include Config
-VER = 2.3.4
+VER = 3.0.5
THISAPP = vsftpd-$(VER)
DL_FILE = $(THISAPP).tar.gz
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = vsftpd
-PAK_VER = 8
-
-DEPS = ""
+PAK_VER = 9
###############################################################################
# Top-level Rules
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 2ea5d19978710527bb7444d93b67767a
+$(DL_FILE)_BLAKE2 = c197a070f7eef8c97ef0adc1ebb883520e7613d67ba0eabb1380b3adaae272f4ef79110e79ce4aad5ddebd6100fb059308d905203249c5445d3ea64c29dc5ec2
install : $(TARGET)
download :$(patsubst %,$(DIR_DL)/%,$(objects))
-md5 : $(subst %,%_MD5,$(objects))
+b2 : $(subst %,%_BLAKE2,$(objects))
dist:
$(PAK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
-$(subst %,%_MD5,$(objects)) :
- @$(MD5)
+$(subst %,%_BLAKE2,$(objects)) :
+ @$(B2SUM)
###############################################################################
# Installation Details
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && echo "#define VSF_BUILD_SSL" >>builddefs.h
+
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/CVE-2015-1419.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/config-disable-anonymous-access-by-default.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/config-set-PAM-service-name-to-vsftpd.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/build-with-SSL-support.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/adjust-usr-share-empty-to-var-empty.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/fix-make-to-respect-distro-flags.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/fix-build-with-openssl-1.1.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/fix-handle-AUTH_TLS-reply-to-FEAT-for-all-TLS-varian.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/fix-ssl_tlsv-documentation-and-config-tunables.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/vsftpd/fix-seccomp-rules.patch
+
+ # Don't link against libnsl
+ cd $(DIR_APP) && sed "/lnsl/d" -i vsf_findlibs.sh
+
cd $(DIR_APP) && install -v -d -m 0755 /var/ftp/empty
cd $(DIR_APP) && install -v -d -m 0755 /home/ftp
chown vsftpd.vsftpd /home/ftp
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && install -v -m 755 vsftpd /usr/sbin/vsftpd
cd $(DIR_APP) && install -v -m 644 vsftpd.8 /usr/share/man/man8
cd $(DIR_APP) && install -v -m 644 vsftpd.conf.5 /usr/share/man/man5
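Review bot: The build line `cd $(DIR_APP) && make $(MAKETUNING)` passes no CFLAGS/LDFLAGS, while the newly applied fix-make-to-respect-distro-flags.patch turns upstream's `CFLAGS =` and `LDFLAGS =` into `?=`, so if the included Config (line 1, not visible here) exports CFLAGS or LDFLAGS, upstream's hardening set (`-fPIE -fstack-protector -D_FORTIFY_SOURCE=2` and `-pie -Wl,-z,relro -Wl,-z,now`) is replaced wholesale by the environment's flags rather than merged with them. Please confirm that the exported flags already carry PIE, RELRO, BIND_NOW and FORTIFY, or pass them explicitly on that line, for example `cd $(DIR_APP) && make $(MAKETUNING) CFLAGS="$(CFLAGS) -fPIE -fstack-protector -D_FORTIFY_SOURCE=2" LDFLAGS="$(LDFLAGS) -fPIE -pie -Wl,-z,relro -Wl,-z,now"`, and add a one-line comment above it recording which choice was made. Separately, fix-seccomp-rules.patch widens the base sandbox allowlist with `__NR_sysinfo`, `__NR_getdents64`, `__NR_alarm` and `__NR_wait4` and permits a `TCP_ULP` setsockopt, but unlike the neighbouring entries these carry no "Used by ..." comment; a short justification per syscall inside the patch would keep the sandbox change auditable. The `$(TARGET)` recipe appears to continue past line 58, outside this hunk.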
--- /dev/null
+Description: CVE-2015-1419: config option deny_file is not handled correctly
+Author: Marcus Meissner <meissner@suse.com>
+Origin: https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-1419
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776922
+Last-Update: 2015-02-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/ls.c
+===================================================================
+--- trunk.orig/ls.c
++++ trunk/ls.c
+@@ -7,6 +7,7 @@
+ * Would you believe, code to handle directory listing.
+ */
+
++#include <stdlib.h>
+ #include "ls.h"
+ #include "access.h"
+ #include "defs.h"
+@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
+ struct mystr temp_str = INIT_MYSTR;
+ struct mystr brace_list_str = INIT_MYSTR;
+ struct mystr new_filter_str = INIT_MYSTR;
++ struct mystr normalize_filename_str = INIT_MYSTR;
++ const char *normname;
++ const char *path;
+ int ret = 0;
+ char last_token = 0;
+ int must_match_at_current_pos = 1;
++
+ str_copy(&filter_remain_str, p_filter_str);
+- str_copy(&name_remain_str, p_filename_str);
++
++ /* normalize filepath */
++ path = str_strdup(p_filename_str);
++ normname = realpath(path, NULL);
++ if (normname == NULL)
++ goto out;
++ str_alloc_text(&normalize_filename_str, normname);
++
++ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
++ if (str_get_char_at(p_filter_str, 0) == '/') {
++ if (str_get_char_at(&normalize_filename_str, 0) != '/') {
++ str_getcwd (&name_remain_str);
++
++ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
++ str_append_char (&name_remain_str, '/');
++
++ str_append_str (&name_remain_str, &normalize_filename_str);
++ }
++ else
++ str_copy (&name_remain_str, &normalize_filename_str);
++ } else {
++ if (str_get_char_at(p_filter_str, 0) != '{')
++ str_basename (&name_remain_str, &normalize_filename_str);
++ else
++ str_copy (&name_remain_str, &normalize_filename_str);
++ }
++ } else
++ str_copy(&name_remain_str, &normalize_filename_str);
+
+ while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
+ {
+@@ -379,6 +411,9 @@ vsf_filename_passes_filter(const struct
+ ret = 0;
+ }
+ out:
++ free((char*) normname);
++ free((char*) path);
++ str_free(&normalize_filename_str);
+ str_free(&filter_remain_str);
+ str_free(&name_remain_str);
+ str_free(&temp_str);
+Index: trunk/str.c
+===================================================================
+--- trunk.orig/str.c
++++ trunk/str.c
+@@ -723,3 +723,14 @@ str_replace_unprintable(struct mystr* p_
+ }
+ }
+
++void
++str_basename (struct mystr* d_str, const struct mystr* path)
++{
++ static struct mystr tmp;
++
++ str_copy (&tmp, path);
++ str_split_char_reverse(&tmp, d_str, '/');
++
++ if (str_isempty(d_str))
++ str_copy (d_str, path);
++}
+Index: trunk/str.h
+===================================================================
+--- trunk.orig/str.h
++++ trunk/str.h
+@@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst
+ int str_atoi(const struct mystr* p_str);
+ filesize_t str_a_to_filesize_t(const struct mystr* p_str);
+ unsigned int str_octal_to_uint(const struct mystr* p_str);
++void str_basename (struct mystr* d_str, const struct mystr* path);
+
+ /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
+ * buffer, starting at character position 'p_pos'. The extracted line will
--- /dev/null
+From fa4bb925ab76b629952db58557a12008de59ca25 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sat, 27 Jan 2024 20:15:33 +0100
+Subject: [PATCH] adjust /usr/share/empty to /var/empty
+
+---
+ INSTALL | 6 +++---
+ tunables.c | 2 +-
+ vsftpd.conf.5 | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/INSTALL b/INSTALL
+index 4f811aa..d76d79a 100644
+--- a/INSTALL
++++ b/INSTALL
+@@ -27,11 +27,11 @@ user in case it does not already exist. e.g.:
+ [root@localhost root]# useradd nobody
+ useradd: user nobody exists
+
+-2b) vsftpd needs the (empty) directory /usr/share/empty in the default
++2b) vsftpd needs the (empty) directory /var/empty in the default
+ configuration. Add this directory in case it does not already exist. e.g.:
+
+-[root@localhost root]# mkdir /usr/share/empty/
+-mkdir: cannot create directory `/usr/share/empty': File exists
++[root@localhost root]# mkdir /var/empty/
++mkdir: cannot create directory `/var/empty': File exists
+
+ 2c) For anonymous FTP, you will need the user "ftp" to exist, and have a
+ valid home directory (which is NOT owned or writable by the user "ftp").
+diff --git a/tunables.c b/tunables.c
+index 069160a..59ae493 100644
+--- a/tunables.c
++++ b/tunables.c
+@@ -261,7 +261,7 @@ tunables_load_defaults()
+ /* -rw------- */
+ tunable_chown_upload_mode = 0600;
+
+- install_str_setting("/usr/share/empty", &tunable_secure_chroot_dir);
++ install_str_setting("/var/empty", &tunable_secure_chroot_dir);
+ install_str_setting("ftp", &tunable_ftp_username);
+ install_str_setting("root", &tunable_chown_username);
+ install_str_setting("/var/log/xferlog", &tunable_xferlog_file);
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 9e85785..8d469e9 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -993,7 +993,7 @@ This option should be the name of a directory which is empty. Also, the
+ directory should not be writable by the ftp user. This directory is used
+ as a secure chroot() jail at times vsftpd does not require filesystem access.
+
+-Default: /usr/share/empty
++Default: /var/empty
+ .TP
+ .B ssl_ciphers
+ This option can be used to select which SSL ciphers vsftpd will allow for
+--
+2.43.0
+
--- /dev/null
+From e2812fffd47d001478ef73ec7c5f1f0322b88684 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sat, 27 Jan 2024 23:30:47 +0100
+Subject: [PATCH] build with SSL support
+
+---
+ builddefs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/builddefs.h b/builddefs.h
+index e908352..63cc62b 100644
+--- a/builddefs.h
++++ b/builddefs.h
+@@ -3,7 +3,7 @@
+
+ #undef VSF_BUILD_TCPWRAPPERS
+ #define VSF_BUILD_PAM
+-#undef VSF_BUILD_SSL
++#define VSF_BUILD_SSL
+
+ #endif /* VSF_BUILDDEFS_H */
+
+--
+2.43.0
+
--- /dev/null
+From c6e03f208c85288b81a780f26967b98ace976e60 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sat, 27 Jan 2024 23:44:34 +0100
+Subject: [PATCH] config: disable anonymous access by default
+
+---
+ vsftpd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vsftpd.conf b/vsftpd.conf
+index cc1c607..f613efe 100644
+--- a/vsftpd.conf
++++ b/vsftpd.conf
+@@ -9,7 +9,7 @@
+ # capabilities.
+ #
+ # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+-anonymous_enable=YES
++anonymous_enable=NO
+ #
+ # Uncomment this to allow local users to log in.
+ #local_enable=YES
+--
+2.43.0
+
--- /dev/null
+From efe3fa360454f86800ed60eab403c00713cf8e92 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sat, 27 Jan 2024 23:48:42 +0100
+Subject: [PATCH] config: set PAM service name to vsftpd
+
+---
+ vsftpd.conf | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/vsftpd.conf b/vsftpd.conf
+index f613efe..ce9d10a 100644
+--- a/vsftpd.conf
++++ b/vsftpd.conf
+@@ -115,3 +115,7 @@ listen=YES
+ # sockets, you must run two copies of vsftpd with two configuration files.
+ # Make sure, that one of the listen options is commented !!
+ #listen_ipv6=YES
++
++# Set own PAM service name to detect authentication settings specified
++# for vsftpd by the system package.
++pam_service_name=vsftpd
+--
+2.43.0
+
--- /dev/null
+From 4dd04b995fd51dbbeadd3d6ad0417f128924a932 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sat, 27 Jan 2024 20:27:51 +0100
+Subject: [PATCH] fix: build with openssl 1.1
+
+---
+ vsf_findlibs.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vsf_findlibs.sh b/vsf_findlibs.sh
+index 4538685..6e65e2e 100755
+--- a/vsf_findlibs.sh
++++ b/vsf_findlibs.sh
+@@ -66,7 +66,7 @@ locate_library /usr/shlib/librt.so && echo "-lrt";
+ locate_library /usr/lib/libsendfile.so && echo "-lsendfile";
+
+ # OpenSSL
+-if find_func SSL_library_init ssl.o; then
++if find_func SSL_CTX_new ssl.o; then
+ echo "-lssl -lcrypto";
+ elif find_func SSL_new ssl.o; then
+ echo "-lssl -lcrypto";
+--
+2.43.0
+
--- /dev/null
+From 2f22333b5d39651cf0b2b973396faca510317d6c Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sat, 27 Jan 2024 23:01:59 +0100
+Subject: [PATCH] fix: handle AUTH_TLS reply to FEAT for all TLS variants
+
+Send 'AUTH SSL' in reply to the FEAT command when any of the TLS
+versions is enabled.
+---
+ features.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/features.c b/features.c
+index 1212980..3a60b88 100644
+--- a/features.c
++++ b/features.c
+@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
+ {
+ vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
+ }
+- if (tunable_tlsv1)
++ if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
+ {
+ vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
+ }
+--
+2.43.0
+
--- /dev/null
+From a23e8d016cbc4d5a9d3c3f28893c34f0dc6a6618 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sat, 27 Jan 2024 20:57:57 +0100
+Subject: [PATCH] fix: make to respect distro flags
+
+---
+ Makefile | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index c63ed1b..2e84bb5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -3,14 +3,13 @@ CC = gcc
+ INSTALL = install
+ IFLAGS = -idirafter dummyinc
+ #CFLAGS = -g
+-CFLAGS = -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
++CFLAGS ?= -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
+ -Wall -W -Wshadow -Werror -Wformat-security \
+ -D_FORTIFY_SOURCE=2 \
+ #-pedantic -Wconversion
+
+ LIBS = `./vsf_findlibs.sh`
+-LINK = -Wl,-s
+-LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
++LDFLAGS ?= -fPIE -pie -Wl,-z,relro -Wl,-z,now
+
+ OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
+ tunables.o ftpdataio.o secbuf.o ls.o \
+@@ -23,10 +22,10 @@ OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
+
+
+ .c.o:
+- $(CC) -c $*.c $(CFLAGS) $(IFLAGS)
++ $(CC) -c $*.c $(CFLAGS) $(CPPFLAGS) $(IFLAGS)
+
+ vsftpd: $(OBJS)
+- $(CC) -o vsftpd $(OBJS) $(LINK) $(LDFLAGS) $(LIBS)
++ $(CC) -o vsftpd $(OBJS) $(LDFLAGS) $(LIBS)
+
+ install:
+ if [ -x /usr/local/sbin ]; then \
+--
+2.43.0
+
--- /dev/null
+From 1cedb8fee186895d6828423ce4f7ca33d30ea7ad Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sat, 27 Jan 2024 19:56:20 +0100
+Subject: [PATCH] fix: seccomp rules
+
+---
+ seccompsandbox.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/seccompsandbox.c b/seccompsandbox.c
+index bcd96a0..a265f93 100644
+--- a/seccompsandbox.c
++++ b/seccompsandbox.c
+@@ -307,14 +307,20 @@ seccomp_sandbox_setup_base()
+ allow_nr_1_arg_mask(__NR_mprotect, 3, PROT_READ);
+ allow_nr(__NR_munmap);
+ allow_nr(__NR_brk);
++ allow_nr(__NR_sysinfo);
++ allow_nr(__NR_getdents64);
+ /* glibc falls back gracefully if mremap() fails during realloc(). */
+ reject_nr(__NR_mremap, ENOSYS);
+
+ /* Misc simple low-risk calls. */
+ allow_nr(__NR_gettimeofday); /* Used by logging. */
++ allow_nr(__NR_clock_gettime); /* Used by logging. */
+ allow_nr(__NR_rt_sigreturn); /* Used to handle SIGPIPE. */
+ allow_nr(__NR_restart_syscall);
+ allow_nr(__NR_close);
++ allow_nr(__NR_alarm);
++ allow_nr(__NR_wait4);
++
+
+ /* Always need to be able to exit ! */
+ allow_nr(__NR_exit_group);
+@@ -343,6 +349,7 @@ seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
+ allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
+ allow_nr(__NR_getpid); /* Used by logging. */
+ allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
++ allow_nr(__NR_getrandom); /* Used by OpenSSL in SSL_accept. */
+ allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
+ /* It's safe to allow O_RDWR in fcntl because these flags cannot be changed.
+ * Also, sockets are O_RDWR.
+@@ -367,6 +374,7 @@ seccomp_sandbox_setup_prelogin(const struct vsf_session* p_sess)
+ {
+ allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+ allow_nr_2_arg_match(__NR_setsockopt, 2, IPPROTO_TCP, 3, TCP_NODELAY);
++ allow_nr_2_arg_match(__NR_setsockopt, 2, SOL_TCP, 3, TCP_ULP);
+ }
+ if (tunable_syslog_enable)
+ {
+--
+2.43.0
+
--- /dev/null
+From ca9a5c7719f6c1a285ab80d0660e1b1fd9d0d8a3 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Sat, 27 Jan 2024 20:13:59 +0100
+Subject: [PATCH] fix: ssl_tlsv documentation and config tunables
+
+---
+ README.ssl | 4 ++--
+ vsftpd.conf.5 | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/README.ssl b/README.ssl
+index 2ec70cb..5327679 100644
+--- a/README.ssl
++++ b/README.ssl
+@@ -35,6 +35,6 @@ go to that directory and type e.g. "make vsftpd.pem". Then answer the
+ questions you are asked. Alternatively, read the man page for "openssl".
+ - Also be aware of the following SSL related parameters. Read the vsftpd.conf.5
+ manual page to learn about them: allow_anon_ssl, force_local_logins_ssl,
+-force_local_data_ssl, ssl_sslv2, ssl_sslv3, ssl_tlsv1, rsa_cert_file,
+-dsa_cert_file, ssl_ciphers.
++force_local_data_ssl, ssl_sslv2, ssl_sslv3, ssl_tlsv1, ssl_tlsv11, ssl_tlsv12,
++ssl_tlsv13, rsa_cert_file, dsa_cert_file, ssl_ciphers.
+
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 8d469e9..56ab251 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -499,7 +499,7 @@ TLS v1.2+ connections are preferred.
+
+ Default: NO
+ .TP
+-.B ssl_tlsv1_1
++.B ssl_tlsv11
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+@@ -507,7 +507,7 @@ TLS v1.2+ connections are preferred.
+
+ Default: NO
+ .TP
+-.B ssl_tlsv1_2
++.B ssl_tlsv12
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+@@ -515,7 +515,7 @@ TLS v1.2+ connections are preferred.
+
+ Default: YES
+ .TP
+-.B ssl_tlsv1_3
++.B ssl_tlsv13
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.3 protocol connections.
+--
+2.43.0
+