!72 fix CVE-2024-48651

From: @li_ning_jie Reviewed-by: @wk333 Signed-off-by: @wk333
fix CVE-2024-48651
2024-12-02 06:24:27 +00:00 · 2024-12-02 11:27:59 +08:00 · 2024-01-08 01:57:07 +00:00 · 2024-01-05 16:54:19 +08:00 · 2024-01-02 07:15:24 +00:00 · 2023-12-29 09:39:06 +08:00
12 changed files with 482 additions and 291 deletions
--- a/CVE-2021-46854.patch
+++ b/CVE-2021-46854.patch
@ -1,43 +0,0 @@
 From 10a227b4d50e0a2cd2faf87926f58d865da44e43 Mon Sep 17 00:00:00 2001
 From: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
 Date: Tue, 3 Aug 2021 21:53:28 +0200
 Subject: [PATCH] mod_radius: copy _only_ the password
 ---
 contrib/mod_radius.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
 diff --git a/contrib/mod_radius.c b/contrib/mod_radius.c
 index 5092ca5e05..028c364ffd 100644
 --- a/contrib/mod_radius.c
 +++ b/contrib/mod_radius.c
@@ -2324,21 +2324,26 @@ static void radius_add_passwd(radius_packet_t *packet, unsigned char type,
   pwlen = strlen((const char *) passwd);
 +  /* Clear the buffers. */
 +  memset(pwhash, '\0', sizeof(pwhash));
 +
   if (pwlen == 0) {
     pwlen = RADIUS_PASSWD_LEN;
   } if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) {
 +    /* pwlen is not a multiple of RADIUS_PASSWD_LEN, need to prepare a proper buffer */
 +    memcpy(pwhash, passwd, pwlen);
     /* Round up the length. */
     pwlen += (RADIUS_PASSWD_LEN - 1);
     /* Truncate the length, as necessary. */
     pwlen &= ~(RADIUS_PASSWD_LEN - 1);
 +  } else {
 +    /* pwlen is a multiple of RADIUS_PASSWD_LEN, we can just use it. */
 +    memcpy(pwhash, passwd, pwlen);
   }
 -  /* Clear the buffers. */
 -  memset(pwhash, '\0', sizeof(pwhash));
 -  memcpy(pwhash, passwd, pwlen);
   /* Find the password attribute. */
   attrib = radius_get_attrib(packet, RADIUS_PASSWORD);
--- a/backport-CVE-2024-48651.patch
+++ b/backport-CVE-2024-48651.patch
@ -0,0 +1,319 @@
 From cec01cc0a2523453e5da5a486bc6d977c3768db1 Mon Sep 17 00:00:00 2001
 From: TJ Saunders <tj@castaglia.org>
 Date: Wed, 13 Nov 2024 06:33:35 -0800
 Subject: [PATCH] Issue #1830: When no supplemental groups are provided by the
 underlying authentication providers, fall back to using the primary
 group/GID. (#1835)
 This prevents surprise due to inheritance of the parent processes' supplemental group membership, which might inadvertently provided undesired access.
 ---
 contrib/mod_sftp/auth.c                       |  14 +-
 modules/mod_auth.c                            |  19 +-
 src/auth.c                                    |  14 +-
 .../ProFTPD/Tests/Modules/mod_sql_sqlite.pm   | 174 ++++++++++++++++++
 4 files changed, 209 insertions(+), 12 deletions(-)
 diff --git a/contrib/mod_sftp/auth.c b/contrib/mod_sftp/auth.c
 index c7a694e..6196fec 100644
 --- a/contrib/mod_sftp/auth.c
 +++ b/contrib/mod_sftp/auth.c
@@ -388,8 +388,20 @@ static int setup_env(pool *p, const char *user) {
       session.groups == NULL) {
     res = pr_auth_getgroups(p, pw->pw_name, &session.gids, &session.groups);
     if (res < 1) {
 +      /* If no supplemental groups are provided, default to using the process
 +       * primary GID as the supplemental group.  This prevents access
 +       * regressions as seen in Issue #1830.
 +       */
       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
 -        "no supplemental groups found for user '%s'", pw->pw_name);
 +        "no supplemental groups found for user '%s', "
 +        "using primary group %s (GID %lu)", pw->pw_name, session.group,
 +        (unsigned long) session.login_gid);
 +
 +      session.gids = make_array(p, 2, sizeof(gid_t));
 +      session.groups = make_array(p, 2, sizeof(char *));
 +
 +      *((gid_t *) push_array(session.gids)) = session.login_gid;
 +      *((char **) push_array(session.groups)) = pstrdup(p, session.group);
     }
   }
 diff --git a/modules/mod_auth.c b/modules/mod_auth.c
 index a85be06..9eb9b48 100644
 --- a/modules/mod_auth.c
 +++ b/modules/mod_auth.c
@@ -1113,8 +1113,8 @@ static int setup_env(pool *p, cmd_rec *cmd, const char *user, char *pass) {
     session.groups = NULL;
   }
 -  if (!session.gids &&
 -      !session.groups) {
 +  if (session.gids == NULL &&
 +      session.groups == NULL) {
     /* Get the supplemental groups.  Note that we only look up the
      * supplemental group credentials if we have not cached the group
      * credentials before, in session.gids and session.groups.  
@@ -1124,8 +1124,19 @@ static int setup_env(pool *p, cmd_rec *cmd, const char *user, char *pass) {
      */
      res = pr_auth_getgroups(p, pw->pw_name, &session.gids, &session.groups);
      if (res < 1) {
 -       pr_log_debug(DEBUG5, "no supplemental groups found for user '%s'",
 -         pw->pw_name);
 +       /* If no supplemental groups are provided, default to using the process
 +        * primary GID as the supplemental group.  This prevents access
 +        * regressions as seen in Issue #1830.
 +        */
 +       pr_log_debug(DEBUG5, "no supplemental groups found for user '%s', "
 +         "using primary group %s (GID %lu)", pw->pw_name, session.group,
 +         (unsigned long) session.login_gid);
 +
 +       session.gids = make_array(p, 2, sizeof(gid_t));
 +       session.groups = make_array(p, 2, sizeof(char *));
 +
 +       *((gid_t *) push_array(session.gids)) = session.login_gid;
 +       *((char **) push_array(session.groups)) = pstrdup(p, session.group);
      }
   }
 diff --git a/src/auth.c b/src/auth.c
 index b90fe41..af39fc0 100644
 --- a/src/auth.c
 +++ b/src/auth.c
@@ -1471,12 +1471,12 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids,
   }
   /* Allocate memory for the array_headers of GIDs and group names. */
 -  if (group_ids) {
 -    *group_ids = make_array(permanent_pool, 2, sizeof(gid_t));
 +  if (group_ids != NULL) {
 +    *group_ids = make_array(p, 2, sizeof(gid_t));
   }
 -  if (group_names) {
 -    *group_names = make_array(permanent_pool, 2, sizeof(char *));
 +  if (group_names != NULL) {
 +    *group_names = make_array(p, 2, sizeof(char *));
   }
   cmd = make_cmd(p, 3, name, group_ids ? *group_ids : NULL,
@@ -1495,7 +1495,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids,
      * for the benefit of auth_getgroup() implementors.
      */
 -    if (group_ids) {
 +    if (group_ids != NULL) {
       register unsigned int i;
       char *strgids = "";
       gid_t *gids = (*group_ids)->elts;
@@ -1511,7 +1511,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids,
         *strgids ? strgids : "(None; corrupted group file?)");
     }
 -    if (group_names) {
 +    if (group_names != NULL) {
       register unsigned int i;
       char *strgroups = ""; 
       char **groups = (*group_names)->elts;
@@ -1527,7 +1527,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids,
     }
   }
 -  if (cmd->tmp_pool) {
 +  if (cmd->tmp_pool != NULL) {
     destroy_pool(cmd->tmp_pool);
     cmd->tmp_pool = NULL;
   }
 diff --git a/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm b/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm
 index 08c1542..42ba967 100644
 --- a/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm
 +++ b/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm
@@ -467,6 +467,11 @@ my $TESTS = {
     order => ++$order,
     test_class => [qw(forking bug mod_tls)],
   },
 +
 +  sql_user_info_no_suppl_groups_issue1830 => {
 +    order => ++$order,
 +    test_class => [qw(forking bug rootprivs)],
 +  },
 };
 sub new {
@@ -15764,4 +15769,173 @@ EOC
   test_cleanup($setup->{log_file}, $ex);
 }
 +sub sql_user_info_no_suppl_groups_issue1830 {
 +  my $self = shift;
 +  my $tmpdir = $self->{tmpdir};
 +  my $setup = test_setup($tmpdir, 'sqlite');
 +
 +  my $db_file = File::Spec->rel2abs("$tmpdir/proftpd.db");
 +
 +  # Build up sqlite3 command to create users, groups tables and populate them
 +  my $db_script = File::Spec->rel2abs("$tmpdir/proftpd.sql");
 +
 +  if (open(my $fh, "> $db_script")) {
 +    print $fh <<EOS;
 +CREATE TABLE users (
 +  userid TEXT,
 +  passwd TEXT,
 +  uid INTEGER,
 +  gid INTEGER,
 +  homedir TEXT,
 +  shell TEXT
 +);
 +INSERT INTO users (userid, passwd, uid, gid, homedir, shell) VALUES ('$setup->{user}', '$setup->{passwd}', $setup->{uid}, $setup->{gid}, '$setup->{home_dir}', '/bin/bash');
 +
 +CREATE TABLE groups (
 +  groupname TEXT,
 +  gid INTEGER,
 +  members TEXT
 +);
 +INSERT INTO groups (groupname, gid, members) VALUES ('$setup->{group}', $setup->{gid}, '$setup->{user}');
 +EOS
 +
 +    unless (close($fh)) {
 +      die("Can't write $db_script: $!");
 +    }
 +
 +  } else {
 +    die("Can't open $db_script: $!");
 +  }
 +
 +  my $cmd = "sqlite3 $db_file < $db_script";
 +  build_db($cmd, $db_script);
 +
 +  # Make sure that, if we're running as root, the database file has
 +  # the permissions/privs set for use by proftpd
 +  if ($< == 0) {
 +    unless (chmod(0666, $db_file)) {
 +      die("Can't set perms on $db_file to 0666: $!");
 +    }
 +  }
 +
 +  my $config = {
 +    PidFile => $setup->{pid_file},
 +    ScoreboardFile => $setup->{scoreboard_file},
 +    SystemLog => $setup->{log_file},
 +    TraceLog => $setup->{log_file},
 +    Trace => 'auth:20 sql:20',
 +
 +    # Required for logging the expected message
 +    DebugLevel => 5,
 +
 +    IfModules => {
 +      'mod_delay.c' => {
 +        DelayEngine => 'off',
 +      },
 +
 +      'mod_sql.c' => {
 +        AuthOrder => 'mod_sql.c',
 +
 +        SQLAuthenticate => 'users',
 +        SQLAuthTypes => 'plaintext',
 +        SQLBackend => 'sqlite3',
 +        SQLConnectInfo => $db_file,
 +        SQLLogFile => $setup->{log_file},
 +
 +        # Set these, so that our lower UID/GID will be used
 +        SQLMinUserUID => 100,
 +        SQLMinUserGID => 100,
 +      },
 +    },
 +  };
 +
 +  my ($port, $config_user, $config_group) = config_write($setup->{config_file},
 +    $config);
 +
 +  # Open pipes, for use between the parent and child processes.  Specifically,
 +  # the child will indicate when it's done with its test by writing a message
 +  # to the parent.
 +  my ($rfh, $wfh);
 +  unless (pipe($rfh, $wfh)) {
 +    die("Can't open pipe: $!");
 +  }
 +
 +  my $ex;
 +
 +  # Fork child
 +  $self->handle_sigchld();
 +  defined(my $pid = fork()) or die("Can't fork: $!");
 +  if ($pid) {
 +    eval {
 +      sleep(2);
 +
 +      my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port);
 +      $client->login($setup->{user}, $setup->{passwd});
 +
 +      my $resp_msgs = $client->response_msgs();
 +      my $nmsgs = scalar(@$resp_msgs);
 +
 +      my $expected = 1;
 +      $self->assert($expected == $nmsgs,
 +        test_msg("Expected $expected, got $nmsgs"));
 +
 +      $expected = "User $setup->{user} logged in";
 +      $self->assert($expected eq $resp_msgs->[0],
 +        test_msg("Expected response '$expected', got '$resp_msgs->[0]'"));
 +
 +      $client->quit();
 +    };
 +    if ($@) {
 +      $ex = $@;
 +    }
 +
 +    $wfh->print("done\n");
 +    $wfh->flush();
 +
 +  } else {
 +    eval { server_wait($setup->{config_file}, $rfh) };
 +    if ($@) {
 +      warn($@);
 +      exit 1;
 +    }
 +
 +    exit 0;
 +  }
 +
 +  # Stop server
 +  server_stop($setup->{pid_file});
 +  $self->assert_child_ok($pid);
 +
 +  eval {
 +    if (open(my $fh, "< $setup->{log_file}")) {
 +      my $ok = 0;
 +
 +      while (my $line = <$fh>) {
 +        chomp($line);
 +
 +        if ($ENV{TEST_VERBOSE}) {
 +          print STDERR "# $line\n";
 +        }
 +
 +        if ($line =~ /no supplemental groups found for user '$setup->{user}', using primary group/) {
 +          $ok = 1;
 +          last;
 +        }
 +      }
 +
 +      close($fh);
 +
 +      $self->assert($ok, test_msg("Did not see expected log message"));
 +
 +    } else {
 +      die("Can't read $setup->{log_file}: $!");
 +    }
 +  };
 +  if ($@) {
 +    $ex = $@ unless $ex;
 +  }
 +
 +  test_cleanup($setup->{log_file}, $ex);
 +}
 +
 1;
 -- 
 2.33.0
--- a/modules.conf
+++ b/modules.conf
@ -171,6 +171,10 @@ LoadModule mod_vroot.c
  LoadModule                    mod_qos.c
 </IfDefine>
 # Attempt to generate a unique ID for every FTP session
 # (http://www.proftpd.org/docs/contrib/mod_unique_id.html)
 #   LoadModule mod_unique_id.c
 #
 # Provide a flexible way of specifying that certain configuration directives
 # only apply to certain sessions, based on credentials such as connection
 # class, user, or group membership
--- a/proftpd-1.3.7a-check-api.patch
+++ b/proftpd-1.3.7a-check-api.patch
@ -1,120 +0,0 @@
 --- tests/api/env.c
 +++ tests/api/env.c
@@ -61,11 +61,11 @@ START_TEST (env_get_test) {
   pr_env_unset(p, key);
   res = pr_env_get(p, key);
 -  fail_unless(res == NULL);
 +  fail_unless(res == NULL, "Unexpectedly found foo in environment");
   /* XXX PATH should always be set in the environment, right? */
   res = pr_env_get(p, "PATH");
 -  fail_unless(res != NULL);
 +  fail_unless(res != NULL, "Failed to find PATH in environment");
 #else
   res = pr_env_get(p, key);
 --- tests/api/sets.c
 +++ tests/api/sets.c
@@ -97,20 +97,20 @@ START_TEST (set_create_test) {
   fail_unless(errno == EPERM, "Failed to set errno to EPERM");
   res = xaset_create(p, NULL);
 -  fail_unless(res != NULL);
 +  fail_unless(res != NULL, "Failed with valid pool and NULL compare item");
   fail_unless(res->pool == p, "Expected %p, got %p", p, res->pool);
   permanent_pool = make_sub_pool(p);
   res = xaset_create(NULL, NULL);
 -  fail_unless(res != NULL);
 +  fail_unless(res != NULL, "Failed to handle null arguments");
   fail_unless(res->pool == permanent_pool, "Expected %p, got %p",
     permanent_pool, res->pool);
   fail_unless(res->xas_compare == NULL, "Expected NULL, got %p",
     res->xas_compare);
   res = xaset_create(p, (XASET_COMPARE) item_cmp);
 -  fail_unless(res != NULL);
 +  fail_unless(res != NULL, "Failed with valid pool and compare items");
   fail_unless(res->pool == p, "Expected %p, got %p", p, res->pool);
   fail_unless(res->xas_compare == (XASET_COMPARE) item_cmp,
     "Expected %p, got %p", item_cmp, res->xas_compare);
@@ -355,12 +355,12 @@ START_TEST (set_remove_test) {
   fail_unless(res == 0, "Failed to add item2");
   member = (xasetmember_t *) item1;
 -  fail_unless(member->next == NULL);
 -  fail_unless(member->prev != NULL);
 +  fail_unless(member->next == NULL, "Next pointer is not NULL");
 +  fail_unless(member->prev != NULL, "Previous pointer is NULL");
   member = (xasetmember_t *) item2;
 -  fail_unless(member->next != NULL);
 -  fail_unless(member->prev == NULL);
 +  fail_unless(member->next != NULL, "Next pointer is NULL");
 +  fail_unless(member->prev == NULL, "Previous pointer is not NULL");
   member = set->xas_list;
   fail_unless(member == (xasetmember_t *) item2,
@@ -371,8 +371,8 @@ START_TEST (set_remove_test) {
     strerror(errno));
   member = (xasetmember_t *) item2;
 -  fail_unless(member->next == NULL);
 -  fail_unless(member->prev == NULL);
 +  fail_unless(member->next == NULL, "Next pointer is not NULL");
 +  fail_unless(member->prev == NULL, "Previous pointer is not NULL");
   member = set->xas_list;
   fail_unless(member == (xasetmember_t *) item1,
@@ -383,8 +383,8 @@ START_TEST (set_remove_test) {
     strerror(errno));
   member = (xasetmember_t *) item1;
 -  fail_unless(member->next == NULL);
 -  fail_unless(member->prev == NULL);
 +  fail_unless(member->next == NULL, "Next pointer is not NULL");
 +  fail_unless(member->prev == NULL, "Previous pointer is not NULL");
   member = set->xas_list;
   fail_unless(member == NULL, "Expected list to be empty, got %p", member);
 --- tests/api/str.c
 +++ tests/api/str.c
@@ -1539,10 +1539,10 @@ START_TEST (uid2str_test) {
   const char *res;
   res = pr_uid2str(NULL, (uid_t) 1);
 -  fail_unless(strcmp(res, "1") == 0);
 +  fail_unless(strcmp(res, "1") == 0, "Failed to handle uid of 1");
   res = pr_uid2str(NULL, (uid_t) -1);
 -  fail_unless(strcmp(res, "-1") == 0);
 +  fail_unless(strcmp(res, "-1") == 0, "Failed to handle uid of -1");
 }
 END_TEST
@@ -1550,10 +1550,10 @@ START_TEST (gid2str_test) {
   const char *res;
   res = pr_gid2str(NULL, (gid_t) 1);
 -  fail_unless(strcmp(res, "1") == 0);
 +  fail_unless(strcmp(res, "1") == 0, "Failed to handle gid of 1");
   res = pr_gid2str(NULL, (gid_t) -1);
 -  fail_unless(strcmp(res, "-1") == 0);
 +  fail_unless(strcmp(res, "-1") == 0, "Failed to handle gid of -1");
 }
 END_TEST
 --- tests/api/timers.c
 +++ tests/api/timers.c
@@ -157,7 +157,7 @@ START_TEST (timer_remove_test) {
   int res;
   res = pr_timer_remove(0, NULL);
 -  fail_unless(res == 0);
 +  fail_unless(res == 0, "Non-zero response for removal with timer ID 0");
   res = pr_timer_add(1, 0, NULL, timers_test_cb, "test");
   fail_unless(res == 0, "Failed to add timer (%d): %s", res, strerror(errno));
--- a/proftpd-1.3.7a-fix-environment-sensitive-tests-failure.patch
+++ b/proftpd-1.3.7a-fix-environment-sensitive-tests-failure.patch
@ -1,84 +0,0 @@
 diff -ruNa proftpd-1.3.7a/tests/api/netacl.c proftpd-1.3.7a-fix/tests/api/netacl.c
 --- proftpd-1.3.7a/tests/api/netacl.c   2020-07-22 01:25:51.000000000 +0800
 +++ proftpd-1.3.7a-fix/tests/api/netacl.c       2021-01-13 14:44:00.679322360 +0800
@@ -773,8 +773,10 @@
   res = pr_netacl_match(acl, addr);
   if (getenv("TRAVIS") == NULL) {
 -    fail_unless(res == 1, "Failed to positively match ACL to addr: %s",
 -      strerror(errno));
 +    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
 +      fail_unless(res == 1, "Failed to positively match ACL to addr: %s",
 +        strerror(errno));
 +    }
   }
   if (!have_localdomain) {
@@ -790,8 +790,10 @@
   res = pr_netacl_match(acl, addr);
   if (getenv("TRAVIS") == NULL) {
 -    fail_unless(res == -1, "Failed to negatively match ACL to addr: %s",
 -      strerror(errno));
 +    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
 +      fail_unless(res == -1, "Failed to negatively match ACL to addr: %s",
 +        strerror(errno));
 +    }
   }
   acl_str = "!www.google.com";
@@ -816,8 +816,10 @@
   res = pr_netacl_match(acl, addr);
   if (getenv("TRAVIS") == NULL) {
 -    fail_unless(res == 1, "Failed to positively match ACL to addr: %s",
 -      strerror(errno));
 +    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
 +      fail_unless(res == 1, "Failed to positively match ACL to addr: %s",
 +        strerror(errno));
 +    }
   }
   if (!have_localdomain) {
@@ -833,8 +835,10 @@
   res = pr_netacl_match(acl, addr);
   if (getenv("TRAVIS") == NULL) {
 -    fail_unless(res == -1, "Failed to negatively match ACL to addr: %s",
 -      strerror(errno));
 +    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
 +      fail_unless(res == -1, "Failed to negatively match ACL to addr: %s",
 +        strerror(errno));
 +    }
   }
   acl_str = "!www.g*g.com";
 diff -ruNa proftpd-1.3.7a/tests/api/netaddr.c proftpd-1.3.7a-fix/tests/api/netaddr.c
 --- proftpd-1.3.7a/tests/api/netaddr.c  2021-01-13 14:30:47.467322360 +0800
 +++ proftpd-1.3.7a-fix/tests/api/netaddr.c      2021-01-13 14:42:45.851322360 +0800
@@ -417,7 +417,9 @@
   res = pr_netaddr_fnmatch(addr, "LOCAL*", flags);
   if (getenv("TRAVIS") == NULL) {
     /* This test is sensitive the environment. */
 -    fail_unless(res == TRUE, "Expected TRUE, got %d", res);
 +    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
 +      fail_unless(res == TRUE, "Expected TRUE, got %d", res);
 +    }
   }
   flags = PR_NETADDR_MATCH_IP;
@@ -879,9 +881,11 @@
    */
   if (getenv("TRAVIS") == NULL) {
     /* This test is sensitive the environment. */
 -    fail_unless(strcmp(res, "localhost") == 0 ||
 -                strcmp(res, "localhost.localdomain") == 0,
 -      "Expected '%s', got '%s'", "localhost or localhost.localdomain", res);
 +    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
 +      fail_unless(strcmp(res, "localhost") == 0 ||
 +                  strcmp(res, "localhost.localdomain") == 0,
 +        "Expected '%s', got '%s'", "localhost or localhost.localdomain", res);
 +    }
   }
 }
 END_TEST
--- a/proftpd-1.3.7a-netaddr-test.patch
+++ b/proftpd-1.3.7a-netaddr-test.patch
@ -1,22 +0,0 @@
 --- tests/api/netaddr.c
 +++ tests/api/netaddr.c
@@ -135,7 +135,8 @@ START_TEST (netaddr_get_addr_test) {
   res = pr_netaddr_get_addr(p, name, NULL);
   fail_unless(res == NULL, "Unexpected got address for '%s'", name);
 -  fail_unless(errno == ENOENT, "Expected ENOENT (%d), got %s (%d)", ENOENT,
 +  fail_unless(errno == ENOENT || errno == EAGAIN,
 +    "Expected ENOENT (%d) or EAGAIN (%d), got %s (%d)", ENOENT, EAGAIN,
     strerror(errno), errno);
   name = "localhost";
@@ -190,7 +191,8 @@ START_TEST (netaddr_get_addr_test) {
   res = pr_netaddr_get_addr(p, name, NULL);
   fail_unless(res == NULL, "Resolved '%s' unexpectedly", name);
 -  fail_unless(errno == ENOENT, "Expected ENOENT (%d), got %s (%d)", ENOENT,
 +  fail_unless(errno == ENOENT || errno == EAGAIN,
 +    "Expected ENOENT (%d) or EAGAIN (%d), got %s (%d)", ENOENT, EAGAIN,
     strerror(errno), errno);
 #if defined(PR_USE_IPV6)
--- a/proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch
+++ b/proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch
@ -0,0 +1,105 @@
 From cb0e408e8b82fa8c198d9dd95e5818d8431e9fd5 Mon Sep 17 00:00:00 2001
 From: chen-jan <chen_aka_jan@163.com>
 Date: Tue, 11 Apr 2023 16:55:34 +0800
 Subject: [PATCH] proftpd-1.3.8-fix-environment-sensitive-tests-failure
 ---
 tests/api/netacl.c  | 8 ++++++++
 tests/api/netaddr.c | 6 ++++++
 2 files changed, 14 insertions(+)
 diff --git a/tests/api/netacl.c b/tests/api/netacl.c
 index e4b0431..b91ecdb 100644
 --- a/tests/api/netacl.c
 +++ b/tests/api/netacl.c
@@ -775,8 +775,10 @@ START_TEST (netacl_match_test) {
   res = pr_netacl_match(acl, addr);
   if (getenv("CI") == NULL &&
       getenv("TRAVIS") == NULL) {
 +     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
     ck_assert_msg(res == 1, "Failed to positively match ACL to addr: %s",
       strerror(errno));
 +     }
   }
   if (!have_localdomain) {
@@ -793,8 +795,10 @@ START_TEST (netacl_match_test) {
   res = pr_netacl_match(acl, addr);
   if (getenv("CI") == NULL &&
       getenv("TRAVIS") == NULL) {
 +     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
     ck_assert_msg(res == -1, "Failed to negatively match ACL to addr: %s",
       strerror(errno));
 +     }
   }
   acl_str = "!www.google.com";
@@ -820,8 +824,10 @@ START_TEST (netacl_match_test) {
   res = pr_netacl_match(acl, addr);
   if (getenv("CI") == NULL &&
       getenv("TRAVIS") == NULL) {
 +     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
     ck_assert_msg(res == 1, "Failed to positively match ACL to addr: %s",
       strerror(errno));
 +     }
   }
   if (!have_localdomain) {
@@ -838,8 +844,10 @@ START_TEST (netacl_match_test) {
   res = pr_netacl_match(acl, addr);
   if (getenv("CI") == NULL &&
       getenv("TRAVIS") == NULL) {
 +     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
     ck_assert_msg(res == -1, "Failed to negatively match ACL to addr: %s",
       strerror(errno));
 +     }
   }
   acl_str = "!www.g*g.com";
 diff --git a/tests/api/netaddr.c b/tests/api/netaddr.c
 index e79b06c..b7dbeaf 100644
 --- a/tests/api/netaddr.c
 +++ b/tests/api/netaddr.c
@@ -424,8 +424,10 @@ START_TEST (netaddr_fnmatch_test) {
   res = pr_netaddr_fnmatch(addr, "LOCAL*", flags);
   if (getenv("CI") == NULL &&
       getenv("TRAVIS") == NULL) {
 +     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
     /* This test is sensitive the environment. */
     ck_assert_msg(res == TRUE, "Expected TRUE, got %d", res);
 +    }
   }
   flags = PR_NETADDR_MATCH_IP;
@@ -887,10 +889,12 @@ START_TEST (netaddr_get_dnsstr_test) {
    */
   if (getenv("CI") == NULL &&
       getenv("TRAVIS") == NULL) {
 +     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
     /* This test is sensitive the environment. */
     ck_assert_msg(strcmp(res, "localhost") == 0 ||
                 strcmp(res, "localhost.localdomain") == 0,
       "Expected '%s', got '%s'", "localhost or localhost.localdomain", res);
 +     }
   }
 }
 END_TEST
@@ -1011,6 +1015,7 @@ START_TEST (netaddr_get_dnsstr_ipv6_test) {
    */
   if (getenv("CI") == NULL &&
       getenv("TRAVIS") == NULL) {
 +     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
     ck_assert_msg(strcmp(res, "localhost") == 0 ||
                 strcmp(res, "localhost.localdomain") == 0 ||
                 strcmp(res, "localhost6") == 0 ||
@@ -1019,6 +1024,7 @@ START_TEST (netaddr_get_dnsstr_ipv6_test) {
                 strcmp(res, "ip6-loopback") == 0 ||
                 strcmp(res, ip) == 0,
       "Expected '%s', got '%s'", "localhost, localhost.localdomain et al", res);
 +     }
   }
 }
 END_TEST
 -- 
 2.39.1
--- a/proftpd-1.3.8-shellbang.patch
+++ b/proftpd-1.3.8-shellbang.patch
@ -4,7 +4,7 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
 # ---------------------------------------------------------------------------
- # Copyright (C) 2000-2020 TJ Saunders <tj@castaglia.org>
+ # Copyright (C) 2000-2021 TJ Saunders <tj@castaglia.org>
 #
 --- contrib/ftpmail
 +++ contrib/ftpmail
@ -37,4 +37,4 @@
 +#!/usr/bin/perl
 # ---------------------------------------------------------------------------
- # Copyright (C) 2008-2012 TJ Saunders <tj@castaglia.org>
+ # Copyright (C) 2008-2020 TJ Saunders <tj@castaglia.org>
--- a/proftpd-1.3.8b.tar.gz
+++ b/proftpd-1.3.8b.tar.gz
--- a/proftpd.spec
+++ b/proftpd.spec
@ -13,14 +13,14 @@
 # Do a hardened build where possible
 %global _hardened_build 1
-# Dynamic modules contain references to symbols in main dæmon, so we need to disable linker checks for undefined symbols
+# Dynamic modules contain references to symbols in main daemon, so we need to disable linker checks for undefined symbols
 %undefine _strict_symbol_defs_build
-%global mod_vroot_version 0.9.5
+%global mod_vroot_version 0.9.11
 Name:			proftpd
-Version:		1.3.7a
+Version:		1.3.8b
-Release:		2
+Release:		3
 Summary:		Flexible, stable and highly-configurable FTP server
 License:		GPLv2+
 URL:			http://www.proftpd.org/
@ -36,16 +36,14 @@ Source8:		proftpd-welcome.msg
 Source9:		proftpd.sysconfig
 Source10:		http://github.com/Castaglia/proftpd-mod_vroot/archive/v%{mod_vroot_version}.tar.gz
-Patch1:			proftpd-1.3.7-shellbang.patch
+Patch1:			proftpd-1.3.8-shellbang.patch
 Patch2:			proftpd.conf-no-memcached.patch
 Patch3:			proftpd-1.3.4rc1-mod_vroot-test.patch
 Patch4:			proftpd-1.3.6-no-mod-wrap.patch
 Patch5:			proftpd-1.3.6-no-mod-geoip.patch
 Patch6:			proftpd-1.3.7rc3-logging-not-systemd.patch
-Patch7:			proftpd-1.3.7a-check-api.patch
+Patch7:			proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch
-Patch8:			proftpd-1.3.7a-netaddr-test.patch
+Patch8:			backport-CVE-2024-48651.patch
 Patch9:                 proftpd-1.3.7a-fix-environment-sensitive-tests-failure.patch
 Patch10:                CVE-2021-46854.patch
 BuildRequires:		coreutils
 BuildRequires:		gcc
@ -59,6 +57,7 @@ BuildRequires:		openldap-devel
 BuildRequires:		openssl-devel
 BuildRequires:		pam-devel
 BuildRequires:		pcre-devel >= 7.0
 BuildRequires:		perl-generators
 BuildRequires:		perl-interpreter
 BuildRequires:		pkgconfig
 BuildRequires:		postgresql-devel
@ -66,6 +65,11 @@ BuildRequires:		sed
 BuildRequires:		sqlite-devel
 BuildRequires:		tar
 BuildRequires:		zlib-devel
 BuildRequires:		chrpath
 BuildRequires:		libidn2-devel
 BuildRequires:		libmemcached-devel >= 0.41
 BuildRequires:		pcre2-devel >= 10.30
 BuildRequires:		tcp_wrappers-devel
 # Test suite requirements
 BuildRequires:		check-devel
@ -103,6 +107,8 @@ Requires(preun):	chkconfig, initscripts
 Requires(postun):	initscripts
 %endif
 Requires:               coreutils
 Provides:		ftpserver
 %description
@ -137,6 +143,10 @@ Requires:	pkgconfig
 Requires:	postgresql-devel
 Requires:	sqlite-devel
 Requires:	zlib-devel
 Requires:	libmemcached-devel >= 0.41
 Requires:	pcre2-devel >= 10.30
 Requires:	tcp_wrappers-devel
 %description devel
 This package is required to build additional modules for ProFTPD.
@ -174,6 +184,9 @@ Summary:	ProFTPD - Additional utilities
 Requires:	%{name} = %{version}-%{release}
 Requires:	perl-interpreter
 BuildRequires:	perl(Crypt::Cracklib)
 Requires:	perl(Crypt::Cracklib)
 %description utils
 This package contains additional utilities for monitoring and configuring the
 ProFTPD server:
@ -231,15 +244,8 @@ sed -i -e '/killall/s/test.*/systemctl reload proftpd.service/' \
 %patch6
 %endif
-# Handle changed API in check 0.15
+%patch7 -p1
-# https://bugzilla.redhat.com/show_bug.cgi?id=1850198
+%patch8 -p1
 %patch7
 # getaddrinfo() can return EAGAIN in netaddr api test
 # https://github.com/proftpd/proftpd/pull/1075
 %patch8
 %patch9 -p1
 %patch10 -p1
 # Avoid docfile dependencies
 chmod -c -x contrib/xferstats.holger-preiss
@ -258,11 +264,14 @@ SMOD3=mod_ldap:mod_ban:mod_ctrls_admin:mod_facl:mod_load:mod_vroot
 SMOD4=mod_radius:mod_ratio:mod_rewrite:mod_site_misc:mod_exec:mod_shaper
 SMOD5=mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_copy:mod_deflate:mod_ifversion:mod_qos
 SMOD6=mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_tls_shmcache
 SMOD7=mod_unique_id
 %configure \
 			--libexecdir="%{_libexecdir}/proftpd" \
 			--localstatedir="%{rundir}/proftpd" \
 			--disable-strip \
 			--enable-memcache \
 			--enable-pcre2 \
 			--enable-ctrls \
 			--enable-dso \
 			--enable-facl \
@ -276,7 +285,7 @@ SMOD6=mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_tls_shmcache
 			--with-libraries="%{_libdir}/%{mysql_lib}" \
 			--with-includes="%{_includedir}/mysql" \
 			--with-modules=mod_readme:mod_auth_pam:mod_tls \
-			--with-shared=${SMOD1}:${SMOD2}:${SMOD3}:${SMOD4}:${SMOD5}:${SMOD6}:mod_ifsession
+			--with-shared=${SMOD1}:${SMOD2}:${SMOD3}:${SMOD4}:${SMOD5}:${SMOD6}:${SMOD7}:mod_ifsession
 %make_build
 %install
@ -317,6 +326,11 @@ install -p -m 644 contrib/dist/rpm/proftpd-tmpfs.conf \
 					%{buildroot}%{_prefix}/lib/tmpfiles.d/proftpd.conf
 %endif
 chrpath -d %{buildroot}%{_sbindir}/proftpd
 mkdir -p %{buildroot}/etc/ld.so.conf.d
 echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 # Find translations
 %find_lang proftpd
@ -326,7 +340,7 @@ install -p -m 644 contrib/dist/rpm/proftpd-tmpfs.conf \
 ln ftpdctl tests/
 make check
 %else
-# API tests should always be OK
+#API tests should always be OK
 export HOSTNAME=`cat /etc/hosts | grep 127.0.0.1 | head -1| awk '{print $2}'`
 if ! make -C tests api-tests; then
 	# Diagnostics to report upstream
@ -338,6 +352,10 @@ fi
 %endif
 %post
 if [ ! -f /var/run/proftpd/proftpd.delay ]; then
  touch /var/run/proftpd/proftpd.delay
 fi
 chcon -t user_home_t /var/run/proftpd/proftpd.delay
 %if %{use_systemd}
 systemctl daemon-reload &>/dev/null || :
 %endif
@ -356,10 +374,12 @@ if [ $1 -eq 1 ]; then
 		fi
 	done
 fi
 /sbin/ldconfig
 %preun
 if [ $1 -eq 0 ]; then
 	# Package removal, not upgrade
        rm -rf /var/run/proftpd/proftpd.delay
 %if %{use_systemd}
 	systemctl --no-reload disable proftpd.service &>/dev/null || :
 	systemctl stop proftpd.service &>/dev/null || :
@ -386,6 +406,7 @@ else
 	service xinetd reload &>/dev/null || :
 %endif
 fi
 /sbin/ldconfig
 %files -f proftpd.lang
 %if 0%{?_licensedir:1}
@ -415,6 +436,7 @@ fi
 %config(noreplace) %{_sysconfdir}/proftpd/mod_qos.conf
 %config(noreplace) %{_sysconfdir}/proftpd/mod_tls.conf
 %config(noreplace) %{_sysconfdir}/sysconfig/proftpd
 %config(noreplace) /etc/ld.so.conf.d/*
 %if %{use_systemd}
 %{_unitdir}/proftpd.service
 %{_unitdir}/proftpd.socket
@ -446,6 +468,7 @@ fi
 %{_libexecdir}/proftpd/mod_facl.so
 %{_libexecdir}/proftpd/mod_ifsession.so
 %{_libexecdir}/proftpd/mod_ifversion.so
 %{_libexecdir}/proftpd/mod_unique_id.so
 %{_libexecdir}/proftpd/mod_load.so
 %{_libexecdir}/proftpd/mod_qos.so
 %{_libexecdir}/proftpd/mod_quotatab.so
@ -507,6 +530,15 @@ fi
 %{_mandir}/man1/ftpwho.1*
 %changelog
 * Sat Nov 30 2024 liningjie <liningjie@xfusion.com> - 1.3.8b-3
 - fix CVE-2024-48651
 * Fri Jan 05 2024 Ge Wang <wang__ge@126.com> - 1.3.8b-2
 - Fix service error message due to selinux policy mismatch
 * Tue Dec 26 2023 wangkai <13474090681@163.com> - 1.3.8b-1
 - Update to 1.3.8b for fix CVE-2023-51713,CVE-2023-48795
 * Thu Dec 01 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 1.3.7a-2
 - Fix CVE-2021-46854
--- a/v0.9.11.tar.gz
+++ b/v0.9.11.tar.gz
--- a/v0.9.5.tar.gz
+++ b/v0.9.5.tar.gz
Author	SHA1	Message	Date
openeuler-ci-bot	021bf18c47	!72 fix CVE-2024-48651 From: @li_ning_jie Reviewed-by: @wk333 Signed-off-by: @wk333	2024-12-02 06:24:27 +00:00
李宁杰	60f688cfed	fix CVE-2024-48651	2024-12-02 11:27:59 +08:00
openeuler-ci-bot	c6ba40f528	!56 Fix service error message due to selinux policy mismatch From: @wang--ge Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2024-01-08 01:57:07 +00:00
wang--ge	4fa21c7cf2	Fix service error message due to selinux policy mismatch	2024-01-05 16:54:19 +08:00
openeuler-ci-bot	56b5e778c9	!41 Update to 1.3.8b for fix CVE-2023-51713,CVE-2023-48795 From: @wk333 Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2024-01-02 07:15:24 +00:00
wk333	372130217f	Update to 1.3.8b for fix CVE-2023-51713,CVE-2023-48795	2023-12-29 09:39:06 +08:00
openeuler-ci-bot	3e3c184ec9	!38 回退 'Pull Request !29 : Update to 1.3.8b for fix CVE-2023-51713,CVE-2023-48795' From: @caodongxia Reviewed-by: @small_leek Signed-off-by: @small_leek	2023-12-27 03:28:35 +00:00
caodongxia	7e83baef12	回退 'Pull Request !29 : Update to 1.3.8b for fix CVE-2023-51713,CVE-2023-48795'	2023-12-27 01:36:40 +00:00
openeuler-ci-bot	75d563debe	!29 Update to 1.3.8b for fix CVE-2023-51713,CVE-2023-48795 From: @wk333 Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2023-12-26 11:33:35 +00:00
wk333	b2360469c5	Update to 1.3.8b for fix CVE-2023-51713,CVE-2023-48795	2023-12-26 10:46:18 +08:00