Bug 258838 - net-ftp/proftpd-1.3.2 - version bump with security fix
Summary: net-ftp/proftpd-1.3.2 - version bump with security fix
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's FTP Packages Maintainers
URL: http://bugs.proftpd.org/show_bug.cgi?...
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2009-0542
 
Reported: 2009-02-13 12:42 UTC by Bernd Lommerzheim
Modified: 2009-02-23 10:56 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
proftpd 1.3.2 ebuild (proftpd-1.3.2.ebuild,6.91 KB, text/plain)
2009-02-13 12:43 UTC, Bernd Lommerzheim
proftpd 1.3.2 upstream bug 3183 patch (proftpd-1.3.2-upstream-bug-3183.patch,2.96 KB, patch)
2009-02-13 12:43 UTC, Bernd Lommerzheim
Slight modified ebuild to fix bug 226907 as well. (proftpd-1.3.2.ebuild,6.94 KB, text/plain)
2009-02-13 14:29 UTC, Dustin Polke
proftpd 1.3.1-r2 ebuild (proftpd-1.3.1-r2.ebuild,7.08 KB, text/plain)
2009-02-13 14:36 UTC, Bernd Lommerzheim
proftpd 1.3.1 upstream security bug 3173 patch (proftpd-1.3.1-upstream-security-bug-3173.patch,7.91 KB, patch)
2009-02-13 14:36 UTC, Bernd Lommerzheim
proftpd 1.3.1 upstream security bug 3124 patch (proftpd-1.3.1-upstream-security-bug-3124.patch,3.59 KB, patch)
2009-02-14 09:59 UTC, Bernd Lommerzheim
proftpd 1.3.1-r2 ebuild (proftpd-1.3.1-r2.ebuild,7.14 KB, text/plain)
2009-02-14 10:00 UTC, Bernd Lommerzheim
experimental patch to solve some parallel building issues (proftpd-1.3.2-parallel-build.patch,786 bytes, patch)
2009-02-16 13:52 UTC, Bernd Lommerzheim

Description Bernd Lommerzheim 2009-02-13 12:42:53 UTC
Hey, a few days ago ProFTPD 1.3.2 (stable) was released [1]. As you can see in the release notes in [2] and in the NEWS file [3] it has a lot of bugfixes and an important security fix [4] which is exploitable [5]. This is *NOT* the security hole CVE-2008-4242 which was discussed in [6] and fixed in proftpd-1.3.2_rc2-r2 and proftpd-1.3.1-r1 on 09 Nov 2008. Unfortunately the 1.3.2 stable release and the 1.3.2rc2 development version have a wtmp logging bug [7] which was closed in CVS and I add a patch for that problem to the ebuild (proftpd-1.3.2-upstream-bug-3183.patch). Furthermore this ebuild solves Gentoo Bug #234003 [8] in allowing of building ProFTPD with both SQL backend modules MySQL and Postgres. Then you can use the directive 'SQLBackend' [9] to specify the used SQL backend. Per default the MySQL backend is used. As this stable release solves an exploitable security bug the ebuild should be added very soon to the portage.
Best regards.

[1] http://proftpd.org/
[2] http://proftpd.org/docs/RELEASE_NOTES-1.3.2
[3] http://proftpd.org/docs/NEWS-1.3.2
[4] http://bugs.proftpd.org/show_bug.cgi?id=3173
[5] http://www.heise-online.co.uk/news/SQL-injection-vulnerability-in-ProFTPD-closed--/112632
[6] http://bugs.gentoo.org/238762
[7] http://bugs.proftpd.org/show_bug.cgi?id=3183
[8] https://bugs.gentoo.org/show_bug.cgi?id=234003
[9] http://proftpd.org/docs/directives/linked/config_ref_SQLBackend.html
Comment 1 Bernd Lommerzheim 2009-02-13 12:43:29 UTC
Created attachment 181863 [details]
proftpd 1.3.2 ebuild
Comment 2 Bernd Lommerzheim 2009-02-13 12:43:58 UTC
Created attachment 181865 [details, diff]
proftpd 1.3.2 upstream bug 3183 patch
Comment 3 Bernd Lommerzheim 2009-02-13 13:42:32 UTC
Furthermore this ebuild bumps the modules mod_deflate from 0.3 to 0.3.1, the mod_shaper 0.6.4 to 0.6.5 and the mod_vroot from 0.7.2 to 0.8.3. Sorry, I forgot to mention that above.
Comment 4 Dustin Polke 2009-02-13 14:29:53 UTC
Created attachment 181874 [details]
Slight modified ebuild to fix bug 226907 as well.

I've got some problems with parallel build, but compiles fine with MAKEOPTS="-j1"
Comment 5 Bernd Lommerzheim 2009-02-13 14:35:53 UTC
In order to serve a regression-free and stable version 1.3.1 of ProFTPD (although ProFTPD 1.3.2 would be stable, too) I will attach the proftpd-1.3.1-r2 ebuild which just applies the patch ("proftpd-1.3.1-upstream-security-bug-3173.patch", [2]) to close the security hole [1].

[1] http://bugs.proftpd.org/show_bug.cgi?id=3173
[2] http://bugs.proftpd.org/attachment.cgi?id=2946&action=view
Comment 6 Bernd Lommerzheim 2009-02-13 14:36:27 UTC
Created attachment 181875 [details]
proftpd 1.3.1-r2 ebuild
Comment 7 Bernd Lommerzheim 2009-02-13 14:36:55 UTC
Created attachment 181876 [details, diff]
proftpd 1.3.1 upstream security bug 3173 patch
Comment 8 Bernd Lommerzheim 2009-02-13 15:06:35 UTC
Dustin, your ebuild works fine for me.
But I could build both ebuilds of ProFTPD 1.3.2 on an x86 system (i686) with MAKEOPTS="-j2" and USE="nls pam ssl". Do you know which module has problems with parallel building? Which arch do you use?
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-14 00:49:31 UTC
Doesn't seem to be a duplicate of bug #258450.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-02-14 04:41:00 UTC
Bernd, thanks a lot for your work preparing the ebuilds. Please take note that there are two distinct bugs both unfixed in our latest stable (1.3.2rc2), both of which are handled in bug 258450 (from the standpoint of the security team, at least).

However, since your bug contains valuable information for the package maintainers to bump the package, I am reassigning it to them.
Comment 11 Bernd Lommerzheim 2009-02-14 09:58:46 UTC
I'm sorry. Did not see bug #258450 when I created this one here.
From my understanding the ProFTPD 1.3.2 (stable) release fixes all known security bugs and hence it should be added very soon to portage. But in #258450 a second security bug [1] (duplicate of [2]) is discussed which is closed in both proftpd-1.3.2 ebuilds but not in proftpd-1.3.1-r2.ebuild. Therefore I will attach a patch ("proftpd-1.3.1-upstream-security-bug-3124.patch", [3] from [2]) and a new version of the proftpd-1.3.1-r2 ebuild. Hopefully now all security holes are fixed in the regression-free and stable 1.3.1 version. But maybe it would be better to add the proftpd-1.3.2.ebuild very soon to the portage and stabilize it very fast to get a stable and at the moment free of security hole version into portage. Some (or all) security holes are easily exploitable and should be fixed very fast for all stable gentoo users.

[1] http://bugs.proftpd.org/show_bug.cgi?id=3180
[2] http://bugs.proftpd.org/show_bug.cgi?id=3124
[3] http://bugs.proftpd.org/attachment.cgi?id=2885
Comment 12 Bernd Lommerzheim 2009-02-14 09:59:28 UTC
Created attachment 181980 [details, diff]
proftpd 1.3.1 upstream security bug 3124 patch
Comment 13 Bernd Lommerzheim 2009-02-14 10:00:04 UTC
Created attachment 181982 [details]
proftpd 1.3.1-r2 ebuild
Comment 14 Dustin Polke 2009-02-16 10:25:30 UTC
(In reply to comment #8)
> Dustin, your ebuild works fine for me.
> But I could build both ebuilds of ProFTPD 1.3.2 on an x86 system (i686) with
> MAKEOPTS="-j2" and USE="nls pam ssl". Do you know which module has problems
> with parallel building? Which arch do you use?
> 
Sometimes it compiles, sometimes not with MAKEOPTS="-j5". Seems to be a race condition. Here is the relevant excerpt from build log when failing:

---8><--------
x86_64-pc-linux-gnu-gcc -L./lib -Wl,-O1 -Wl,--as-needed  -o ftpcount utils/ftpcount.o utils/scoreboard.o utils/misc.o -lsupp -lcrypt  -lresolv
/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lsupp
collect2: ld returned 1 exit status
make: *** [ftpcount] Error 1
make: *** Waiting for unfinished jobs....
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H  -DLINUX  -I.. -I../include  -march=nocona -O2 -pipe -ggdb -DUSE_LDAP_TLS -Wall -c pwgrent.c
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H  -DLINUX  -I.. -I../include  -march=nocona -O2 -pipe -ggdb -DUSE_LDAP_TLS -Wall -c str.c
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H  -DLINUX  -I.. -I../include  -march=nocona -O2 -pipe -ggdb -DUSE_LDAP_TLS -Wall -c mod_auth.c
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H  -DLINUX  -I.. -I../include  -march=nocona -O2 -pipe -ggdb -DUSE_LDAP_TLS -Wall -c mod_ls.c
x86_64-pc-linux-gnu-ar rc libsupp.a pr_fnmatch.o sstrncpy.o strsep.o vsnprintf.o glibc-glob.o glibc-hstrerror.o glibc-mkstemp.o pr-syslog.o pwgrent.o
x86_64-pc-linux-gnu-ranlib libsupp.a
---><8--------

As you can see, libsupp is finishing after the link call of ftpcount, which tries to link against libsupp.
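
Added example (not part of the original bug report and not ProFTPD or Gentoo code): a small checker that scans a make log for the ordering problem described in comment 14, where a link step uses -l<name> before the "ar" step that creates lib<name>.a. The function name and the sample log are assumptions; the sample is constructed by shortening the excerpt quoted above.

```python
import re
import shlex

# Constructed sample: shortened from the failing build log quoted in comment 14.
SAMPLE_LOG = """\
x86_64-pc-linux-gnu-gcc -L./lib -Wl,-O1 -Wl,--as-needed  -o ftpcount utils/ftpcount.o utils/scoreboard.o utils/misc.o -lsupp -lcrypt  -lresolv
make: *** [ftpcount] Error 1
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -DLINUX -I.. -I../include -Wall -c pwgrent.c
x86_64-pc-linux-gnu-ar rc libsupp.a pr_fnmatch.o sstrncpy.o pwgrent.o
x86_64-pc-linux-gnu-ranlib libsupp.a
"""

AR_TOOL = re.compile(r"(^|-)ar$")      # "ar" or "<chost>-ar", but not "ranlib"
ARCHIVE = re.compile(r"^lib(.+)\.a$")  # libsupp.a -> "supp"


def find_link_before_archive(log_text):
    """Return (link_line_no, lib, archive_line_no) for every link step that
    uses -l<lib> earlier in the log than the 'ar' step creating lib<lib>.a."""
    links = []      # (line number, library name) for each -l flag on a link line
    archived = {}   # library name -> line number of the first 'ar' creating it
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # not a shell command (e.g. unbalanced quotes in a message)
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1]
        if AR_TOOL.search(tool):
            for arg in argv[1:]:
                m = ARCHIVE.match(arg.rsplit("/", 1)[-1])
                if m:
                    archived.setdefault(m.group(1), line_no)
        elif "-c" not in argv and "-o" in argv:
            # Compiler driver call without -c that names an output: a link step.
            links.extend((line_no, a[2:]) for a in argv
                         if a.startswith("-l") and len(a) > 2)
    # Libraries never archived in this log (system libs) are ignored.
    return [(ln, lib, archived[lib]) for ln, lib in links
            if lib in archived and archived[lib] > ln]


if __name__ == "__main__":
    for link_no, lib, ar_no in find_link_before_archive(SAMPLE_LOG):
        print(f"line {link_no}: links -l{lib}, "
              f"but lib{lib}.a is created on line {ar_no}")
```

A hit means the link target has no declared prerequisite on the archive, so the build only succeeds when the jobs happen to finish in the right order.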
Comment 15 Dustin Polke 2009-02-16 10:47:50 UTC
(In reply to comment #8)

> Which arch do you use?
For completeness:

Portage 2.1.6.4 (default/linux/amd64/2008.0, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.26-gentoo_dazuko-patch-r4-stable x86_64)
=================================================================
System uname: Linux-2.6.26-gentoo_dazuko-patch-r4-stable-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T8100_@_2.10GHz-with-glibc2.2.5
Timestamp of tree: Mon, 16 Feb 2009 07:45:02 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.6-r1
dev-lang/python:     2.5.2-r7
dev-util/cmake:      2.4.8
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -pipe -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/bin/mygenkernel /usr/sbin/run-crons"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=nocona -O2 -pipe -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks fixpackages multilib-strict parallel-fetch protect-owned sandbox sfperms splitdebug strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/             ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/                ftp://gd.tuwien.ac.at/opsys/linux/gentoo/               ftp://gentoo.inode.at/source/            ftp://pandemonium.tiscali.de/pub/gentoo/"
LANG="C"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en de"
MAKEOPTS="-j5"
PKGDIR="/home/ftp/binpkg/"
PORTAGE_COMPRESS=""
PORTAGE_RSYNC_EXTRA_OPTS="--timeout=500"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/alon-barlev /usr/portage/local/layman/sunrise /usr/portage/local/layman/science /usr/portage/local/modified /usr/portage/local/own"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X Xaw3d a52 aac aalib accessibility acl acpi alsa amd64 amr amrnb amrr amrwb apm async audacious audiofile bash-completion battery berkdb bindist bl bluetooth branding bzip2 cairo cardbus cdinstall cjk cli cpufreq cracklib crypt css ctype cups dbus dga directfb divx dri dts dv dvd dvdr dvdread eds encode evo exif exiv2 fam fame fbcon fbcondecor fbsplash ffmpeg flac foomaticdb force-cgi-redirect fortran ftp gd gdbm gif gimp glade glitz gmedia gmp gnutls gphoto2 gs gsm gstreamer gtk gtkhtml guile hal hddtemp hdf5 iconv icq icu idn ieee1394 imagemagick imap imlib iproute2 isdnlog jack java javascript jikes jpeg jpeg2k kerberos keyscrub kino kpathsea lame laptop latex lcms ldap libcaca libnotify libsamplerate libv4l2 libwww live lm_sensors logrotate loop-aes lzma lzo mad memlimit midi mikmod mime mjpeg mmx mmxext mng motif mp2 mp3 mp4 mpeg mplayer mudflap multilib musepack ncurses nls nntp nowin nptl nptlonly nsplugin ntp nuv nvidia ogg opengl openmp opensslcrypto pam pch pcmcia pcre pda pdf perl plotutils png posix ppds pppd print python quicktime readline realmedia reflection rtsp ruby rubytests samba sasl sdl server session simplexml slang sndfile soap sockets sou speex spell spl sse sse2 ssl ssse3 startup-notification stream svg swat sysfs syslog tcpd tetex tga theora threads tiff truetype unicode usb userlocales v4l v4l2 vcd vim-syntax vim-with-x vorbis wifi winbind wma wmf wmp wxwindows x264 xanim xcomposite xinetd xml xmp xorg xpm xsl xulrunner xv xvid xvmc zlib" ALSA_CARDS="hda-intel mpu401" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers 
include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="fuji ptp2" ELIBC="glibc" INPUT_DEVICES="keyboard mouse ps2mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en de" USERLAND="GNU" VIDEO_CARDS="nvidia nv"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS_FLAGS
Comment 16 Bernd Lommerzheim 2009-02-16 13:50:59 UTC
Thanks. Honestly I am not an expert for Makefiles and the auto* tools, but I will attach a patch which hopefully solves this parallel building issue. It defines some dependencies between the linking process of some binaries in the "utils" directory and the "lib" directory. Please try this patch and give me some feedback. Thank you.
Comment 17 Bernd Lommerzheim 2009-02-16 13:52:14 UTC
Created attachment 182237 [details, diff]
experimental patch to solve some parallel building issues
Comment 18 Dustin Polke 2009-02-16 14:28:40 UTC
(In reply to comment #16)
> Thanks. Honestly I am not an expert for Makefiles and the auto* tools, but I
> will attach a patch which hopefully solves this parallel building issue. It
> defines some dependencies between the linking process of some binaries in the
> "utils" directory and the "lib" directory. Please try this patch and give me
> some feedback. Thank you.

Compiled proftpd several times and it always finished successfully. Works for me, thanks.
Comment 19 Bernard Cafarelli gentoo-dev 2009-02-17 13:49:12 UTC
Dustin, Bernd, thanks a lot for your work!

I've added 1.3.2 (based on old ebuild) in CVS for security stabling, but I'll soon add a -r1 with the other fixes from this bug (and a few other open ones).
Comment 20 Dustin Polke 2009-02-17 14:42:54 UTC
(In reply to comment #19)
> Dustin, Bernd, thanks a lot for your work!
> 
> I've added 1.3.2 (based on old ebuild) in CVS for security stabling, but I'll
> soon add a -r1 with the other fixes from this bug (and a few other open ones).

voyageur, thanks for taking care of this. I know you are not the maintainer of this package but I was wondering why append-ldflags was used at all in the ebuild. Maybe adding a comment would make maintenance easier in the future.

BR,
Dustin
Comment 21 Bernard Cafarelli gentoo-dev 2009-02-17 15:37:24 UTC
From what I've seen, it was used since append-ldflags is an easy way to add the needed libraries (and probably added before flameeeyes added a check in append-ldflags itself).

I left it in 1.3.2 to minimize the risk of breaking it all, but 1.3.2-r1 will have your patch :) (as appending libs with it is incorrect and breaks --as-needed for example)
Comment 22 Bernard Cafarelli gentoo-dev 2009-02-17 22:14:07 UTC
OK proftpd-1.3.2-r1 is in tree now, and includes all fixes listed in this bug. If I forgot one, yell at me and please reopen ;)

Comment 23 Bernd Lommerzheim 2009-02-17 23:51:46 UTC
voyageur, thanks for adding the changes to the portage tree. As I can see all fixes out of this bug report are in this ebuild. Furthermore I posted the parallel building patch to the ProFTPD Bugzilla [1] and they added the patch as it is to their CVS. So both patches ("proftpd-1.3.2-upstream-bug-3183.patch" and "proftpd-1.3.2-parallel-build.patch") should be in the next official ProFTPD release which should be 1.3.3r1. Thanks a lot.

[1] http://bugs.proftpd.org/show_bug.cgi?id=3189
Comment 24 Bernd Lommerzheim 2009-02-18 00:08:29 UTC
Found a small typo in the new proftpd-1.3.2-r1.ebuild. See at line 19 [1]:
< SRC_URI="ftp://ftp.proftpd.org/distrib/source/${P/_/}.tar.bz2
> SRC_URI="ftp://ftp.proftpd.org/distrib/source/${P/_/w²}.tar.bz2
I think that "w²" should not be there. Just a typo?

[1] http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-ftp/proftpd/proftpd-1.3.2-r1.ebuild?view=annotate
Comment 25 Bernard Cafarelli gentoo-dev 2009-02-18 07:18:22 UTC
Yes, typo indeed, thanks for spotting it, this would have caused a few surprises when using the ebuild in a rc release revision bump (as this would have replaced the "_" in the uri by "w²"). Fixed in CVS!

And it's good news that the parallel build patch is already accepted and committed upstream indeed :)