From 7c0626d6c4a7e178e71a4059eeed54bd4690a060 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= Date: Wed, 25 Jul 2018 13:28:40 +0200 Subject: [PATCH] Fix a segfault when running as PID 1 Also rebase the patches. --- ...-provided-script-to-locate-libraries.patch | 4 +- 0002-Enable-build-with-SSL.patch | 4 +- 0003-Enable-build-with-TCP-Wrapper.patch | 4 +- ...-dir-for-config-files-instead-of-etc.patch | 4 +- ...en-calling-PAM-authentication-module.patch | 4 +- ...err-before-listening-for-incoming-co.patch | 4 +- 0007-Make-filename-filters-smarter.patch | 4 +- 0008-Write-denied-logins-into-the-log.patch | 18 +++--- ...itespaces-when-reading-configuration.patch | 4 +- 0010-Improve-daemonizing.patch | 4 +- ...-Fix-listing-with-more-than-one-star.patch | 4 +- ...lace-syscall-__NR_clone-.-with-clone.patch | 4 +- 0013-Extend-man-pages-with-systemd-info.patch | 4 +- ...dd-support-for-square-brackets-in-ls.patch | 4 +- 0015-Listen-on-IPv6-by-default.patch | 4 +- ...e-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch | 4 +- ...-an-issue-with-timestamps-during-DST.patch | 4 +- ...he-default-log-file-in-configuration.patch | 4 +- ...troduce-reverse_lookup_enable-option.patch | 18 +++--- ...d-int-for-uid-and-gid-representation.patch | 4 +- ...-support-for-DHE-based-cipher-suites.patch | 4 +- ...upport-for-EDDHE-based-cipher-suites.patch | 4 +- ...n-for-isolate_-options.-Correct-defa.patch | 4 +- 0024-Introduce-new-return-value-450.patch | 4 +- 0025-Improve-local_max_rate-option.patch | 4 +- 0026-Prevent-hanging-in-SIGCHLD-handler.patch | 4 +- 0027-Delete-files-when-upload-fails.patch | 12 ++-- 0028-Fix-man-page-rendering.patch | 4 +- 0029-Fix-segfault-in-config-file-parser.patch | 4 +- ...g-into-syslog-when-enabled-in-config.patch | 4 +- ...on-mark-wildcard-withing-a-file-name.patch | 4 +- ...errors-from-nfs-with-quota-to-client.patch | 12 ++-- ...ntroduce-TLSv1.1-and-TLSv1.2-options.patch | 4 +- ...omp-sandbox-because-it-is-too-strict.patch | 4 +- ...ment-patch-to-build-with-OpenSSL-1.1.patch | 4 +- 
0036-Redefine-VSFTP_COMMAND_FD-to-1.patch | 4 +- ...ationship-of-text_userdb_names-and-c.patch | 4 +- ...low_writeable_chroot-in-the-man-page.patch | 4 +- ...tation-of-ASCII-mode-in-the-man-page.patch | 4 +- 0040-Use-system-wide-crypto-policy.patch | 4 +- ...-default-for-ssl_ciphers-in-the-man-.patch | 4 +- ...AT-command-check-ssl_tlsv1_1-and-ssl.patch | 4 +- 0043-Enable-only-TLSv1.2-by-default.patch | 4 +- ...nymous_enable-in-default-config-file.patch | 4 +- ...on-of-ascii_-options-behaviour-in-ma.patch | 4 +- ...r-to-the-man-page-regarding-the-asci.patch | 4 +- 0047-Disable-tcp_wrappers-support.patch | 4 +- ...e-of-strict_ssl_read_eof-in-man-page.patch | 4 +- ...-generation-algorithm-for-STOU-comma.patch | 4 +- 0050-Don-t-link-with-libnsl.patch | 4 +- ...ation-of-better_stou-in-the-man-page.patch | 4 +- ...Pv6.patch => 0052-Fix-rDNS-with-IPv6.patch | 4 +- ...=> 0053-Always-do-chdir-after-chroot.patch | 4 +- ...imeo-Check-return-value-of-setsockop.patch | 4 +- ...tz-Check-the-return-value-of-syscall.patch | 4 +- ...atch => 0056-Log-die-calls-to-syslog.patch | 2 +- ...ssage-when-max-number-of-bind-attemp.patch | 4 +- ...e-max-number-of-bind-retries-tunable.patch | 2 +- ...when-running-in-a-container-as-PID-1.patch | 58 +++++++++++++++++++ vsftpd.spec | 22 ++++--- 60 files changed, 207 insertions(+), 145 deletions(-) rename 0001-Improve-documentation-of-better_stou-in-the-man-page.patch => 0051-Improve-documentation-of-better_stou-in-the-man-page.patch (92%) rename 0001-Fix-rDNS-with-IPv6.patch => 0052-Fix-rDNS-with-IPv6.patch (99%) rename 0002-Always-do-chdir-after-chroot.patch => 0053-Always-do-chdir-after-chroot.patch (91%) rename 0003-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch => 0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch (89%) rename 0004-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch => 0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch (97%) rename 0001-Log-die-calls-to-syslog.patch => 
0056-Log-die-calls-to-syslog.patch (99%) rename 0002-Improve-error-message-when-max-number-of-bind-attemp.patch => 0057-Improve-error-message-when-max-number-of-bind-attemp.patch (87%) rename 0003-Make-the-max-number-of-bind-retries-tunable.patch => 0058-Make-the-max-number-of-bind-retries-tunable.patch (97%) create mode 100644 0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch diff --git a/0001-Don-t-use-the-provided-script-to-locate-libraries.patch b/0001-Don-t-use-the-provided-script-to-locate-libraries.patch index fdeb69e..f4a67e3 100644 --- a/0001-Don-t-use-the-provided-script-to-locate-libraries.patch +++ b/0001-Don-t-use-the-provided-script-to-locate-libraries.patch @@ -1,7 +1,7 @@ From 7bd573d76e9c1996ad5a96f0289731a253a24301 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Tue, 6 Sep 2016 13:35:51 +0200 -Subject: [PATCH 01/33] Don't use the provided script to locate libraries. +Subject: [PATCH 01/59] Don't use the provided script to locate libraries. This branch is Fedora (RHEL) specific, so we know what libraries we have and want to use. @@ -23,5 +23,5 @@ index c63ed1b..98118dc 100644 LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now -- -2.7.4 +2.14.4 diff --git a/0002-Enable-build-with-SSL.patch b/0002-Enable-build-with-SSL.patch index 41180fa..e772099 100644 --- a/0002-Enable-build-with-SSL.patch +++ b/0002-Enable-build-with-SSL.patch @@ -1,7 +1,7 @@ From 6fe24bc56694808ac7f8038855883a971967f0fb Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Tue, 6 Sep 2016 13:40:53 +0200 -Subject: [PATCH 02/33] Enable build with SSL. +Subject: [PATCH 02/59] Enable build with SSL. --- builddefs.h | 2 +- @@ -21,5 +21,5 @@ index e908352..63cc62b 100644 #endif /* VSF_BUILDDEFS_H */ -- -2.7.4 +2.14.4 diff --git a/0003-Enable-build-with-TCP-Wrapper.patch b/0003-Enable-build-with-TCP-Wrapper.patch index baa8881..e656776 100644 --- a/0003-Enable-build-with-TCP-Wrapper.patch +++ b/0003-Enable-build-with-TCP-Wrapper.patch @@ -1,7 +1,7 @@ 
From 1e0e2b13836d40f5a3f4cb20f2b3ea8204115b51 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Tue, 6 Sep 2016 13:42:09 +0200 -Subject: [PATCH 03/33] Enable build with TCP Wrapper +Subject: [PATCH 03/59] Enable build with TCP Wrapper --- builddefs.h | 2 +- @@ -21,5 +21,5 @@ index 63cc62b..83de674 100644 #define VSF_BUILD_SSL -- -2.7.4 +2.14.4 diff --git a/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch b/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch index 4380365..e82cd84 100644 --- a/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch +++ b/0004-Use-etc-vsftpd-dir-for-config-files-instead-of-etc.patch @@ -1,7 +1,7 @@ From fff93602a4b252be8d674e27083dde68a7acf038 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Tue, 6 Sep 2016 13:46:03 +0200 -Subject: [PATCH 04/33] Use /etc/vsftpd/ dir for config files instead of /etc. +Subject: [PATCH 04/59] Use /etc/vsftpd/ dir for config files instead of /etc. --- EXAMPLE/INTERNET_SITE/README | 6 +++--- @@ -479,5 +479,5 @@ index fcc6022..5e46a2f 100644 .B vsftpd_log_file This option is the name of the file to which we write the vsftpd style -- -2.7.4 +2.14.4 diff --git a/0005-Use-hostname-when-calling-PAM-authentication-module.patch b/0005-Use-hostname-when-calling-PAM-authentication-module.patch index 7d8d7de..af842f5 100644 --- a/0005-Use-hostname-when-calling-PAM-authentication-module.patch +++ b/0005-Use-hostname-when-calling-PAM-authentication-module.patch @@ -1,7 +1,7 @@ From 08c49b78942d40c99fae8c40e7668aa73e1bd695 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Tue, 6 Sep 2016 15:01:23 +0200 -Subject: [PATCH 05/33] Use hostname when calling PAM authentication module. +Subject: [PATCH 05/59] Use hostname when calling PAM authentication module. Currently the vsftpd passes all logins as IP addresses into PAM. This prevents administrators from setting up @@ -71,5 +71,5 @@ index 06f01f4..b2782da 100644 if (retval != 1) { -- -2.7.4 +2.14.4 
diff --git a/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch b/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch index 22af9be..f030f35 100644 --- a/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch +++ b/0006-Close-stdin-out-err-before-listening-for-incoming-co.patch @@ -1,7 +1,7 @@ From 423cbf4ddca6578b87e0f8a3fc425688cd1ca89c Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Tue, 6 Sep 2016 16:18:39 +0200 -Subject: [PATCH 06/33] Close stdin/out/err before listening for incoming +Subject: [PATCH 06/59] Close stdin/out/err before listening for incoming connections. When running vsftpd as a stand-alone FTP daemon, vsftpd @@ -31,5 +31,5 @@ index ba01ab1..e0f2d5b 100644 if (vsf_sysutil_retval_is_error(retval)) { -- -2.7.4 +2.14.4 diff --git a/0007-Make-filename-filters-smarter.patch b/0007-Make-filename-filters-smarter.patch index 21c7b78..6db2d1a 100644 --- a/0007-Make-filename-filters-smarter.patch +++ b/0007-Make-filename-filters-smarter.patch @@ -1,7 +1,7 @@ From 548375b2122f83771dc0b8571f16e5b5adabba98 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Wed, 7 Sep 2016 10:04:31 +0200 -Subject: [PATCH 07/33] Make filename filters smarter. +Subject: [PATCH 07/59] Make filename filters smarter. In the original version vsftpd was not able to prevent users from downloading for instance /etc/passwd by @@ -98,5 +98,5 @@ index ab0a9a4..3a21b50 100644 /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string * buffer, starting at character position 'p_pos'. The extracted line will -- -2.7.4 +2.14.4 diff --git a/0008-Write-denied-logins-into-the-log.patch b/0008-Write-denied-logins-into-the-log.patch index 7a927ef..5e16953 100644 --- a/0008-Write-denied-logins-into-the-log.patch +++ b/0008-Write-denied-logins-into-the-log.patch @@ -1,7 +1,7 @@ From 75c172596aa9e7a9f32062579f7f98783341c924 Mon Sep 17 00:00:00 2001 
From: Martin Sehnoutka Date: Wed, 7 Sep 2016 10:17:17 +0200 -Subject: [PATCH 08/33] Write denied logins into the log. +Subject: [PATCH 08/59] Write denied logins into the log. This patch adds a new option 'userlist_log'. If enabled, every login denial based on the user list will be logged. @@ -127,21 +127,21 @@ diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 index 5e46a2f..9d767b1 100644 --- a/vsftpd.conf.5 +++ b/vsftpd.conf.5 -@@ -588,6 +588,14 @@ Self-signed certs do not constitute OK validation. (New in v2.0.6). +@@ -586,6 +586,14 @@ Default: NO + If set to yes, all SSL client certificates received must validate OK. + Self-signed certs do not constitute OK validation. (New in v2.0.6). - Default: NO - .TP ++Default: NO ++.TP +.B userlist_log +This option is examined if +.BR userlist_enable +is activated. If enabled, every login denial based on the user list will be +logged. + -+Default: NO -+.TP + Default: NO + .TP .B virtual_use_local_privs - If enabled, virtual users will use the same privileges as local users. By - default, virtual users will use the same privileges as anonymous users, which -- -2.7.4 +2.14.4 diff --git a/0009-Trim-whitespaces-when-reading-configuration.patch b/0009-Trim-whitespaces-when-reading-configuration.patch index 6aa8c70..97f3e4f 100644 --- a/0009-Trim-whitespaces-when-reading-configuration.patch +++ b/0009-Trim-whitespaces-when-reading-configuration.patch @@ -1,7 +1,7 @@ From d024bc27cee40f21e6a3841266062408c44e56fb Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Wed, 7 Sep 2016 10:35:54 +0200 -Subject: [PATCH 09/33] Trim whitespaces when reading configuration. +Subject: [PATCH 09/59] Trim whitespaces when reading configuration. --- parseconf.c | 2 +- @@ -95,5 +95,5 @@ index c34778c..c2ddd15 100644 void vsf_sysutil_memcpy(void* p_dest, const void* p_src, const unsigned int size); -- -2.7.4 +2.14.4 diff --git a/0010-Improve-daemonizing.patch b/0010-Improve-daemonizing.patch index 366bee6..d2de767 100644 
--- a/0010-Improve-daemonizing.patch +++ b/0010-Improve-daemonizing.patch @@ -1,7 +1,7 @@ From 569e7078244470ac0fcc2af3947c2735338555ec Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Wed, 7 Sep 2016 11:29:29 +0200 -Subject: [PATCH 10/33] Improve daemonizing +Subject: [PATCH 10/59] Improve daemonizing Init script gets correct return code if binding fails. --- @@ -205,5 +205,5 @@ index c2ddd15..bfc92cb 100644 /* Various string functions */ unsigned int vsf_sysutil_strlen(const char* p_text); -- -2.7.4 +2.14.4 diff --git a/0011-Fix-listing-with-more-than-one-star.patch b/0011-Fix-listing-with-more-than-one-star.patch index bc56d65..a675978 100644 --- a/0011-Fix-listing-with-more-than-one-star.patch +++ b/0011-Fix-listing-with-more-than-one-star.patch @@ -1,7 +1,7 @@ From 32e6642640635d7305969f808b5badb706a11bff Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Wed, 7 Sep 2016 11:36:17 +0200 -Subject: [PATCH 11/33] Fix listing with more than one star '*'. +Subject: [PATCH 11/59] Fix listing with more than one star '*'. This is a regression introduced by some previous patch. --- @@ -34,5 +34,5 @@ index f489478..616b2d9 100644 str_mid_to_end(&name_remain_str, &temp_str, indexx + str_getlen(&s_match_needed_str)); -- -2.7.4 +2.14.4 diff --git a/0012-Replace-syscall-__NR_clone-.-with-clone.patch b/0012-Replace-syscall-__NR_clone-.-with-clone.patch index de7aba4..84d01e6 100644 --- a/0012-Replace-syscall-__NR_clone-.-with-clone.patch +++ b/0012-Replace-syscall-__NR_clone-.-with-clone.patch @@ -1,7 +1,7 @@ From 0c3a1123c391995ab46cfde603fa025ff180a819 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Wed, 7 Sep 2016 11:43:54 +0200 -Subject: [PATCH 12/33] Replace syscall(__NR_clone ..) with clone () +Subject: [PATCH 12/59] Replace syscall(__NR_clone ..) with clone () in order to fix incorrect order of params on s390 arch --- @@ -31,5 +31,5 @@ index b2782da..3bbabaa 100644 { if (ret == 0) -- -2.7.4 +2.14.4 
diff --git a/0013-Extend-man-pages-with-systemd-info.patch b/0013-Extend-man-pages-with-systemd-info.patch index cde58f4..5dcd965 100644 --- a/0013-Extend-man-pages-with-systemd-info.patch +++ b/0013-Extend-man-pages-with-systemd-info.patch @@ -1,7 +1,7 @@ From 813a4bc45d45f4af94c699893cb2d2ba998d5d31 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Wed, 7 Sep 2016 11:53:07 +0200 -Subject: [PATCH 13/33] Extend man pages with systemd info. +Subject: [PATCH 13/59] Extend man pages with systemd info. Man pages now reflect how is vsftpd used as systemd service. @@ -82,5 +82,5 @@ index 9d767b1..0744f85 100644 The format of vsftpd.conf is very simple. Each line is either a comment or a directive. Comment lines start with a # and are ignored. A directive line -- -2.7.4 +2.14.4 diff --git a/0014-Add-support-for-square-brackets-in-ls.patch b/0014-Add-support-for-square-brackets-in-ls.patch index b53b9ee..27f5374 100644 --- a/0014-Add-support-for-square-brackets-in-ls.patch +++ b/0014-Add-support-for-square-brackets-in-ls.patch @@ -1,7 +1,7 @@ From ba0520650ae7f9f63e48ba9fb3a94297aebe2d0c Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Wed, 7 Sep 2016 14:22:21 +0200 -Subject: [PATCH 14/33] Add support for square brackets in ls. +Subject: [PATCH 14/59] Add support for square brackets in ls. --- ls.c | 222 +++++++++++++++++++++++++++++++++++++++++++++---------------------- @@ -273,5 +273,5 @@ index 616b2d9..b840136 100644 /* Any incoming string left means no match unless we ended on the correct * type of wildcard. -- -2.7.4 +2.14.4 diff --git a/0015-Listen-on-IPv6-by-default.patch b/0015-Listen-on-IPv6-by-default.patch index 1e7a7f6..b762b09 100644 --- a/0015-Listen-on-IPv6-by-default.patch +++ b/0015-Listen-on-IPv6-by-default.patch @@ -1,7 +1,7 @@ From c5daaedf1efe23b397a5950f5503f5cbfac871c8 Mon Sep 17 00:00:00 2001 
From: Martin Sehnoutka Date: Wed, 7 Sep 2016 14:25:28 +0200 -Subject: [PATCH 15/33] Listen on IPv6 by default. +Subject: [PATCH 15/59] Listen on IPv6 by default. --- vsftpd.conf | 14 +++++++++----- @@ -51,5 +51,5 @@ index 0744f85..72bb86f 100644 Default: NO .TP -- -2.7.4 +2.14.4 diff --git a/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch b/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch index 31779c2..fae6b9c 100644 --- a/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch +++ b/0016-Increase-VSFTP_AS_LIMIT-from-200UL-to-400UL.patch @@ -1,7 +1,7 @@ From 048208a4db5d7164d89ba5d7545e281d0a3472d3 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Wed, 7 Sep 2016 15:35:59 +0200 -Subject: [PATCH 16/33] Increase VSFTP_AS_LIMIT from 200UL to 400UL. +Subject: [PATCH 16/59] Increase VSFTP_AS_LIMIT from 200UL to 400UL. When using a PAM module to get users from LDAP or database the old limit was insufficient. @@ -23,5 +23,5 @@ index ca11eac..bde3232 100644 #endif /* VSF_DEFS_H */ -- -2.7.4 +2.14.4 diff --git a/0017-Fix-an-issue-with-timestamps-during-DST.patch b/0017-Fix-an-issue-with-timestamps-during-DST.patch index ec3af9f..f331433 100644 --- a/0017-Fix-an-issue-with-timestamps-during-DST.patch +++ b/0017-Fix-an-issue-with-timestamps-during-DST.patch @@ -1,7 +1,7 @@ From 5ec0b86e5c1ff060720b5a6cd1af9d93ec993650 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 29 Sep 2016 11:14:03 +0200 -Subject: [PATCH 17/33] Fix an issue with timestamps during DST. +Subject: [PATCH 17/59] Fix an issue with timestamps during DST. vsftpd now checks whether a file was uploaded during DST and adjust the timestamp accordingly. @@ -157,5 +157,5 @@ index c848356..2abdd13 100644 s_timezone *= -1; } -- -2.7.4 +2.14.4 diff --git a/0018-Change-the-default-log-file-in-configuration.patch b/0018-Change-the-default-log-file-in-configuration.patch index 990cf90..369a69c 100644 --- a/0018-Change-the-default-log-file-in-configuration.patch 
+++ b/0018-Change-the-default-log-file-in-configuration.patch @@ -1,7 +1,7 @@ From 61dac172bdb14c5a37713078828ea8c8f78c7eb6 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 29 Sep 2016 13:53:16 +0200 -Subject: [PATCH 18/33] Change the default log file in configuration. +Subject: [PATCH 18/59] Change the default log file in configuration. Previous "default" value was wrong. tunables.c:262 => install_str_setting("/var/log/xferlog", @@ -39,5 +39,5 @@ index ae6c6c9..39d1955 100644 # If you want, you can have your log file in standard ftpd xferlog format. # Note that the default log file location is /var/log/xferlog in this case. -- -2.7.4 +2.14.4 diff --git a/0019-Introduce-reverse_lookup_enable-option.patch b/0019-Introduce-reverse_lookup_enable-option.patch index dbf01c0..85023c1 100644 --- a/0019-Introduce-reverse_lookup_enable-option.patch +++ b/0019-Introduce-reverse_lookup_enable-option.patch @@ -1,7 +1,7 @@ From 721de88621100f6ed33f1602415bc249f3ed3219 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 10:22:32 +0100 -Subject: [PATCH 19/33] Introduce reverse_lookup_enable option. +Subject: [PATCH 19/59] Introduce reverse_lookup_enable option. vsftpd can transform IP address into hostname before PAM authentication. You can disable it to prevent @@ -88,10 +88,12 @@ diff --git a/vsftpd.conf.5 b/vsftpd.conf.5 index 72bb86f..fb6324e 100644 --- a/vsftpd.conf.5 +++ b/vsftpd.conf.5 -@@ -425,6 +425,15 @@ http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html +@@ -423,6 +423,15 @@ so you may want to disable it. For a discussion of the consequences, see + http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html + (Added in v2.1.0). - Default: YES - .TP ++Default: YES ++.TP +.B reverse_lookup_enable +Set to YES if you want vsftpd to transform the ip address into the hostname, +before pam authentication. This is useful if you use pam_access including the 
@@ -99,11 +101,9 @@ index 72bb86f..fb6324e 100644 +for some hostname is available and the name server doesn't respond for a while, +you should set this to NO to avoid a performance issue. + -+Default: YES -+.TP + Default: YES + .TP .B run_as_launching_user - Set to YES if you want vsftpd to run as the user which launched vsftpd. This is - useful where root access is not available. MASSIVE WARNING! Do NOT enable this -- -2.7.4 +2.14.4 diff --git a/0020-Use-unsigned-int-for-uid-and-gid-representation.patch b/0020-Use-unsigned-int-for-uid-and-gid-representation.patch index f5cd8f0..ac3ac1f 100644 --- a/0020-Use-unsigned-int-for-uid-and-gid-representation.patch +++ b/0020-Use-unsigned-int-for-uid-and-gid-representation.patch @@ -1,7 +1,7 @@ From dcaaf1e0dd3985e229a87de18b83f301d30b6ce9 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 10:31:39 +0100 -Subject: [PATCH 20/33] Use unsigned int for uid and gid representation. +Subject: [PATCH 20/59] Use unsigned int for uid and gid representation. --- ls.c | 4 ++-- @@ -246,5 +246,5 @@ index bfc92cb..79b5514 100644 void vsf_sysutil_setegid(const struct vsf_sysutil_user* p_user); void vsf_sysutil_seteuid_numeric(int uid); -- -2.7.4 +2.14.4 diff --git a/0021-Introduce-support-for-DHE-based-cipher-suites.patch b/0021-Introduce-support-for-DHE-based-cipher-suites.patch index ad7e5ba..1abe1e4 100644 --- a/0021-Introduce-support-for-DHE-based-cipher-suites.patch +++ b/0021-Introduce-support-for-DHE-based-cipher-suites.patch @@ -1,7 +1,7 @@ From 4eac1dbb5f70a652d31847eec7c28d245f36cdbb Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 10:48:28 +0100 -Subject: [PATCH 21/33] Introduce support for DHE based cipher suites. +Subject: [PATCH 21/59] Introduce support for DHE based cipher suites. --- parseconf.c | 1 + @@ -222,5 +222,5 @@ index fb6324e..ff94eca 100644 This option can be used to provide an alternate file for usage by the .BR secure_email_list_enable -- -2.7.4 +2.14.4 
diff --git a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch index b4eb574..1428b86 100644 --- a/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch +++ b/0022-Introduce-support-for-EDDHE-based-cipher-suites.patch @@ -1,7 +1,7 @@ From a6d641a0ccba1033587f6faa0e5e6749fa35f5c4 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 10:49:22 +0100 -Subject: [PATCH 22/33] Introduce support for EDDHE based cipher suites. +Subject: [PATCH 22/59] Introduce support for EDDHE based cipher suites. --- parseconf.c | 1 + @@ -132,5 +132,5 @@ index ff94eca..e242873 100644 This option can be used to provide an alternate file for usage by the .BR secure_email_list_enable -- -2.7.4 +2.14.4 diff --git a/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch b/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch index 077d261..7cc0bfa 100644 --- a/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch +++ b/0023-Add-documentation-for-isolate_-options.-Correct-defa.patch @@ -1,7 +1,7 @@ From 3d02ef3be17f37baf729e786a8f36af4982f70ad Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 10:52:16 +0100 -Subject: [PATCH 23/33] Add documentation for isolate_* options. Correct +Subject: [PATCH 23/59] Add documentation for isolate_* options. Correct default values of max_clients, max_per_ip. @@ -59,5 +59,5 @@ index e242873..31d317f 100644 .B pasv_max_port The maximum port to allocate for PASV style data connections. Can be used to -- -2.7.4 +2.14.4 diff --git a/0024-Introduce-new-return-value-450.patch b/0024-Introduce-new-return-value-450.patch index f8c7b8c..86c5f8e 100644 --- a/0024-Introduce-new-return-value-450.patch +++ b/0024-Introduce-new-return-value-450.patch @@ -1,7 +1,7 @@ From 1d5cdf309387ff92988ab17d746f015d833a4b92 Mon Sep 17 00:00:00 2001 
From: Martin Sehnoutka Date: Thu, 17 Nov 2016 11:08:52 +0100 -Subject: [PATCH 24/33] Introduce new return value 450: +Subject: [PATCH 24/59] Introduce new return value 450: *450 Requested file action not taken. File unavailable (e.g., file busy). @@ -73,5 +73,5 @@ index 79b5514..c145bdf 100644 enum EVSFSysUtilError vsf_sysutil_get_error(void); -- -2.7.4 +2.14.4 diff --git a/0025-Improve-local_max_rate-option.patch b/0025-Improve-local_max_rate-option.patch index 3560d87..e78f825 100644 --- a/0025-Improve-local_max_rate-option.patch +++ b/0025-Improve-local_max_rate-option.patch @@ -1,7 +1,7 @@ From 386db86fe865fb552b1867af4bf4b78dbf9080cf Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 12:44:26 +0100 -Subject: [PATCH 25/33] Improve local_max_rate option. +Subject: [PATCH 25/59] Improve local_max_rate option. Now it should work as expected. --- @@ -86,5 +86,5 @@ index 956bfb7..3e8fdd5 100644 /* Details of the login */ int is_anonymous; -- -2.7.4 +2.14.4 diff --git a/0026-Prevent-hanging-in-SIGCHLD-handler.patch b/0026-Prevent-hanging-in-SIGCHLD-handler.patch index 9b186a8..f928cbc 100644 --- a/0026-Prevent-hanging-in-SIGCHLD-handler.patch +++ b/0026-Prevent-hanging-in-SIGCHLD-handler.patch @@ -1,7 +1,7 @@ From 1e65a0a15f819b8bf1b551bd84f71d0da1f5a00c Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 13:02:27 +0100 -Subject: [PATCH 26/33] Prevent hanging in SIGCHLD handler. +Subject: [PATCH 26/59] Prevent hanging in SIGCHLD handler. vsftpd can now handle pam_exec.so in pam.d config without hanging in SIGCHLD handler. @@ -77,5 +77,5 @@ index 33d84dc..b1891e7 100644 else { -- -2.7.4 +2.14.4 diff --git a/0027-Delete-files-when-upload-fails.patch b/0027-Delete-files-when-upload-fails.patch index 98222e1..94a00bf 100644 --- a/0027-Delete-files-when-upload-fails.patch +++ b/0027-Delete-files-when-upload-fails.patch @@ -1,7 +1,7 @@ From 6224ecc5ac209323baa775880c0602c3fde3590a Mon Sep 17 00:00:00 2001 
From: Martin Sehnoutka Date: Thu, 17 Nov 2016 13:10:41 +0100 -Subject: [PATCH 27/33] Delete files when upload fails. +Subject: [PATCH 27/59] Delete files when upload fails. Previously the uploaded file wasn't removed when the network was disconnected. Now it is successfully deleted. @@ -104,10 +104,11 @@ diff --git a/sysutil.c b/sysutil.c index 099748f..42bcdf8 100644 --- a/sysutil.c +++ b/sysutil.c -@@ -681,6 +681,16 @@ vsf_sysutil_activate_keepalive(int fd) +@@ -680,6 +680,16 @@ vsf_sysutil_activate_keepalive(int fd) + } } - void ++void +vsf_sysutil_rcvtimeo(int fd) +{ + struct timeval tv; @@ -117,10 +118,9 @@ index 099748f..42bcdf8 100644 + setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(struct timeval)); +} + -+void + void vsf_sysutil_activate_reuseaddr(int fd) { - int reuseaddr = 1; diff --git a/sysutil.h b/sysutil.h index 13153cd..2886bbc 100644 --- a/sysutil.h @@ -134,5 +134,5 @@ index 13153cd..2886bbc 100644 void vsf_sysutil_activate_reuseaddr(int fd); void vsf_sysutil_set_nodelay(int fd); -- -2.7.4 +2.14.4 diff --git a/0028-Fix-man-page-rendering.patch b/0028-Fix-man-page-rendering.patch index 4d6e5e7..e91d6dc 100644 --- a/0028-Fix-man-page-rendering.patch +++ b/0028-Fix-man-page-rendering.patch @@ -1,7 +1,7 @@ From ea99be1a7a5973bbe8ed798b65abe5ce3b92f5df Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 13:12:52 +0100 -Subject: [PATCH 28/33] Fix man page rendering. +Subject: [PATCH 28/59] Fix man page rendering. --- vsftpd.conf.5 | 3 ++- @@ -22,5 +22,5 @@ index 31d317f..cf1ae34 100644 (New in v2.0.7). -- -2.7.4 +2.14.4 diff --git a/0029-Fix-segfault-in-config-file-parser.patch b/0029-Fix-segfault-in-config-file-parser.patch index 899bbd3..65cb571 100644 --- a/0029-Fix-segfault-in-config-file-parser.patch +++ b/0029-Fix-segfault-in-config-file-parser.patch @@ -1,7 +1,7 @@ From 34b9e1d10c6be736f1b20be8795c655446f38c5e Mon Sep 17 00:00:00 2001 
From: Martin Sehnoutka Date: Thu, 17 Nov 2016 13:14:55 +0100 -Subject: [PATCH 29/33] Fix segfault in config file parser. +Subject: [PATCH 29/59] Fix segfault in config file parser. --- str.c | 2 +- @@ -21,5 +21,5 @@ index 41b27db..82b8ae4 100644 void -- -2.7.4 +2.14.4 diff --git a/0030-Fix-logging-into-syslog-when-enabled-in-config.patch b/0030-Fix-logging-into-syslog-when-enabled-in-config.patch index c828c27..04669c7 100644 --- a/0030-Fix-logging-into-syslog-when-enabled-in-config.patch +++ b/0030-Fix-logging-into-syslog-when-enabled-in-config.patch @@ -1,7 +1,7 @@ From 03ff061f18f555d7bec62fa6a597a275b4b3f1c7 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 13:18:22 +0100 -Subject: [PATCH 30/33] Fix logging into syslog when enabled in config. +Subject: [PATCH 30/59] Fix logging into syslog when enabled in config. --- logging.c | 2 +- @@ -21,5 +21,5 @@ index 99671b4..c4461f7 100644 if (!tunable_xferlog_enable && !tunable_dual_log_enable) { -- -2.7.4 +2.14.4 diff --git a/0031-Fix-question-mark-wildcard-withing-a-file-name.patch b/0031-Fix-question-mark-wildcard-withing-a-file-name.patch index 457404b..acc8f6d 100644 --- a/0031-Fix-question-mark-wildcard-withing-a-file-name.patch +++ b/0031-Fix-question-mark-wildcard-withing-a-file-name.patch @@ -1,7 +1,7 @@ From 0da42468ac9518a544aad57d22d7697d6bdfa969 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 13:25:12 +0100 -Subject: [PATCH 31/33] Fix question mark wildcard withing a file name. +Subject: [PATCH 31/59] Fix question mark wildcard withing a file name. Previously '?' worked only at the end of a file name, now it can be used anywhere. @@ -24,5 +24,5 @@ index 3c0988c..35c15c7 100644 /* Any incoming string left means no match unless we ended on the correct * type of wildcard. -- -2.7.4 +2.14.4 diff --git a/0032-Propagate-errors-from-nfs-with-quota-to-client.patch b/0032-Propagate-errors-from-nfs-with-quota-to-client.patch index 46a60c4..de56aa7 100644 
--- a/0032-Propagate-errors-from-nfs-with-quota-to-client.patch +++ b/0032-Propagate-errors-from-nfs-with-quota-to-client.patch @@ -1,7 +1,7 @@ From aa9cb48373018502ef99a57aad70b69c0c75ff65 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 13:29:59 +0100 -Subject: [PATCH 32/33] Propagate errors from nfs with quota to client. +Subject: [PATCH 32/59] Propagate errors from nfs with quota to client. vsftpd now checks for errors when closing newly uploaded file and forward errors to the client (e.g. when file system quota was @@ -102,10 +102,11 @@ diff --git a/sysutil.c b/sysutil.c index 42bcdf8..1c0422e 100644 --- a/sysutil.c +++ b/sysutil.c -@@ -1269,6 +1269,27 @@ vsf_sysutil_close(int fd) +@@ -1268,6 +1268,27 @@ vsf_sysutil_close(int fd) + } } - int ++int +vsf_sysutil_close_errno(int fd) +{ + while (1) @@ -126,10 +127,9 @@ index 42bcdf8..1c0422e 100644 + } +} + -+int + int vsf_sysutil_close_failok(int fd) { - return close(fd); diff --git a/sysutil.h b/sysutil.h index 2886bbc..be727f5 100644 --- a/sysutil.h @@ -143,5 +143,5 @@ index 2886bbc..be727f5 100644 int vsf_sysutil_unlink(const char* p_dead); int vsf_sysutil_write_access(const char* p_filename); -- -2.7.4 +2.14.4 diff --git a/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch b/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch index a7254e2..8d6228e 100644 --- a/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch +++ b/0033-Introduce-TLSv1.1-and-TLSv1.2-options.patch @@ -1,7 +1,7 @@ From 01bef55a1987700af3d43cdc5f5be88d3843ab85 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Thu, 17 Nov 2016 13:36:17 +0100 -Subject: [PATCH 33/33] Introduce TLSv1.1 and TLSv1.2 options. +Subject: [PATCH 33/59] Introduce TLSv1.1 and TLSv1.2 options. Users can now enable a specific version of TLS protocol. --- @@ -149,5 +149,5 @@ index cf1ae34..a3d569e 100644 .B user_config_dir This powerful option allows the override of any config option specified in -- -2.7.4 +2.14.4 
diff --git a/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch b/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch index 62fb66b..0c0bdb7 100644 --- a/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch +++ b/0034-Turn-off-seccomp-sandbox-because-it-is-too-strict.patch @@ -1,7 +1,7 @@ From 4922e60589326540b2ee4f0bdfd6cb95f645f3d5 Mon Sep 17 00:00:00 2001 From: Martin Sehnoutka Date: Fri, 18 Nov 2016 10:23:29 +0100 -Subject: [PATCH] Turn off seccomp sandbox, because it is too strict. +Subject: [PATCH 34/59] Turn off seccomp sandbox, because it is too strict. --- tunables.c | 2 +- @@ -21,5 +21,5 @@ index 78f2bcd..5440c00 100644 tunable_accept_timeout = 60; -- -2.7.4 +2.14.4 diff --git a/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch b/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch index ab3f35c..1cebc18 100644 --- a/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch +++ b/0035-Modify-DH-enablement-patch-to-build-with-OpenSSL-1.1.patch @@ -1,7 +1,7 @@ From 6c8dd87f311e411bcb1c72c1c780497881a5621c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?= Date: Mon, 4 Sep 2017 11:32:03 +0200 -Subject: [PATCH 35/35] Modify DH enablement patch to build with OpenSSL 1.1 +Subject: [PATCH 35/59] Modify DH enablement patch to build with OpenSSL 1.1 --- ssl.c | 41 ++++++++++++++++++++++++++++++++++++++--- @@ -70,5 +70,5 @@ index ba8a613..09ec96a 100644 return NULL; } -- -2.9.5 +2.14.4 diff --git a/0036-Redefine-VSFTP_COMMAND_FD-to-1.patch b/0036-Redefine-VSFTP_COMMAND_FD-to-1.patch index 7f1911a..4299b23 100644 --- a/0036-Redefine-VSFTP_COMMAND_FD-to-1.patch +++ b/0036-Redefine-VSFTP_COMMAND_FD-to-1.patch @@ -1,7 +1,7 @@ From 18e0ab25a0d66088728b506cf64f5545637eda26 Mon Sep 17 00:00:00 2001 
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Tue, 5 Sep 2017 14:26:08 +0200
-Subject: [PATCH 36/36] Redefine VSFTP_COMMAND_FD to 1
+Subject: [PATCH 36/59] Redefine VSFTP_COMMAND_FD to 1
 Redefine VSFTP_COMMAND_FD to 1 (stdout) so that error messages
 generated during startup are picked up by systemd.
@@ -25,5 +25,5 @@ index bde3232..315f0f0 100644
 #define VSFTP_PASSWORD_MAX 128
 #define VSFTP_USERNAME_MAX 128
 --
-2.9.5
+2.14.4
diff --git a/0037-Document-the-relationship-of-text_userdb_names-and-c.patch b/0037-Document-the-relationship-of-text_userdb_names-and-c.patch
index 7bf92ae..ae188d7 100644
--- a/0037-Document-the-relationship-of-text_userdb_names-and-c.patch
+++ b/0037-Document-the-relationship-of-text_userdb_names-and-c.patch
@@ -1,7 +1,7 @@
 From 221f35f302d53f5a89f8e79592492e7cb322e81a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Thu, 26 Oct 2017 13:08:32 +0200
-Subject: [PATCH 37/37] Document the relationship of text_userdb_names and
+Subject: [PATCH 37/59] Document the relationship of text_userdb_names and
 chroot_local_user
 Note in vsftpd.conf(5) that text_userdb_names may not work when
@@ -25,5 +25,5 @@ index a3d569e..45b3f9c 100644
 Default: NO
 .TP
 --
-2.14.3
+2.14.4
diff --git a/0038-Document-allow_writeable_chroot-in-the-man-page.patch b/0038-Document-allow_writeable_chroot-in-the-man-page.patch
index f8d8c1d..ca073d3 100644
--- a/0038-Document-allow_writeable_chroot-in-the-man-page.patch
+++ b/0038-Document-allow_writeable_chroot-in-the-man-page.patch
@@ -1,7 +1,7 @@
 From 35ec3be5427a54facd5f6299fda2da4c146d4846 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Fri, 24 Nov 2017 11:22:43 +0100
-Subject: [PATCH 38/38] Document allow_writeable_chroot in the man page
+Subject: [PATCH 38/59] Document allow_writeable_chroot in the man page
 ---
 vsftpd.conf.5 | 9 +++++++++
@@ -28,5 +28,5 @@ index 45b3f9c..d1f0db5 100644
 .TP
 .B anon_mkdir_write_enable
 --
-2.14.3
+2.14.4
diff --git a/0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch b/0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
index 4b32923..307ce35 100644
--- a/0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
+++ b/0039-Improve-documentation-of-ASCII-mode-in-the-man-page.patch
@@ -1,7 +1,7 @@
 From 7d4b76abb437184fa692533cb5537318026a30e8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Fri, 24 Nov 2017 11:26:37 +0100
-Subject: [PATCH 39/39] Improve documentation of ASCII mode in the man page
+Subject: [PATCH 39/59] Improve documentation of ASCII mode in the man page
 ---
 vsftpd.conf.5 | 6 ++++++
@@ -30,5 +30,5 @@ index d1f0db5..3ca55e4 100644
 Default: NO
 .TP
 --
-2.14.3
+2.14.4
diff --git a/0040-Use-system-wide-crypto-policy.patch b/0040-Use-system-wide-crypto-policy.patch
index d79530b..f59ba2b 100644
--- a/0040-Use-system-wide-crypto-policy.patch
+++ b/0040-Use-system-wide-crypto-policy.patch
@@ -1,7 +1,7 @@
 From b83be8b4f86bf1a8a6de4802a9486d084c4a46cd Mon Sep 17 00:00:00 2001
 From: Martin Sehnoutka
 Date: Tue, 29 Aug 2017 10:32:16 +0200
-Subject: [PATCH 40/40] Use system wide crypto policy
+Subject: [PATCH 40/59] Use system wide crypto policy
 Resolves: rhbz#1483970
 ---
@@ -23,5 +23,5 @@ index 5440c00..354251c 100644
 install_str_setting(0, &tunable_dsa_private_key_file);
 install_str_setting(0, &tunable_ca_certs_file);
 --
-2.14.3
+2.14.4
diff --git a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
index e004e0f..8b26c7b 100644
--- a/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
+++ b/0041-Document-the-new-default-for-ssl_ciphers-in-the-man-.patch
@@ -1,7 +1,7 @@
 From 2369d1ea5144d525d315aba90da528e7d9bfd1cc Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Thu, 21 Dec 2017 14:19:18 +0100
-Subject: [PATCH 41/41] Document the new default for ssl_ciphers in the man
+Subject: [PATCH 41/59] Document the new default for ssl_ciphers in the man
 page
 Related: rhbz#1483970
@@ -27,5 +27,5 @@ index 3ca55e4..2a7662e 100644
 .B user_config_dir
 This powerful option allows the override of any config option specified in
 --
-2.14.3
+2.14.4
diff --git a/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch b/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
index 542cd69..250a44c 100644
--- a/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
+++ b/0042-When-handling-FEAT-command-check-ssl_tlsv1_1-and-ssl.patch
@@ -1,7 +1,7 @@
 From 1c280a0b04e58ec63ce9ab5eb8d0ffe5ebbae115 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Thu, 21 Dec 2017 14:29:25 +0100
-Subject: [PATCH 42/42] When handling FEAT command, check ssl_tlsv1_1 and
+Subject: [PATCH 42/59] When handling FEAT command, check ssl_tlsv1_1 and
 ssl_tlsv1_2
 Send 'AUTH SSL' in reply to the FEAT command when the ssl_tlsv1_1
@@ -28,5 +28,5 @@ index 1212980..d024366 100644
 vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
 }
 --
-2.14.3
+2.14.4
diff --git a/0043-Enable-only-TLSv1.2-by-default.patch b/0043-Enable-only-TLSv1.2-by-default.patch
index ca8b1d3..eb157f8 100644
--- a/0043-Enable-only-TLSv1.2-by-default.patch
+++ b/0043-Enable-only-TLSv1.2-by-default.patch
@@ -1,7 +1,7 @@
 From 75c942c77aa575143c5b75637e64a925ad12641a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Thu, 21 Dec 2017 16:38:40 +0100
-Subject: [PATCH 43/43] Enable only TLSv1.2 by default
+Subject: [PATCH 43/59] Enable only TLSv1.2 by default
 Disable TLSv1 and TLSv1.1 - enable only TLSv1.2 by default.
 ---
@@ -49,5 +49,5 @@ index 2a7662e..df14027 100644
 .B ssl_tlsv1_2
 Only applies if
 --
-2.14.3
+2.14.4
diff --git a/0044-Disable-anonymous_enable-in-default-config-file.patch b/0044-Disable-anonymous_enable-in-default-config-file.patch
index cc9eace..4e62d76 100644
--- a/0044-Disable-anonymous_enable-in-default-config-file.patch
+++ b/0044-Disable-anonymous_enable-in-default-config-file.patch
@@ -1,7 +1,7 @@
 From ffaeebcfdb56ba75392af21c68c0bac78a226b55 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Tue, 2 Jan 2018 09:54:43 +0100
-Subject: [PATCH 44/44] Disable anonymous_enable in default config file
+Subject: [PATCH 44/59] Disable anonymous_enable in default config file
 Resolves: rhbz#1338637
 ---
@@ -22,5 +22,5 @@ index 39d1955..4626c1b 100644
 # Uncomment this to allow local users to log in.
 # When SELinux is enforcing check for SE bool ftp_home_dir
 --
-2.14.3
+2.14.4
diff --git a/0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch b/0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
index b4a6f59..2243790 100644
--- a/0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
+++ b/0045-Expand-explanation-of-ascii_-options-behaviour-in-ma.patch
@@ -1,7 +1,7 @@
 From 61327320b54a59e319c522151f7a61c74ec94f2f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Tue, 2 Jan 2018 16:25:55 +0100
-Subject: [PATCH 45/46] Expand explanation of ascii_* options behaviour in man
+Subject: [PATCH 45/59] Expand explanation of ascii_* options behaviour in man
 page
 ---
@@ -48,5 +48,5 @@ index df14027..a5abeb2 100644
 Default: NO
 .TP
 --
-2.14.3
+2.14.4
diff --git a/0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch b/0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
index 9e8b8ea..61ed691 100644
--- a/0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
+++ b/0046-vsftpd.conf-Refer-to-the-man-page-regarding-the-asci.patch
@@ -1,7 +1,7 @@
 From 446f7c1ec54e06b5da2e890e0cd8fbd7308322c9 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Tue, 2 Jan 2018 16:33:18 +0100
-Subject: [PATCH 46/46] vsftpd.conf: Refer to the man page regarding the
+Subject: [PATCH 46/59] vsftpd.conf: Refer to the man page regarding the
 ascii_* options
 ---
@@ -23,5 +23,5 @@ index 4626c1b..e70bc6d 100644
 # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
 # predicted this attack and has always been safe, reporting the size of the
 --
-2.14.3
+2.14.4
diff --git a/0047-Disable-tcp_wrappers-support.patch b/0047-Disable-tcp_wrappers-support.patch
index ce64f2d..f71aab0 100644
--- a/0047-Disable-tcp_wrappers-support.patch
+++ b/0047-Disable-tcp_wrappers-support.patch
@@ -1,7 +1,7 @@
 From b383ec42bb750419fea102fccf36af5216145eb2 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Fri, 5 Jan 2018 09:17:13 +0100
-Subject: [PATCH 47/48] Disable tcp_wrappers support
+Subject: [PATCH 47/59] Disable tcp_wrappers support
 Resolves: rhbz#1518796
 ---
@@ -45,5 +45,5 @@ index e70bc6d..6b8eebb 100644
 userlist_enable=YES
 -tcp_wrappers=YES
 --
-2.14.3
+2.14.4
diff --git a/0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch b/0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch
index 5fbb2cc..513e128 100644
--- a/0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch
+++ b/0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch
@@ -1,7 +1,7 @@
 From 9cba9e81aa96e1d64ae2eaaf88330e09dadfce79 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Fri, 5 Jan 2018 09:40:09 +0100
-Subject: [PATCH 48/48] Fix default value of strict_ssl_read_eof in man page
+Subject: [PATCH 48/59] Fix default value of strict_ssl_read_eof in man page
 ---
 vsftpd.conf.5 | 5 ++---
@@ -25,5 +25,5 @@ index a5abeb2..43b0435 100644
 .B strict_ssl_write_shutdown
 If enabled, SSL data downloads are required to terminate via SSL, not an
 --
-2.14.3
+2.14.4
diff --git a/0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch b/0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch
index bfbb871..22745b5 100644
--- a/0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch
+++ b/0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch
@@ -1,7 +1,7 @@
 From 1203b943b369651d96d057f8190f14f015e6ff0b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Tue, 6 Feb 2018 13:30:44 +0100
-Subject: [PATCH 49/49] Add new filename generation algorithm for STOU command
+Subject: [PATCH 49/59] Add new filename generation algorithm for STOU command
 A new configuration option 'better_stou' can be used to enable a better
 algorithm for generating unique filenames.
@@ -318,5 +318,5 @@ index 43b0435..6911a73 100644
 .TP
 .B anon_mkdir_write_enable
 --
-2.14.3
+2.14.4
diff --git a/0050-Don-t-link-with-libnsl.patch b/0050-Don-t-link-with-libnsl.patch
index c907980..8b626bb 100644
--- a/0050-Don-t-link-with-libnsl.patch
+++ b/0050-Don-t-link-with-libnsl.patch
@@ -1,7 +1,7 @@
 From f8663f35d5d150f0533bb052e48306b9a5111d87 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Tue, 6 Feb 2018 18:04:53 +0100
-Subject: [PATCH 50/50] Don't link with libnsl
+Subject: [PATCH 50/59] Don't link with libnsl
 Don't link with libnsl. It builds just fine without it and
 vsf_findlibs.sh enables it only when tcp_wrappers is enabled.
@@ -23,5 +23,5 @@ index 612994e..0f7411c 100644
 LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
 --
-2.14.3
+2.14.4
diff --git a/0001-Improve-documentation-of-better_stou-in-the-man-page.patch b/0051-Improve-documentation-of-better_stou-in-the-man-page.patch
similarity index 92%
rename from 0001-Improve-documentation-of-better_stou-in-the-man-page.patch
rename to 0051-Improve-documentation-of-better_stou-in-the-man-page.patch
index e1293ab..c2593be 100644
--- a/0001-Improve-documentation-of-better_stou-in-the-man-page.patch
+++ b/0051-Improve-documentation-of-better_stou-in-the-man-page.patch
@@ -1,7 +1,7 @@
 From 765f99b26705c8d6fe2be4feb07f4c91e7eb96f9 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Thu, 5 Apr 2018 12:29:03 +0200
-Subject: [PATCH] Improve documentation of better_stou in the man page
+Subject: [PATCH 51/59] Improve documentation of better_stou in the man page
 ---
 vsftpd.conf.5 | 7 ++++++-
@@ -26,5 +26,5 @@ index 6911a73..e9ae474 100644
 Default: NO
 .TP
 --
-2.14.3
+2.14.4
diff --git a/0001-Fix-rDNS-with-IPv6.patch b/0052-Fix-rDNS-with-IPv6.patch
similarity index 99%
rename from 0001-Fix-rDNS-with-IPv6.patch
rename to 0052-Fix-rDNS-with-IPv6.patch
index 2328968..eca9474 100644
--- a/0001-Fix-rDNS-with-IPv6.patch
+++ b/0052-Fix-rDNS-with-IPv6.patch
@@ -1,7 +1,7 @@
 From 01b646d2af0ed885d01d31a6479898a3c423a630 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Thu, 26 Apr 2018 10:00:19 +0200
-Subject: [PATCH 1/4] Fix rDNS with IPv6
+Subject: [PATCH 52/59] Fix rDNS with IPv6
 Previously IPv6 addresses were not translated to hostnames for PAM to use.
 ---
@@ -191,5 +191,5 @@ index 7a59f13..2df14ed 100644
 void vsf_sysutil_activate_keepalive(int fd);
 void vsf_sysutil_rcvtimeo(int fd);
 --
-2.14.3
+2.14.4
diff --git a/0002-Always-do-chdir-after-chroot.patch b/0053-Always-do-chdir-after-chroot.patch
similarity index 91%
rename from 0002-Always-do-chdir-after-chroot.patch
rename to 0053-Always-do-chdir-after-chroot.patch
index 566ca09..e1c0105 100644
--- a/0002-Always-do-chdir-after-chroot.patch
+++ b/0053-Always-do-chdir-after-chroot.patch
@@ -1,7 +1,7 @@
 From 315f9720db94af3319c9550feaf473b9cf09aeac Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Thu, 3 May 2018 13:20:28 +0200
-Subject: [PATCH 2/4] Always do chdir("/") after chroot()
+Subject: [PATCH 53/59] Always do chdir("/") after chroot()
 Always do chdir("/") after chroot() to be more sure we'll never get
 out of it. This will not affect the working directory after calling
@@ -28,5 +28,5 @@ index b68583b..3014c05 100644
 unsigned int
 --
-2.14.3
+2.14.4
diff --git a/0003-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch b/0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch
similarity index 89%
rename from 0003-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch
rename to 0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch
index 337fa28..d67db00 100644
--- a/0003-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch
+++ b/0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch
@@ -1,7 +1,7 @@
 From ca27e6e34d89fc247a164ed7330735644f97d7d8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Wed, 9 May 2018 20:15:29 +0200
-Subject: [PATCH 3/4] vsf_sysutil_rcvtimeo: Check return value of setsockopt
+Subject: [PATCH 54/59] vsf_sysutil_rcvtimeo: Check return value of setsockopt
 ---
 sysutil.c | 7 ++++++-
@@ -29,5 +29,5 @@ index 3014c05..de5f876 100644
 void
 --
-2.14.3
+2.14.4
diff --git a/0004-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch b/0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch
similarity index 97%
rename from 0004-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch
rename to 0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch
index 72f70b1..85d4f2f 100644
--- a/0004-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch
+++ b/0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch
@@ -1,7 +1,7 @@
 From c7ac05fdf2a7b53d901bfc3afeb9a61916aaaaf1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Wed, 9 May 2018 20:26:37 +0200
-Subject: [PATCH 4/4] vsf_sysutil_get_tz: Check the return value of syscalls
+Subject: [PATCH 55/59] vsf_sysutil_get_tz: Check the return value of syscalls
 Check the return value of syscalls. There's always the possibility that
 they'll fail. (Failure of close() is not handled though, apart from EINTR.
@@ -104,5 +104,5 @@ index de5f876..fd07d99 100644
 return ret_tz;
 --
-2.14.3
+2.14.4
diff --git a/0001-Log-die-calls-to-syslog.patch b/0056-Log-die-calls-to-syslog.patch
similarity index 99%
rename from 0001-Log-die-calls-to-syslog.patch
rename to 0056-Log-die-calls-to-syslog.patch
index d6aa2f8..46b93f6 100644
--- a/0001-Log-die-calls-to-syslog.patch
+++ b/0056-Log-die-calls-to-syslog.patch
@@ -1,7 +1,7 @@
 From ee6af258e8cb1a7fada5e6d3e54429b89f12b158 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Fri, 15 Jun 2018 12:02:21 +0200
-Subject: [PATCH 1/3] Log die() calls to syslog
+Subject: [PATCH 56/59] Log die() calls to syslog
 Pass messages given to die(), die2() and bug() to syslog. Currently this
 functionality requires waiting for a short amount of time (1 second is
diff --git a/0002-Improve-error-message-when-max-number-of-bind-attemp.patch b/0057-Improve-error-message-when-max-number-of-bind-attemp.patch
similarity index 87%
rename from 0002-Improve-error-message-when-max-number-of-bind-attemp.patch
rename to 0057-Improve-error-message-when-max-number-of-bind-attemp.patch
index 221a2de..3a0effe 100644
--- a/0002-Improve-error-message-when-max-number-of-bind-attemp.patch
+++ b/0057-Improve-error-message-when-max-number-of-bind-attemp.patch
@@ -1,8 +1,8 @@
 From 380e40930661d643c865bace4e1791ca8f9d74cf Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Mon, 18 Jun 2018 14:01:46 +0200
-Subject: [PATCH 2/3] Improve error message when max number of bind attempts is
- exceeded
+Subject: [PATCH 57/59] Improve error message when max number of bind attempts
+ is exceeded
 Resolves: rhbz#1318198
 ---
diff --git a/0003-Make-the-max-number-of-bind-retries-tunable.patch b/0058-Make-the-max-number-of-bind-retries-tunable.patch
similarity index 97%
rename from 0003-Make-the-max-number-of-bind-retries-tunable.patch
rename to 0058-Make-the-max-number-of-bind-retries-tunable.patch
index 533bd29..1350470 100644
--- a/0003-Make-the-max-number-of-bind-retries-tunable.patch
+++ b/0058-Make-the-max-number-of-bind-retries-tunable.patch
@@ -1,7 +1,7 @@
 From be7c2d639127dd8af0139caf94f8c29f431d3753 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
 Date: Mon, 18 Jun 2018 10:13:48 +0200
-Subject: [PATCH 3/3] Make the max number of bind retries tunable
+Subject: [PATCH 58/59] Make the max number of bind retries tunable
 Resolves: rhbz#1318198
 ---
diff --git a/0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch b/0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch
new file mode 100644
index 0000000..3adbd4c
--- /dev/null
+++ b/0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch
@@ -0,0 +1,58 @@
+From 970711fde95bee3de1e4a5e0b557c3132d0c3e3f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Lyson=C4=9Bk?=
+Date: Tue, 6 Feb 2018 11:39:01 +0100
+Subject: [PATCH 59/59] Fix SEGFAULT when running in a container as PID 1
+
+When vsftpd is running in a container as PID 1, it is possible
+that it will get SIGCHILD for processes, which were not directly
+created by it, but by some of its children. These processes will
+not be in the s_p_pid_ip_hash hash table, and thus trying to
+delete the entry from the hash table in standalone.c:handle_sigchld()
+will result in segmentation fault.
+
+I can quite easily reproduce it with the upstream vsftpd and default
+configuration, except for isolate=NO and isolate_network=NO being set
+(it seems to me that network namespaces take a long time to create
+and destroy, which hides the race condition), on a quad-core machine.
+When connecting to vsftpd in a loop like this:
+$ while true; do echo -en '' | nc localhost 21; done
+
+vsftpd crashes after a couple of seconds.
+---
+ standalone.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/standalone.c b/standalone.c
+index 3b65ea2..3f35e9e 100644
+--- a/standalone.c
++++ b/standalone.c
+@@ -270,13 +270,21 @@ handle_sigchld(void* duff)
+ if (reap_one)
+ {
+ struct vsf_sysutil_ipaddr* p_ip;
+- /* Account total number of instances */
+- --s_children;
+- /* Account per-IP limit */
+ p_ip = (struct vsf_sysutil_ipaddr*)
+ hash_lookup_entry(s_p_pid_ip_hash, (void*)&reap_one);
+- drop_ip_count(p_ip);
+- hash_free_entry(s_p_pid_ip_hash, (void*)&reap_one);
++ /* If we are running in a container as PID 1, it is possible
++ * that we will get SIGCHILD for processes, which were not
++ * created directly by our process and which are not in the
++ * s_p_pid_ip_hash hash table.
++ */
++ if (p_ip)
++ {
++ /* Account total number of instances */
++ --s_children;
++ /* Account per-IP limit */
++ drop_ip_count(p_ip);
++ hash_free_entry(s_p_pid_ip_hash, (void*)&reap_one);
++ }
+ }
+ }
+ }
+--
+2.14.4
+
diff --git a/vsftpd.spec b/vsftpd.spec
index 5b455a0..e7d687b 100644
--- a/vsftpd.spec
+++ b/vsftpd.spec
@@ -2,7 +2,7 @@ Name: vsftpd
 Version: 3.0.3
-Release: 26%{?dist}
+Release: 27%{?dist}
 Summary: Very Secure Ftp Daemon
 Group: System Environment/Daemons
@@ -79,14 +79,15 @@ Patch47: 0047-Disable-tcp_wrappers-support.patch
 Patch48: 0048-Fix-default-value-of-strict_ssl_read_eof-in-man-page.patch
 Patch49: 0049-Add-new-filename-generation-algorithm-for-STOU-comma.patch
 Patch50: 0050-Don-t-link-with-libnsl.patch
-Patch51: 0001-Improve-documentation-of-better_stou-in-the-man-page.patch
-Patch52: 0001-Fix-rDNS-with-IPv6.patch
-Patch53: 0002-Always-do-chdir-after-chroot.patch
-Patch54: 0003-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch
-Patch55: 0004-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch
-Patch56: 0001-Log-die-calls-to-syslog.patch
-Patch57: 0002-Improve-error-message-when-max-number-of-bind-attemp.patch
-Patch58: 0003-Make-the-max-number-of-bind-retries-tunable.patch
+Patch51: 0051-Improve-documentation-of-better_stou-in-the-man-page.patch
+Patch52: 0052-Fix-rDNS-with-IPv6.patch
+Patch53: 0053-Always-do-chdir-after-chroot.patch
+Patch54: 0054-vsf_sysutil_rcvtimeo-Check-return-value-of-setsockop.patch
+Patch55: 0055-vsf_sysutil_get_tz-Check-the-return-value-of-syscall.patch
+Patch56: 0056-Log-die-calls-to-syslog.patch
+Patch57: 0057-Improve-error-message-when-max-number-of-bind-attemp.patch
+Patch58: 0058-Make-the-max-number-of-bind-retries-tunable.patch
+Patch59: 0059-Fix-SEGFAULT-when-running-in-a-container-as-PID-1.patch
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
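Review bot: The new `if (p_ip)` guard turns a lookup miss into a silent no-op, so if a reaped PID that is one of vsftpd's own children ever has no entry in `s_p_pid_ip_hash` (for whatever reason), `--s_children` and `drop_ip_count()` are skipped and the total-instance and per-IP accounting stay inflated with nothing in the log to show why; presumably that would tighten the corresponding limits over time. Since a miss is only expected for orphans adopted because the process is PID 1, an `else` branch that at least logs the reaped PID at debug level would keep such an accounting leak observable, and a comment such as `/* Not one of our children (orphan adopted because we are PID 1): nothing to account for */` would state that assumption next to the code. The block comment and the commit message spell the signal `SIGCHILD`; it is `SIGCHLD`, as the handler's own name `handle_sigchld` already reflects. `handle_sigchld` begins above the inner hunk.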
@@ -155,6 +156,9 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 %changelog
+* Wed Jul 25 2018 Ondřej Lysoněk - 3.0.3-27
+- Fix a segfault when running as PID 1
+
 * Sat Jul 14 2018 Fedora Release Engineering - 3.0.3-26
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild