Bug 550644 - net-ftp/proftpd-1.3.5-r2 Fails to Build Due to Patch CVE-2015-3306.patch
Summary: net-ftp/proftpd-1.3.5-r2 Fails to Build Due to Patch CVE-2015-3306.patch
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library
Hardware: x86 Linux
Importance: Normal normal
Assignee: Sergei Trofimovich (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2015-3306
Reported: 2015-05-28 13:36 UTC by Todd Goodman
Modified: 2015-05-31 09:51 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (proftpd-1.3.5-r2.info,6.79 KB, text/plain)
2015-05-28 13:37 UTC, Todd Goodman
build.log (proftpd-1.3.5-r2.build.log,2.13 KB, text/x-log)
2015-05-28 13:37 UTC, Todd Goodman
emerge -pqv (proftpd-1.3.5-r2.pqv,495 bytes, text/plain)
2015-05-28 13:37 UTC, Todd Goodman
CVE-2015-2206.patch.out (CVE-2015-3306.patch.out,5.55 KB, text/plain)
2015-05-28 13:38 UTC, Todd Goodman
Description Todd Goodman 2015-05-28 13:36:07 UTC
The net-ftp/proftpd-1.3.5-r2 ebuild gets an error applying patch CVE-2015-3306.patch.  It can't find any files to patch.

Manually applying the patch with 'patch -p0 < /usr/portage/net-ftp/files/CVE-2015-3306.patch' is successful for mod_copy.c but not the mod_copy.html

Reproducible: Always

Steps to Reproduce:
1. emerge net-ftp/proftpd
Actual Results:  
ebuild fails

Expected Results:  
ebuild succeeds
Comment 1 Todd Goodman 2015-05-28 13:37:14 UTC
Created attachment 404172
emerge --info
Comment 2 Todd Goodman 2015-05-28 13:37:30 UTC
Created attachment 404174
build.log
Comment 3 Todd Goodman 2015-05-28 13:37:49 UTC
Created attachment 404176
emerge -pqv
Comment 4 Todd Goodman 2015-05-28 13:38:11 UTC
Created attachment 404178
CVE-2015-2206.patch.out
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2015-05-29 08:02:23 UTC
yeah, this part of patch clearly looks like misexpanded CVS keywords:

@@ -118,13 +136,8 @@
 <p>
 <hr><br>
 
-Author: <i>$Author: idella4 $</i><br>
-Last Updated: <i>$Date: 2015/05/27 05:40:59 $</i><br>
-
-<br><hr>
-
 <font size=2><b><i>
-&copy; Copyright 2009-2010 TJ Saunders<br>
+&copy; Copyright 2009-2015 TJ Saunders<br>
  All Rights Reserved<br>
 </i></b></font>
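
Review bot: the removed lines `-Author: <i>$Author: idella4 $</i><br>` and `-Last Updated: <i>$Date: 2015/05/27 05:40:59 $</i><br>` contain expanded keyword values, so this hunk applies only to a file that holds exactly those strings. Drop the hunk from the backport, since the Author/Last Updated footer and the copyright year are documentation-only changes, or store the patch with keyword expansion disabled so the `-` lines keep the text of the file being patched.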
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2015-05-29 08:05:38 UTC
This also suggests that patch is incomplete:

mod_copy.c: In function ‘copy_cpfr’:
mod_copy.c:587:5: warning: implicit declaration of function ‘pr_cmd_set_errno’ [-Wimplicit-function-declaration]
     pr_cmd_set_errno(cmd, EPERM);
     ^
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2015-05-29 08:09:03 UTC
Pushed as:

>  29 May 2015; Sergei Trofimovich <slyfox@gentoo.org> files/CVE-2015-3306.patch:
>  Removed CVS expansion patch damage, but it does not fix USE=copy build failure
>  yet.

Assigned to Ian who wants to fix it. Make sure you test USE=copy case.
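
A pre-commit check for the failure mode discussed in comments 5 to 7, as an added example that is not part of the bug report or the Gentoo tree: it scans a unified diff for CVS/RCS keywords inside hunk bodies, which a keyword-expanding commit would rewrite. The function name, the keyword list and the sample patch are assumptions made for illustration.

```python
import re

# Keywords CVS/RCS rewrites on commit unless expansion is turned off for the file.
KEYWORDS = "Author|Date|Header|Id|Locker|Log|Name|RCSfile|Revision|Source|State"
# Matches the bare form "$Date$" and the expanded form "$Date: ... $".
KEYWORD_RE = re.compile(r"\$(" + KEYWORDS + r")(?::[^$\n]*)?\$")
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

# Constructed sample, modelled on the hunk quoted in comment 5 (not the real patch).
SAMPLE_PATCH = """\
--- a/example.html
+++ b/example.html
@@ -1,5 +1,3 @@
 <hr><br>
-Author: <i>$Author: someone $</i><br>
-Last Updated: <i>$Date: 2015/01/01 00:00:00 $</i><br>
 <font size=2><b><i>
-&copy; Copyright 2009-2010<br>
+&copy; Copyright 2009-2015<br>
"""


def find_keyword_lines(patch_text):
    """Return [(line_no, role, keyword)] for keywords inside hunk bodies.

    role is "must-match" for context and '-' lines (the target file has to
    contain the same bytes, so a rewritten keyword rejects the hunk) and
    "inserted" for '+' lines (a rewritten keyword changes what gets written).
    """
    findings = []
    old_left = new_left = 0          # lines still owed by the current hunk
    for no, line in enumerate(patch_text.splitlines(), 1):
        if old_left <= 0 and new_left <= 0:
            m = HUNK_RE.match(line)
            if m:                    # an omitted count in "@@ -a +b @@" means 1
                old_left = int(m.group(1) or 1)
                new_left = int(m.group(2) or 1)
            continue
        tag = line[:1]
        if tag == "\\":              # "\ No newline at end of file" marker
            continue
        if tag != "+":
            old_left -= 1            # '-' and context lines consume the old side
        if tag != "-":
            new_left -= 1            # '+' and context lines consume the new side
        role = "inserted" if tag == "+" else "must-match"
        for hit in KEYWORD_RE.finditer(line):
            findings.append((no, role, hit.group(1)))
    return findings
```

Any "must-match" finding means the patch file should be committed with keyword expansion disabled, or the affected hunk dropped, before the ebuild tries to apply it.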
Comment 8 Ian Delaney (RETIRED) gentoo-dev 2015-05-30 13:49:21 UTC
(In reply to Sergei Trofimovich from comment #7)

> 
> Assigned to Ian who wants to fix it. Make sure you test USE=copy case.

And someone told you this?
I found this left unattended and spent hours rebasing the first two files from the patches. They worked though I didn't test with USE=copy, granted.
1. It is you who is listed as maintainer in metadata.xml
2. It is therefore you who along with the other 2 proxy maintainers who did not prepare and submit workable patches for this sec bug.
3. And from this you conclude I want to fix it.

I attempted to work a bug that had gone 6 weeks untouched out of a willingness to help contribute asking no questions of any of the listed maintainers re their inaction. I have authority and place as a member of the proxy-maint project or herd.  Now this.

1. I have never come across a case of CVS expansion patch damage therefore
2. I don't know the first thing about it.
3. The patch still has my 'date of manufacture' details and the contrib/mod_copy.c has been modified to 
--- a/contrib/mod_copy.c
+++ b/contrib/mod_copy.c
which I am guessing is part of the "Removed CVS expansion patch damage" which is fine.

While I am not refusing to participate / contribute in the completion of this patch and its compromised state, I am genuinely perplexed as to how and why you have relieved yourself of completing it and simply assign it to me. I am guessing because I picked up the baton in the first place. You have not totally excused yourself since you have done this removal of damage from the patch as it stands now. It makes it difficult not sharing a common knowledge base that you appear to possess.

I have hundreds of emails still to plough through in the inbox to pursue; python and proxy-maint open bugs. I was not desperate to take this on, then nor did I expect it to misfire. I think it is the first security patch which I have committed that has.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2015-05-30 20:03:17 UTC
(In reply to Ian Delaney from comment #8)
> (In reply to Sergei Trofimovich from comment #7)
> 
> > 
> > Assigned to Ian who wants to fix it. Make sure you test USE=copy case.
> 
> And someone told you this?

I don't blame you at all. I'm glad you tried to fix it, but wanted to make sure you are aware it does not compile for users that even don't use mod_copy.

I didn't finish it exactly because it's harder to do, than just tweak some lines.
It's my fault and I don't blame anyone to do it.
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2015-05-30 21:12:17 UTC
Pushed as:

>  30 May 2015; Sergei Trofimovich <slyfox@gentoo.org>
>  -files/CVE-2015-3306-test.patch, -files/CVE-2015-3306.patch,
>  -proftpd-1.3.5-r2.ebuild:
>  Drop incorrectly backported patches: bug #550644 by Todd Goodman.

Thanks!
Comment 11 Ian Delaney (RETIRED) gentoo-dev 2015-05-31 03:14:18 UTC
ok that's fine. (In reply to Sergei Trofimovich from comment #9)

> > (In reply to Sergei Trofimovich from comment #7)
> I don't blame you at all. I'm glad you tried to fix it, but wanted to make
> sure you are aware it does not compile for users that even don't use
> mod_copy.
> 
Perfectly legitimate

> I didn't finish it exactly because it's harder to do, than just tweak some
> lines. It's my fault and I don't blame anyone to do it.

Well I'm not here to throw around blame. I'm here to help do bugs. On my part I re-based the patches which was the real hard part and got the ball rolling. That you then finished it off to me is fine. How the patch was corrupted by cvs was a bug surprise and new, and by rights I ought to have tested with the use flag(s).
According to your final solution I might not have figured that anyway.

Glad you were able to resolve it. I still think net-ftp/proftpd needs a new release considering the time and the changes in master
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2015-05-31 09:51:57 UTC
> I still think net-ftp/proftpd needs a new
> release considering the time and the changes in master

Yeah, it's how security bugs are best to fix:
http://www.proftpd.org/docs/NEWS-1.3.5a

https://bugs.gentoo.org/show_bug.cgi?id=546644#c4