🔎] 20141117074344.GA1545@master.debian.org>
On 2014-11-17 08:43, Aníbal Monsalve Salazar wrote:
> Control: retitle -1 unblock tnftp/20130505-3
> Control: reopen -1
> 
> On Sat, 2014-11-15 11:00:16 +0000, Jonathan Wiltshire wrote:
>>
>> Changing compat level just to add hardening is not a good solution.
>> Other subtle changes are made in the packaging when that happens.
>> Please find a way to apply the hardening flags without changing compat
>> level.
> 
> Done.
> 
> Below is the debdiff between 20130505-1 in testing and 20130505-3 in
> unstable.
> 
> Thank you!
> 
> [...]

Unblocked, thanks.

~Niels
--- End Message ---

Reply to:

References:
- Bug#769206: unblock tnftp/20130505-2
  - From: Aníbal Monsalve Salazar <anibal@debian.org>

Prev by Date: Processed: Re: Bug#769203: unblock: angular.js/1.2.26-1
Next by Date: Bug#770003: unblock lilypond/2.18.2-4
Previous by thread: Processed: Re: Bug#769206: unblock tnftp/20130505-3
Next by thread: Bug#769207: unblock: stdeb/8.2-4
Index(es):
- Date
- Thread