Your message dated Tue, 18 Nov 2014 07:57:27 +0100
with message-id <546aedd7.6040...@thykier.net>
and subject line Re: Bug#769206: unblock tnftp/20130505-3
has caused the Debian Bug report #769206,
regarding unblock tnftp/20130505-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
769206: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769206
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock tnftp/20130505-2
debdiff tnftp_20130505-1.dsc tnftp_20130505-2.dsc
diff -Nru tnftp-20130505/debian/changelog tnftp-20130505/debian/changelog
--- tnftp-20130505/debian/changelog 2013-05-26 01:01:45.000000000 +0100
+++ tnftp-20130505/debian/changelog 2014-11-06 10:42:07.000000000 +0000
@@ -1,3 +1,19 @@
+tnftp (20130505-2) unstable; urgency=medium
+
+ * Only trust filenames with special meaning if they came from
+ the command line. CVE-2014-8517.
+ Add upstream patch CVE-2014-8517.patch.
+ Closes: #767171.
+ * Run dh-autoreconf to update for new architectures.
+ Patch by Brahadambal Srinivasan <la...@linux.vnet.ibm.com>.
+ Closes: 759467.
+ * Standards Version is 3.9.6.
+ * Fix uses-deprecated-compression-for-data-tarball.
+ * Fix build-depends-on-obsolete-package.
+ build-depends: hardening-wrapper => use dpkg-buildflags instead.
+
+ -- Anibal Monsalve Salazar <ani...@debian.org> Thu, 06 Nov 2014 10:42:01
+0000
+
tnftp (20130505-1) unstable; urgency=low
* New upstream version 20130505
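Review bot: The changelog entry does not describe what this debdiff actually changes: it says "Run dh-autoreconf", but debian/control adds autotools-dev and debian/rules calls dh_autotools-dev_updateconfig, which only refreshes config.sub and config.guess, and it does not mention the debian/compat bump from 7 to 9 that is also part of this diff and that a freeze-unblock reviewer needs to see. Minor: "Closes: 759467" is missing the "#" used in "Closes: #767171" two lines above; the bug-number parser accepts both forms, but keep them consistent.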
diff -Nru tnftp-20130505/debian/compat tnftp-20130505/debian/compat
--- tnftp-20130505/debian/compat 2009-04-06 01:20:42.000000000 +0100
+++ tnftp-20130505/debian/compat 2014-11-06 09:57:48.000000000 +0000
@@ -1 +1 @@
-7
+9
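Review bot: The compat bump from 7 to 9 is unrelated to the CVE fix and is not needed for the stated hardening goal: debian/rules in this same debdiff calls ./configure and $(MAKE) directly rather than dh_auto_configure, so compat 9 contributes no build flags here, and the hardening comes entirely from the $(shell dpkg-buildflags --export=configure) added to the configure line. Since a compat change alters the behaviour of several dh_* helpers, keep compat 7 for the freeze unblock (this is the objection the release team raises later in this thread) or document why it is required.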
diff -Nru tnftp-20130505/debian/control tnftp-20130505/debian/control
--- tnftp-20130505/debian/control 2013-05-26 00:04:41.000000000 +0100
+++ tnftp-20130505/debian/control 2014-11-06 10:02:59.000000000 +0000
@@ -2,8 +2,8 @@
Section: net
Priority: optional
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
-Build-Depends: debhelper (>= 7), hardening-wrapper, libncurses5-dev, libssl-dev
-Standards-Version: 3.9.4
+Build-Depends: debhelper (>= 9), libncurses5-dev, libssl-dev, autotools-dev
+Standards-Version: 3.9.6
Homepage: http://en.wikipedia.org/wiki/Tnftp
Package: tnftp
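Review bot: The new debhelper (>= 9) floor is not required by anything in debian/rules, which uses plain ./configure and $(MAKE) and only the autotools-dev helpers; autotools-dev is the right build-dependency for dh_autotools-dev_updateconfig, but the changelog claims dh-autoreconf, so either switch to dh-autoreconf (and call dh_autoreconf / dh_autoreconf_clean in rules) or correct the changelog. Dropping hardening-wrapper is correct; see the note on the rules hunk about keeping the same level of hardening with dpkg-buildflags.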
diff -Nru tnftp-20130505/debian/patches/CVE-2014-8517.patch
tnftp-20130505/debian/patches/CVE-2014-8517.patch
--- tnftp-20130505/debian/patches/CVE-2014-8517.patch 1970-01-01
01:00:00.000000000 +0100
+++ tnftp-20130505/debian/patches/CVE-2014-8517.patch 2014-11-06
10:24:25.000000000 +0000
@@ -0,0 +1,92 @@
+Date: Sun, 26 Oct 2014 12:21:59 -0400
+From: Christos Zoulas <chris...@...bsd.org>
+To: source-changes-f...@...bsd.org
+Subject: CVS commit: src/usr.bin/ftp
+X-Mailer: log_accum
+
+Module Name: src
+Committed By: christos
+Date: Sun Oct 26 16:21:59 UTC 2014
+
+Modified Files:
+ src/usr.bin/ftp: fetch.c
+
+Log Message:
+ don't pay attention to special characters if they don't come from the
command
+ line (from jmcneill)
+
+http://security-tracker.debian.org/tracker/CVE-2014-8517
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767171
+http://www.openwall.com/lists/oss-security/2014/10/28/4
+
+Index: tnftp-20130505/src/fetch.c
+===================================================================
+--- tnftp-20130505.orig/src/fetch.c
++++ tnftp-20130505/src/fetch.c
+@@ -571,7 +571,7 @@ fetch_url(const char *url, const char *p
+ url_decode(decodedpath);
+
+ if (outfile)
+- savefile = ftp_strdup(outfile);
++ savefile = outfile;
+ else {
+ cp = strrchr(decodedpath, '/'); /* find savefile */
+ if (cp != NULL)
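Review bot: After `savefile = outfile;` savefile is a borrowed pointer whenever the user passed -o, and the rest of the patch uses the pointer-equality test `outfile == savefile` as the "came from the command line" signal and as the ownership test for the conditional FREEPTR at cleanup. Add a comment at the assignment stating that invariant, because any later code that reassigns savefile while outfile is set (for example from a server-supplied name) must allocate a fresh string, or both the trust check and the free at cleanup become wrong.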
+@@ -595,8 +595,7 @@ fetch_url(const char *url, const char *p
+ rangestart = rangeend = entitylen = -1;
+ mtime = -1;
+ if (restartautofetch) {
+- if (strcmp(savefile, "-") != 0 && *savefile != '|' &&
+- stat(savefile, &sb) == 0)
++ if (stat(savefile, &sb) == 0)
+ restart_point = sb.st_size;
+ }
+ if (urltype == FILE_URL_T) { /* file:// URLs */
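Review bot: Removing the `strcmp(savefile, "-") != 0 && *savefile != '|'` guard means stat() is now called on "-" or "|command" when those legitimately came from the command line; if a file literally named "-" exists in the working directory, restart_point is set from its size and a resume is attempted against stdout or a pipe. Keep the guard here, conditioned on `outfile == savefile` so that URL-derived names are still stat()ed as plain files, or move the special-name handling ahead of the stat().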
+@@ -1140,18 +1139,26 @@ fetch_url(const char *url, const char *p
+ }
+ } /* end of ftp:// or http:// specific setup */
+
+- /* Open the output file. */
+- if (strcmp(savefile, "-") == 0) {
+- fout = stdout;
+- } else if (*savefile == '|') {
+- oldintp = xsignal(SIGPIPE, SIG_IGN);
+- fout = popen(savefile + 1, "w");
+- if (fout == NULL) {
+- warn("Can't execute `%s'", savefile + 1);
+- goto cleanup_fetch_url;
++ /* Open the output file. */
++
++ /*
++ * Only trust filenames with special meaning if they came from
++ * the command line
++ */
++ if (outfile == savefile) {
++ if (strcmp(savefile, "-") == 0) {
++ fout = stdout;
++ } else if (*savefile == '|') {
++ oldintp = xsignal(SIGPIPE, SIG_IGN);
++ fout = popen(savefile + 1, "w");
++ if (fout == NULL) {
++ warn("Can't execute `%s'", savefile + 1);
++ goto cleanup_fetch_url;
++ }
++ closefunc = pclose;
+ }
+- closefunc = pclose;
+- } else {
++ }
++ if (fout == NULL) {
+ if ((rangeend != -1 && rangeend <= restart_point) ||
+ (rangestart == -1 && filesize != -1 && filesize <=
restart_point)) {
+ /* already done */
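Review bot: The fix relies on `if (fout == NULL)` being true when the `outfile == savefile` block did not open anything, so fout must be initialised to NULL earlier in fetch_url; that initialisation is outside the hunk and should be confirmed, since an uninitialised fout here would skip opening the output file entirely. With this change a URL-derived name that is "-" or starts with '|' is silently created as a regular file with that literal name in the current directory, which is the intended behaviour but deserves a warning to the user and a man page note, given that the previous behaviour executed it. Style: the old `/* Open the output file. */` comment is kept and immediately followed by a second block comment; merge them.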
+@@ -1362,7 +1369,8 @@ fetch_url(const char *url, const char *p
+ (*closefunc)(fout);
+ if (res0)
+ freeaddrinfo(res0);
+- FREEPTR(savefile);
++ if (savefile != outfile)
++ FREEPTR(savefile);
+ FREEPTR(uuser);
+ if (pass != NULL)
+ memset(pass, 0, strlen(pass));
diff -Nru tnftp-20130505/debian/patches/series
tnftp-20130505/debian/patches/series
--- tnftp-20130505/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ tnftp-20130505/debian/patches/series 2014-11-06 09:28:13.000000000
+0000
@@ -0,0 +1 @@
+CVE-2014-8517.patch
diff -Nru tnftp-20130505/debian/rules tnftp-20130505/debian/rules
--- tnftp-20130505/debian/rules 2013-05-26 00:56:53.000000000 +0100
+++ tnftp-20130505/debian/rules 2014-11-06 10:41:48.000000000 +0000
@@ -5,15 +5,13 @@
# Uncomment this to turn on verbose mode.
export DH_VERBOSE=1
-# Make use of security features through hardening-wrapper
-export DEB_BUILD_HARDENING=1
-
build-arch: build
build-indep: build
build: build-stamp
build-stamp:
dh_testdir
- ./configure --prefix=/usr --mandir=\$${prefix}/share/man
+ dh_autotools-dev_updateconfig
+ ./configure --prefix=/usr --mandir=\$${prefix}/share/man $(shell
dpkg-buildflags --export=configure)
$(MAKE)
touch build-stamp
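Review bot: Replacing hardening-wrapper with `$(shell dpkg-buildflags --export=configure)` lowers the hardening level rather than preserving it: with DEB_BUILD_HARDENING=1 the wrapper enabled the full set including PIE and BIND_NOW, whereas dpkg-buildflags without DEB_BUILD_MAINT_OPTIONS emits only the default subset (no pie, no bindnow) on Debian of this era. Add `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` near the top of the file so a network-facing client such as ftp keeps PIE and full RELRO, and state in the changelog that the flags are now supplied by dpkg-buildflags. Also note that dh_autotools-dev_updateconfig here only refreshes config.sub and config.guess, which is not the "dh-autoreconf" the changelog describes.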
@@ -22,6 +20,7 @@
dh_testroot
rm -f build-stamp
[ ! -f Makefile ] || $(MAKE) distclean
+ dh_autotools-dev_restoreconfig
dh_clean
install: build
@@ -63,7 +62,7 @@
dh_gencontrol
dh_lintian
dh_md5sums
- dh_builddeb -- -Zbzip2 -z9
+ dh_builddeb
binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install
diff -Nru tnftp-20130505/debian/source/options
tnftp-20130505/debian/source/options
--- tnftp-20130505/debian/source/options 2009-11-23 10:37:44.000000000
+0000
+++ tnftp-20130505/debian/source/options 1970-01-01 01:00:00.000000000
+0100
@@ -1,2 +0,0 @@
-compression = "bzip2"
-compression-level = 9
--- End Message ---
--- Begin Message ---
On 2014-11-17 08:43, Aníbal Monsalve Salazar wrote:
> Control: retitle -1 unblock tnftp/20130505-3
> Control: reopen -1
>
> On Sat, 2014-11-15 11:00:16 +0000, Jonathan Wiltshire wrote:
>>
>> Changing compat level just to add hardening is not a good solution.
>> Other subtle changes are made in the packaging when that happens.
>> Please find a way to apply the hardening flags without changing compat
>> level.
>
> Done.
>
> Below is the debdiff between 20130505-1 in testing and 20130505-3 in
> unstable.
>
> Thank you!
>
> [...]
Unblocked, thanks.
~Niels
--- End Message ---