From 0710b8d8a873ab3ae1a6752b2d8592c0f9f6e87e Mon Sep 17 00:00:00 2001 From: vanhofen Date: Sat, 28 May 2022 15:30:53 +0200 Subject: [PATCH] - vsftp: bump version to 3.0.5; rework build --- .../vsftpd/patches/0001-utmpx-builddef.patch | 49 +++++++++++ ...419.patch => 0002-fix-CVE-2015-1419.patch} | 4 +- ...0003-Prevent-hang-in-SIGCHLD-handler.patch | 87 +++++++++++++++++++ .../patches/vsftpd-disable-capabilities.patch | 12 --- package/vsftpd/patches/vsftpd-fixchroot.patch | 40 --------- .../patches/vsftpd-login-blank-password.patch | 21 ----- package/vsftpd/vsftpd.mk | 34 ++++---- 7 files changed, 156 insertions(+), 91 deletions(-) create mode 100644 package/vsftpd/patches/0001-utmpx-builddef.patch rename package/vsftpd/patches/{vsftpd-fix-CVE-2015-1419.patch => 0002-fix-CVE-2015-1419.patch} (96%) create mode 100644 package/vsftpd/patches/0003-Prevent-hang-in-SIGCHLD-handler.patch delete mode 100644 package/vsftpd/patches/vsftpd-disable-capabilities.patch delete mode 100644 package/vsftpd/patches/vsftpd-fixchroot.patch delete mode 100644 package/vsftpd/patches/vsftpd-login-blank-password.patch diff --git a/package/vsftpd/patches/0001-utmpx-builddef.patch b/package/vsftpd/patches/0001-utmpx-builddef.patch new file mode 100644 index 00000000..07bf13c8 --- /dev/null +++ b/package/vsftpd/patches/0001-utmpx-builddef.patch 
@@ -0,0 +1,49 @@ +Add build option to disable utmpx update code + +On some embedded systems the libc may have utmpx support, but the +feature would be redundant. So add a build switch to disable utmpx +updating, similar to compiling on systems without utmpx support. + +Signed-off-by: Maarten ter Huurne + +diff -ru vsftpd-3.0.2.orig/builddefs.h vsftpd-3.0.2/builddefs.h +--- vsftpd-3.0.2.orig/builddefs.h 2012-04-05 05:24:56.000000000 +0200 ++++ vsftpd-3.0.2/builddefs.h 2014-09-16 14:23:36.128003245 +0200 +@@ -4,6 +4,7 @@ + #undef VSF_BUILD_TCPWRAPPERS + #define VSF_BUILD_PAM + #undef VSF_BUILD_SSL ++#define VSF_BUILD_UTMPX + + #endif /* VSF_BUILDDEFS_H */ + +diff -ru vsftpd-3.0.2.orig/sysdeputil.c vsftpd-3.0.2/sysdeputil.c +--- vsftpd-3.0.2.orig/sysdeputil.c 2012-09-16 06:18:04.000000000 +0200 ++++ vsftpd-3.0.2/sysdeputil.c 2014-09-16 14:26:42.686887724 +0200 +@@ -1158,7 +1158,7 @@ + + #endif /* !VSF_SYSDEP_NEED_OLD_FD_PASSING */ + +-#ifndef VSF_SYSDEP_HAVE_UTMPX ++#if !defined(VSF_BUILD_UTMPX) || !defined(VSF_SYSDEP_HAVE_UTMPX) + + void + vsf_insert_uwtmp(const struct mystr* p_user_str, +@@ -1173,7 +1173,7 @@ + { + } + +-#else /* !VSF_SYSDEP_HAVE_UTMPX */ ++#else /* !VSF_BUILD_UTMPX || !VSF_SYSDEP_HAVE_UTMPX */ + + /* IMHO, the pam_unix module REALLY should be doing this in its SM component */ + /* Statics */ +@@ -1238,7 +1238,7 @@ + updwtmpx(WTMPX_FILE, &s_utent); + } + +-#endif /* !VSF_SYSDEP_HAVE_UTMPX */ ++#endif /* !VSF_BUILD_UTMPX || !VSF_SYSDEP_HAVE_UTMPX */ + + void + vsf_set_die_if_parent_dies() diff --git a/package/vsftpd/patches/vsftpd-fix-CVE-2015-1419.patch b/package/vsftpd/patches/0002-fix-CVE-2015-1419.patch similarity index 96% rename from package/vsftpd/patches/vsftpd-fix-CVE-2015-1419.patch rename to package/vsftpd/patches/0002-fix-CVE-2015-1419.patch index 95ad017a..657af289 100644 --- a/package/vsftpd/patches/vsftpd-fix-CVE-2015-1419.patch +++ b/package/vsftpd/patches/0002-fix-CVE-2015-1419.patch 
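Review bot: The builddefs.h hunk in this new patch defines VSF_BUILD_UTMPX by default, so as applied the patch leaves utmpx updating enabled; the opt-out its description promises only takes effect if the build flips the define, and the VSFTPD_PATCH_BUILDDEFS_H hook in the vsftpd.mk hunk of this same commit only rewrites the PAM and SSL lines. If the intent is to stop vsftpd from writing utmpx/wtmpx on this target, add a third rewrite next to the existing two, `$(SED) 's/.*VSF_BUILD_UTMPX/#undef VSF_BUILD_UTMPX/' $(PKG_BUILD_DIR)/builddefs.h`; if the intent is only to carry the switch for later use, a one-line remark in the patch header saying the default stays enabled would stop a reader from assuming it is off. The sysdeputil.c hunks only widen the existing `#if`/`#else`/`#endif` guards and look consistent with each other; the functions they guard start outside the quoted context, so their bodies are not reviewed here.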
@@ -73,7 +73,7 @@ Index: vsftpd-3.0.2/str.c =================================================================== --- vsftpd-3.0.2.orig/str.c +++ vsftpd-3.0.2/str.c -@@ -770,3 +770,14 @@ str_replace_unprintable(struct mystr* p_ +@@ -711,3 +711,14 @@ str_replace_unprintable(struct mystr* p_ } } @@ -92,7 +92,7 @@ Index: vsftpd-3.0.2/str.h =================================================================== --- vsftpd-3.0.2.orig/str.h +++ vsftpd-3.0.2/str.h -@@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst +@@ -100,6 +100,7 @@ void str_replace_unprintable(struct myst int str_atoi(const struct mystr* p_str); filesize_t str_a_to_filesize_t(const struct mystr* p_str); unsigned int str_octal_to_uint(const struct mystr* p_str); diff --git a/package/vsftpd/patches/0003-Prevent-hang-in-SIGCHLD-handler.patch b/package/vsftpd/patches/0003-Prevent-hang-in-SIGCHLD-handler.patch new file mode 100644 index 00000000..60561937 --- /dev/null +++ b/package/vsftpd/patches/0003-Prevent-hang-in-SIGCHLD-handler.patch 
@@ -0,0 +1,87 @@ +From 1e65a0a15f819b8bf1b551bd84f71d0da1f5a00c Mon Sep 17 00:00:00 2001 +From: Martin Sehnoutka +Date: Thu, 17 Nov 2016 13:02:27 +0100 +Subject: [PATCH] Prevent hanging in SIGCHLD handler. + +vsftpd can now handle pam_exec.so in pam.d config without hanging +in SIGCHLD handler. + +[Abdelmalek: +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1198259 +Fetched from: +https://src.fedoraproject.org/cgit/rpms/vsftpd.git/plain/0026-Prevent-hanging-in-SIGCHLD-handler.patch] +Signed-off-by: Abdelmalek Benelouezzane +--- + sysutil.c | 4 ++-- + sysutil.h | 2 +- + twoprocess.c | 13 +++++++++++-- + 3 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/sysutil.c b/sysutil.c +index 6d7cb3f..099748f 100644 +--- a/sysutil.c ++++ b/sysutil.c +@@ -592,13 +592,13 @@ vsf_sysutil_exit(int exit_code) + } + + struct vsf_sysutil_wait_retval +-vsf_sysutil_wait(void) ++vsf_sysutil_wait(int hang) + { + struct vsf_sysutil_wait_retval retval; + vsf_sysutil_memclr(&retval, sizeof(retval)); + while (1) + { +- int sys_ret = wait(&retval.exit_status); ++ int sys_ret = waitpid(-1, &retval.exit_status, hang ? 
0 : WNOHANG); + if (sys_ret < 0 && errno == EINTR) + { + vsf_sysutil_check_pending_actions(kVSFSysUtilUnknown, 0, 0); +diff --git a/sysutil.h b/sysutil.h +index c145bdf..13153cd 100644 +--- a/sysutil.h ++++ b/sysutil.h +@@ -175,7 +175,7 @@ struct vsf_sysutil_wait_retval + int PRIVATE_HANDS_OFF_syscall_retval; + int PRIVATE_HANDS_OFF_exit_status; + }; +-struct vsf_sysutil_wait_retval vsf_sysutil_wait(void); ++struct vsf_sysutil_wait_retval vsf_sysutil_wait(int hang); + int vsf_sysutil_wait_reap_one(void); + int vsf_sysutil_wait_get_retval( + const struct vsf_sysutil_wait_retval* p_waitret); +diff --git a/twoprocess.c b/twoprocess.c +index 33d84dc..b1891e7 100644 +--- a/twoprocess.c ++++ b/twoprocess.c +@@ -47,8 +47,17 @@ static void + handle_sigchld(void* duff) + { + +- struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait(); ++ struct vsf_sysutil_wait_retval wait_retval = vsf_sysutil_wait(0); + (void) duff; ++ if (!vsf_sysutil_wait_get_exitcode(&wait_retval) && ++ !vsf_sysutil_wait_get_retval(&wait_retval)) ++ /* There was nobody to wait for, possibly caused by underlying library ++ * which created a new process through fork()/vfork() and already picked ++ * it up, e.g. by pam_exec.so or integrity check routines for libraries ++ * when FIPS mode is on (nss freebl), which can lead to calling prelink ++ * if the prelink package is installed. ++ */ ++ return; + /* Child died, so we'll do the same! Report it as an error unless the child + * exited normally with zero exit code + */ +@@ -390,7 +399,7 @@ common_do_login(struct vsf_session* p_sess, const struct mystr* p_user_str, + priv_sock_send_result(p_sess->parent_fd, PRIV_SOCK_RESULT_OK); + if (!p_sess->control_use_ssl) + { +- (void) vsf_sysutil_wait(); ++ (void) vsf_sysutil_wait(1); + } + else + { +-- +2.14.4 + diff --git a/package/vsftpd/patches/vsftpd-disable-capabilities.patch b/package/vsftpd/patches/vsftpd-disable-capabilities.patch deleted file mode 100644 index 7aa6330b..00000000 
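Review bot: The new `hang` parameter on vsf_sysutil_wait() is undocumented at its declaration in sysutil.h, and the early return added to handle_sigchld() relies on two things a reader cannot see together: the `vsf_sysutil_memclr(&retval, sizeof(retval))` at the top of vsf_sysutil_wait(), and, outside this hunk, the loop presumably storing waitpid()'s 0 result into the retval before returning it. A comment on the prototype, `/* hang: 1 blocks like wait(); 0 passes WNOHANG and yields an all-zero retval when no child is ready */`, would make the contract the handler depends on explicit. sysutil.h already declares vsf_sysutil_wait_reap_one(); if that is a non-blocking reaper in 3.0.5, the handler could build on it instead of widening vsf_sysutil_wait()'s contract, which is worth checking before carrying this downstream. The body of handle_sigchld() continues past the hunk, so the die path that follows the early return is not reviewed here.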
--- a/package/vsftpd/patches/vsftpd-disable-capabilities.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/sysdeputil.c -+++ b/sysdeputil.c -@@ -165,6 +165,9 @@ - #endif - /* END config */ - -+#undef VSF_SYSDEP_HAVE_CAPABILITIES -+#undef VSF_SYSDEP_HAVE_LIBCAP -+ - /* PAM support - we include our own dummy version if the system lacks this */ - #include - diff --git a/package/vsftpd/patches/vsftpd-fixchroot.patch b/package/vsftpd/patches/vsftpd-fixchroot.patch deleted file mode 100644 index 4214c45c..00000000 --- a/package/vsftpd/patches/vsftpd-fixchroot.patch +++ /dev/null @@ -1,40 +0,0 @@ ---- a/twoprocess.c -+++ b/twoprocess.c -@@ -41,7 +41,8 @@ - struct mystr* p_chroot_str, - struct mystr* p_chdir_str, - const struct mystr* p_user_str, -- const struct mystr* p_orig_user_str); -+ const struct mystr* p_orig_user_str, -+ int do_chroot); - - static void - handle_sigchld(void* duff) -@@ -454,7 +455,7 @@ - secutil_option |= VSF_SECUTIL_OPTION_ALLOW_WRITEABLE_ROOT; - } - calculate_chdir_dir(was_anon, &userdir_str, &chroot_str, &chdir_str, -- p_user_str, p_orig_user_str); -+ p_user_str, p_orig_user_str, do_chroot); - vsf_secutil_change_credentials(p_user_str, &userdir_str, &chroot_str, - 0, secutil_option); - if (!str_isempty(&chdir_str)) -@@ -522,7 +523,8 @@ - struct mystr* p_chroot_str, - struct mystr* p_chdir_str, - const struct mystr* p_user_str, -- const struct mystr* p_orig_user_str) -+ const struct mystr* p_orig_user_str, -+ int do_chroot) - { - if (!anon_login) - { -@@ -542,7 +544,7 @@ - { - str_alloc_text(p_chroot_str, tunable_anon_root); - } -- else if (!anon_login && tunable_local_root) -+ else if (!anon_login && tunable_local_root && !do_chroot) - { - str_alloc_text(p_chroot_str, tunable_local_root); - if (tunable_user_sub_token) diff --git a/package/vsftpd/patches/vsftpd-login-blank-password.patch b/package/vsftpd/patches/vsftpd-login-blank-password.patch deleted file mode 100644 index 27c84b73..00000000 
--- a/package/vsftpd/patches/vsftpd-login-blank-password.patch +++ /dev/null @@ -1,21 +0,0 @@ ---- a/sysdeputil.c -+++ b/sysdeputil.c -@@ -270,6 +270,9 @@ - } - } - #endif -+ /* Blank entry = anyone can login. Now what was that "s" in vsftpd? */ -+ if (!p_pwd->pw_passwd || !(*p_pwd->pw_passwd)) -+ return 1; - #ifdef VSF_SYSDEP_HAVE_SHADOW - { - const struct spwd* p_spwd = getspnam(str_getbuf(p_user_str)); -@@ -287,6 +290,8 @@ - { - return 0; - } -+ if (!p_spwd->sp_pwdp || !(*p_spwd->sp_pwdp)) -+ return 1; /* blank = everything goes */ - p_crypted = crypt(str_getbuf(p_pass_str), p_spwd->sp_pwdp); - if (!vsf_sysutil_strcmp(p_crypted, p_spwd->sp_pwdp)) - { diff --git a/package/vsftpd/vsftpd.mk b/package/vsftpd/vsftpd.mk index a7d88d30..2fd74240 100644 --- a/package/vsftpd/vsftpd.mk +++ b/package/vsftpd/vsftpd.mk 
@@ -4,32 +4,34 @@ # ################################################################################ -VSFTPD_VERSION = 3.0.3 +VSFTPD_VERSION = 3.0.5 VSFTPD_DIR = vsftpd-$(VSFTPD_VERSION) VSFTPD_SOURCE = vsftpd-$(VSFTPD_VERSION).tar.gz VSFTPD_SITE = https://security.appspot.com/downloads -$(DL_DIR)/$(VSFTPD_SOURCE): - $(download) $(VSFTPD_SITE)/$(VSFTPD_SOURCE) +VSFTPD_DEPENDENCIES = openssl VSFTPD_LIBS += -lcrypt $$($(PKG_CONFIG) --libs libssl libcrypto) -VSFTPD_DEPENDENCIES = openssl +define VSFTPD_PATCH_BUILDDEFS_H + $(SED) 's/.*VSF_BUILD_PAM/#undef VSF_BUILD_PAM/' $(PKG_BUILD_DIR)/builddefs.h + $(SED) 's/.*VSF_BUILD_SSL/#define VSF_BUILD_SSL/' $(PKG_BUILD_DIR)/builddefs.h +endef +VSFTPD_POST_PATCH_HOOKS += VSFTPD_PATCH_BUILDDEFS_H -vsftpd: $(VSFTPD_DEPENDENCIES) $(DL_DIR)/$(VSFTPD_SOURCE) | $(TARGET_DIR) - $(REMOVE)/$(PKG_DIR) - $(UNTAR)/$(PKG_SOURCE) - $(call APPLY_PATCHES,$(PKG_PATCHES_DIR)) - $(CHDIR)/$(PKG_DIR); \ - $(SED) 's/.*VSF_BUILD_PAM/#undef VSF_BUILD_PAM/' builddefs.h; \ - $(SED) 's/.*VSF_BUILD_SSL/#define VSF_BUILD_SSL/' builddefs.h; \ - $(MAKE) clean; \ - $(MAKE) $(TARGET_CONFIGURE_ENV) LIBS="$($(PKG)_LIBS)"; \ - $(INSTALL_EXEC) -D vsftpd $(TARGET_sbindir)/vsftpd +define VSFTPD_INSTALL_FILES $(INSTALL) -d $(TARGET_datadir)/empty $(INSTALL_DATA) -D $(PKG_FILES_DIR)/vsftpd.conf $(TARGET_sysconfdir)/vsftpd.conf $(INSTALL_DATA) -D $(PKG_FILES_DIR)/vsftpd.chroot_list $(TARGET_sysconfdir)/vsftpd.chroot_list $(INSTALL_EXEC) -D $(PKG_FILES_DIR)/vsftpd.init $(TARGET_sysconfdir)/init.d/vsftpd $(UPDATE-RC.D) vsftpd defaults 75 25 - $(REMOVE)/$(PKG_DIR) - $(TOUCH) +endef +VSFTPD_PRE_FOLLOWUP_HOOKS += VSFTPD_INSTALL_FILES + +vsftpd: | $(TARGET_DIR) + $(call PREPARE) + $(CHDIR)/$($(PKG)_DIR); \ + $(MAKE) clean; \ + $(MAKE) $(TARGET_CONFIGURE_ENV) LIBS="$($(PKG)_LIBS)"; \ + $(INSTALL_EXEC) -D vsftpd $(TARGET_sbindir)/vsftpd + $(call TARGET_FOLLOWUP)
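Review bot: VSFTPD_VERSION moves to 3.0.5 but the hunk pins no checksum for the new tarball fetched from VSFTPD_SITE, so the build trusts whatever the download step returns; if this build system supports a per-package hash variable, set it next to the version with the sha256 of the 3.0.5 archive (value to be filled in from a verified download), and if it does not, a comment saying so keeps the gap visible. The two $(SED) rewrites in VSFTPD_PATCH_BUILDDEFS_H are unanchored (`.*VSF_BUILD_PAM`), which works for the stock builddefs.h but will also rewrite any other line containing those tokens; anchoring them as `'s/^.*VSF_BUILD_PAM$/#undef VSF_BUILD_PAM/'` limits them to the define lines. Removing vsftpd-disable-capabilities.patch and vsftpd-fixchroot.patch changes runtime behaviour (capability detection in sysdeputil.c and the local_root/chroot handling in twoprocess.c) beyond the build rework the subject describes, so a sentence in the commit message confirming that is intentional would help whoever later bisects a login or chroot regression.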