Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock tnftp/20130505-2
debdiff tnftp_20130505-1.dsc tnftp_20130505-2.dsc
diff -Nru tnftp-20130505/debian/changelog tnftp-20130505/debian/changelog
--- tnftp-20130505/debian/changelog 2013-05-26 01:01:45.000000000 +0100
+++ tnftp-20130505/debian/changelog 2014-11-06 10:42:07.000000000 +0000
@@ -1,3 +1,19 @@
+tnftp (20130505-2) unstable; urgency=medium
+
+ * Only trust filenames with special meaning if they came from
+ the command line. CVE-2014-8517.
+ Add upstream patch CVE-2014-8517.patch.
+ Closes: #767171.
+ * Run dh-autoreconf to update for new architectures.
+ Patch by Brahadambal Srinivasan <latha@linux.vnet.ibm.com>.
+ Closes: 759467.
+ * Standards Version is 3.9.6.
+ * Fix uses-deprecated-compression-for-data-tarball.
+ * Fix build-depends-on-obsolete-package.
+ build-depends: hardening-wrapper => use dpkg-buildflags instead.
+
+ -- Anibal Monsalve Salazar <anibal@debian.org> Thu, 06 Nov 2014 10:42:01 +0000
+
tnftp (20130505-1) unstable; urgency=low
* New upstream version 20130505
diff -Nru tnftp-20130505/debian/compat tnftp-20130505/debian/compat
--- tnftp-20130505/debian/compat 2009-04-06 01:20:42.000000000 +0100
+++ tnftp-20130505/debian/compat 2014-11-06 09:57:48.000000000 +0000
@@ -1 +1 @@
-7
+9
diff -Nru tnftp-20130505/debian/control tnftp-20130505/debian/control
--- tnftp-20130505/debian/control 2013-05-26 00:04:41.000000000 +0100
+++ tnftp-20130505/debian/control 2014-11-06 10:02:59.000000000 +0000
@@ -2,8 +2,8 @@
Section: net
Priority: optional
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
-Build-Depends: debhelper (>= 7), hardening-wrapper, libncurses5-dev, libssl-dev
-Standards-Version: 3.9.4
+Build-Depends: debhelper (>= 9), libncurses5-dev, libssl-dev, autotools-dev
+Standards-Version: 3.9.6
Homepage: http://en.wikipedia.org/wiki/Tnftp
Package: tnftp
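Review bot: The new Build-Depends adds `autotools-dev`, while the changelog entry in this same upload says "Run dh-autoreconf"; the two do not describe the same mechanism, and the rules hunk only calls `dh_autotools-dev_updateconfig`, which refreshes config.guess/config.sub rather than regenerating configure. If refreshing the config scripts is all the ppc64el patch needed, the changelog wording is what is off; if a real autoreconf was intended, `dh-autoreconf` should be the build-dependency here. Either way the package should not claim one while shipping the other, as release-team review of an unblock relies on the changelog being accurate.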
diff -Nru tnftp-20130505/debian/patches/CVE-2014-8517.patch tnftp-20130505/debian/patches/CVE-2014-8517.patch
--- tnftp-20130505/debian/patches/CVE-2014-8517.patch 1970-01-01 01:00:00.000000000 +0100
+++ tnftp-20130505/debian/patches/CVE-2014-8517.patch 2014-11-06 10:24:25.000000000 +0000
@@ -0,0 +1,92 @@
+Date: Sun, 26 Oct 2014 12:21:59 -0400
+From: Christos Zoulas <christos@...bsd.org>
+To: source-changes-full@...bsd.org
+Subject: CVS commit: src/usr.bin/ftp
+X-Mailer: log_accum
+
+Module Name: src
+Committed By: christos
+Date: Sun Oct 26 16:21:59 UTC 2014
+
+Modified Files:
+ src/usr.bin/ftp: fetch.c
+
+Log Message:
+ don't pay attention to special characters if they don't come from the command
+ line (from jmcneill)
+
+http://security-tracker.debian.org/tracker/CVE-2014-8517
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767171
+http://www.openwall.com/lists/oss-security/2014/10/28/4
+
+Index: tnftp-20130505/src/fetch.c
+===================================================================
+--- tnftp-20130505.orig/src/fetch.c
++++ tnftp-20130505/src/fetch.c
+@@ -571,7 +571,7 @@ fetch_url(const char *url, const char *p
+ url_decode(decodedpath);
+
+ if (outfile)
+- savefile = ftp_strdup(outfile);
++ savefile = outfile;
+ else {
+ cp = strrchr(decodedpath, '/'); /* find savefile */
+ if (cp != NULL)
+@@ -595,8 +595,7 @@ fetch_url(const char *url, const char *p
+ rangestart = rangeend = entitylen = -1;
+ mtime = -1;
+ if (restartautofetch) {
+- if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
+- stat(savefile, &sb) == 0)
++ if (stat(savefile, &sb) == 0)
+ restart_point = sb.st_size;
+ }
+ if (urltype == FILE_URL_T) { /* file:// URLs */
+@@ -1140,18 +1139,26 @@ fetch_url(const char *url, const char *p
+ }
+ } /* end of ftp:// or http:// specific setup */
+
+- /* Open the output file. */
+- if (strcmp(savefile, "-") == 0) {
+- fout = stdout;
+- } else if (*savefile == '|') {
+- oldintp = xsignal(SIGPIPE, SIG_IGN);
+- fout = popen(savefile + 1, "w");
+- if (fout == NULL) {
+- warn("Can't execute `%s'", savefile + 1);
+- goto cleanup_fetch_url;
++ /* Open the output file. */
++
++ /*
++ * Only trust filenames with special meaning if they came from
++ * the command line
++ */
++ if (outfile == savefile) {
++ if (strcmp(savefile, "-") == 0) {
++ fout = stdout;
++ } else if (*savefile == '|') {
++ oldintp = xsignal(SIGPIPE, SIG_IGN);
++ fout = popen(savefile + 1, "w");
++ if (fout == NULL) {
++ warn("Can't execute `%s'", savefile + 1);
++ goto cleanup_fetch_url;
++ }
++ closefunc = pclose;
+ }
+- closefunc = pclose;
+- } else {
++ }
++ if (fout == NULL) {
+ if ((rangeend != -1 && rangeend <= restart_point) ||
+ (rangestart == -1 && filesize != -1 && filesize <= restart_point)) {
+ /* already done */
+@@ -1362,7 +1369,8 @@ fetch_url(const char *url, const char *p
+ (*closefunc)(fout);
+ if (res0)
+ freeaddrinfo(res0);
+- FREEPTR(savefile);
++ if (savefile != outfile)
++ FREEPTR(savefile);
+ FREEPTR(uuser);
+ if (pass != NULL)
+ memset(pass, 0, strlen(pass));
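Review bot: The restart-point check in the second hunk now calls `stat()` on savefile unconditionally, where the removed lines skipped the `-` and `|…` values; with `-o -` or `-o '|cmd'` on the command line, a file of that literal name in the working directory would set restart_point from its size and turn the fetch into a ranged request written to stdout or the pipe. The guard only needs to survive for the command-line case, since server-derived names are now meant to be taken literally: `if ((savefile != outfile || (strcmp(savefile, "-") != 0 && *savefile != '|')) && stat(savefile, &sb) == 0)`. The `if (fout == NULL)` fall-through in the third hunk also presumably relies on fout being initialised to NULL before this hunk; a one-line comment such as `/* fout is still NULL unless the command-line special case above opened it */` would make that dependence visible. fetch_url begins and ends outside these hunks.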
diff -Nru tnftp-20130505/debian/patches/series tnftp-20130505/debian/patches/series
--- tnftp-20130505/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ tnftp-20130505/debian/patches/series 2014-11-06 09:28:13.000000000 +0000
@@ -0,0 +1 @@
+CVE-2014-8517.patch
diff -Nru tnftp-20130505/debian/rules tnftp-20130505/debian/rules
--- tnftp-20130505/debian/rules 2013-05-26 00:56:53.000000000 +0100
+++ tnftp-20130505/debian/rules 2014-11-06 10:41:48.000000000 +0000
@@ -5,15 +5,13 @@
# Uncomment this to turn on verbose mode.
export DH_VERBOSE=1
-# Make use of security features through hardening-wrapper
-export DEB_BUILD_HARDENING=1
-
build-arch: build
build-indep: build
build: build-stamp
build-stamp:
dh_testdir
- ./configure --prefix=/usr --mandir=\$${prefix}/share/man
+ dh_autotools-dev_updateconfig
+ ./configure --prefix=/usr --mandir=\$${prefix}/share/man $(shell dpkg-buildflags --export=configure)
$(MAKE)
touch build-stamp
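Review bot: Replacing hardening-wrapper with `dpkg-buildflags --export=configure` can silently lower the hardening level: as far as I recall, `DEB_BUILD_HARDENING=1` turned on PIE and bindnow as well, whereas dpkg-buildflags of this era leaves both off by default, so the new binary would lose them unless the maintainer options request them. Restoring parity is two lines where the removed comment was, before `build-arch`: `# dpkg-buildflags replaces hardening-wrapper; +all keeps the PIE/bindnow it enabled` and `export DEB_BUILD_MAINT_OPTIONS = hardening=+all`. This also assumes upstream's configure honours the exported CFLAGS/CPPFLAGS/LDFLAGS; worth confirming with `hardening-check` on the built binary.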
@@ -22,6 +20,7 @@
dh_testroot
rm -f build-stamp
[ ! -f Makefile ] || $(MAKE) distclean
+ dh_autotools-dev_restoreconfig
dh_clean
install: build
@@ -63,7 +62,7 @@
dh_gencontrol
dh_lintian
dh_md5sums
- dh_builddeb -- -Zbzip2 -z9
+ dh_builddeb
binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install
diff -Nru tnftp-20130505/debian/source/options tnftp-20130505/debian/source/options
--- tnftp-20130505/debian/source/options 2009-11-23 10:37:44.000000000 +0000
+++ tnftp-20130505/debian/source/options 1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-compression = "bzip2"
-compression-level = 9