pkgsrc-Bugs archive


pkg/43352: [net/bftpd]Update to 2.8



>Number:         43352
>Category:       pkg
>Synopsis:       [net/bftpd]Update to 2.8
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue May 25 13:35:00 +0000 2010
>Originator:     Wen Heping
>Release:        NetBSD-5.0.2
>Organization:
Private
>Environment:
NetBSD nb502.wenjing.com 5.0.2 NetBSD 5.0.2 (GENERIC) #0: Sat Feb  6 17:53:27 
UTC 2010  
builds%b7.netbsd.org@localhost:/home/builds/ab/netbsd-5-0-2-RELEASE/i386/201002061851Z-obj/home/builds/ab/netbsd-5-0-2-RELEASE/src/sys/arch/i386/compile/GENERIC
 i386
>Description:
Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.8
        - Added patch which will allow client to see hidden
          files if the "-a" parameter is used in list commands.
          Hidden files are only shown if SHOW_HIDDEN_FILES
          is enabled in the config file.
          Patch provided by Raster.
        - Swapped out glob function for custom directory
          search matching. Allows clients to see broken
          symbolic links if "SHOW_NONREADABLE_FILES" is set
          to "yes".
          Patch supplied by Raster.
        - Added patch to clean up zombies if several children
          processes all die at the same time. We were cleaning up
          just one child per signal before.
          Patch supplied by Raster.
        - Fixed typo in log error message.
        - Made sure we can read user config file options
          even with unusual compile flags.
        - Fixed anonymous login.
        - Anonymous login disabled by default in the config file.



Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.7
        - Added patch from Raster which returns more specific error
          messages to the client when a file or directory cannot be
          removed. This should avoid confusing some clients when the
          user attempts to remove a directory.
        - Added checks for increased security/stability and to remove
          compiler warnings.


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.6
        - Removed some debugging information from the log file.
        - Made certain that bandwidth log will not over-write itself
          when multiple users are logged in.
        - Bandwidth log file is flushed to avoid loss of data.
        - Bftpd will write to bandwidth log even if client does
          not disconnect cleanly.


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.5
        - Added better UTF support. Clients that check for this
          will now enable UTF-8. For example, Filezilla.
        - Made sure remote admin login was disabled. This shouldn't
          have worked anyway, but disabled the feature to make sure.
        - Added additional log file which tracks user bandwidth.
          See the option in the config file called BANDWIDTH.
        - Updated README file to contain notes on logging.


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.4
        - Fixed a possible security hole which would allow
        attackers to perform a DoS attack against bftpd.
        (Thanks to Dazhi for pointing out this problem.)


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.2.1 (aka 2.3)
        - Bftpd should not attempt to close stdin, stdout and stderr
        if they do not exist. Fixed this in main.c.
        (Patch provided by Ivan A-R.)


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.2
        - Bftpd does not exit when an incorrect password is given.
        The server does drop connections in cases where logins are
        specifically denied, full server or if an error appears in
        the config file.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.1.2
        - Added option to not show files in a dir list
        if the file is not readable. Thanks to Eric
        Woltermann for sending in this patch.
        By default non-readable files are not listed.
        See the SHOW_NONREADABLE_FILES config option.
        - Make the replace() function safer with
        range checking to avoid buffer over-flow.
        - Fixed calls to replace() function.
        - Most string buffers now have a set size of
        MAX_STRING_LENGTH, rather than some arbitrary size.
        - Applied patch to allow user specific data to
        be substituted into the user MOTD file path.
        The symbols %u and %h can be used in place of the
        user's username and home directory in the MOTD_USER
        config option.
        Thanks to Eric Woltermann for submitting this patch.
        - Bftpd now prompts for a password, even on anonymous
        accounts to help increase compatibility with some
        web browsers.


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.1.1
        - Fixed directory creation so that the proper
        umask is used. Thanks to Thiemo for pointing
        out this problem.
        - Fixed buffer under-size error in options.c
        Thanks to Athan for reporting this bug.


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.1
        - By default, the SITE command is now disabled
        in the bftpd.conf file. This is to prevent
        security holes and DoS attacks via "site md5 <filename>"

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.0.3
        - Added md5 support for amd64 machines.
        - If no arch is defined for md5, assume little endian.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.0.2
        - Transfer buffer size now defaults to staying the
        same (max) size for all transfers. To get a variable
        buffer size, change the config option CHANGE_BUFSIZE
        to "yes".
        - Added config file option SHOW_HIDDEN_FILES. When this
        option is set to "yes", bftpd shows hidden files in directory
        listings. By default this is set to "no".


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.0.1
        - Avoid possible segfault in replace() function
        in mystring.c
        - Avoid memory error in main.c using strdup()
        - Avoid segfault in options.c the create_options()
        - Added ability to use the SITE command to provide md5
        checksums of files. (usage: site md5 filename)

        Very many thanks to Ulrich Drepper and Gray Watson for
        the md5 library!

        - Changed ratio calculations to use double type to
        allow for larger files and data transfers.
        - Added HELP option to the SITE command.
        (usage: site help)
        - Added config file variable CHANGE_BUFSIZE. This
          determines whether the transfer buffer changes size.
          It defaults to "yes".
        - Removed extra fileno() calls in file receives.



Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 2.0
        - Avoid memory error in options.c

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.9.3
        - Avoid segfaults in options.c and cwd.c
        - Added memory checks in options.c

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.9.2
        - Avoid segfaults in options.c and dirlist.c

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.9.1
        - Avoid segfaults in options.c and main.c

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.9
        - Added limits.h entry to main.c and options.c
        for compatibility with FreeBSD.
        (All problems with bftpd on FreeBSD were found and
        corrected by Beech of the FreeBSD team.)

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.8.4
        - When printing file sizes for files larger than 4GB
        the file size is now displayed correctly.
        - When a FTP client drops a connection without sending
        an ABORT (ABOR) signal, Bftpd will detect the dropped
        connection and log it. This prevents stale connections
        preventing new users from connecting.
        (Bug found and fixed by: Thorsten)
        - Added limits.h and signal.h to list of headers used
        in commands.c, for compatibility with BSD.
        - Changed sighandler_t in "run_script()" to sig_t
        for compatibility between Linux and BSD.
        - Added OpenPAM patch from FreeBSD (login.c)
        - Added limits.h include to login.c file for
        compatibility with BSD.


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.8.3
        - If Bftpd is unable to create bftpdutmp file, an error
        should now be written to the log file.
        - Directory output corrected for when large files (> 2GB)
        are listed.
        - Documentation for xinetd config updated.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.8.2
        - Changed bftpd's directory name to plain "bftpd"
        rather than "bftpd-version". This will, hopefully, make
        it easier to run scripts which build/run bftpd.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.8.1
        - Avoid segfault in getoption() (options.c)
          Credit to Mats Erik Andersson for finding this bug.
        - Fixed potential memory leaks in commands.c

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.7.2
        - Fixed serious bug which would cause bftpd to crash
        while sending a file. Double-free error.
        (Credit to Davide Pozza for reporting these bugs below.)
        - Prevent buffer over-flow in parsecmd() when
        forming confstr variable.
        - Check return values of strtoul() to make sure they
        do not over-flow an int.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.7.1
        (Credit to Davide Pozza for reporting these bugs.)
        - Avoid memory over-flow in bftpd_login (login.c)
        with the str[] variable. Made size 512 + 1.
        - Avoid buffer over-flow in str[] variable in
        main().
        - Prevent buffer over-flow in check_file_password()
        when performing fscanf().
        - In check_file_password() made calloc() allocate
        larger buffer to prevent over-flow.
        - Performed range checking on the number of users on
        the system to make sure they don't over-flow a 32-bit int.
        - Make sure malloc calls in commands.c do not allocate
        too much or too little memory.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.6.6
        - Perform memory allocation check in bftpd_cwd_mappath()
        - Changed a strcmp() to strcasecmp() in command_retr function.
        - Performed free(mapped) at end of command_retr.
        - Performed memory checks and clean-up in various functions.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.6.5
        - When using the FILE_AUTH option, the text
        password file can contain anonymous users. That is,
        users who do not require passwords. THIS IS DANGEROUS
        ON MOST SYSTEMS. An entry with the password field set to
        a * (star) does not require a password. See the
        config file option FILE_AUTH for more information.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.6.4
        - Allow ANONYMOUS_USER config file option to be used with
        the FILE_AUTH option. This basically allows anyone
        to login to the system without a password if both
        options are used!
        - When a chroot fails during login the server will
        no longer tell the client which directory it was trying
        to chroot to.
        - When the config.h file contains a definition for
        NO_GETPWNAM then the getpwnam() function is not used.
        Also, this forces the use of the FILE_AUTH option. If
        NO_GETPWNAM is defined and FILE_AUTH is not used, all
        connections are dropped.


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.6.3
        - Introduced option to over-ride the local/LAN
        IP address assigned to the host computer. This
        option takes a 4-number IP address in the format
        of "127.0.3.101". See OVERRIDE_IP in bftpd.conf for
        more information.
        - Removed description-pak file from source tree.
        - The options PRE_WRITE_SCRIPT and POST_WRITE_SCRIPT
        have been added to the bftpd.conf file. These options
        let you run scripts before and after any command writes
        to the file system. Handy if you want to re-mount.
        Please see the bftpd.conf file for details.


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.6.2
        - When using FILE_AUTH to login, check
        DO_CHROOT option before performing
        a chroot().

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.6.1
        - Removed code which uses sendfile().
        The sendfile code appears to cause a
        conflict on some systems when used
        with 64-bit file size variables.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.6
        - Released bftpd without code changes, but
        with updated Polish documentation.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.5
        - Added Polish documentation to website.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.4.1
        - Added ability to use a plain text file
          for authentication. See config file option
          FILE_AUTH for details.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.4
        - Fixed default configuration.
        - Fixed compile warnings for vanilla config.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.3.2
        - Fixed Makefile to erase config.cache file during
          "make clean"
        - Added ability to uncompress files on the fly
          during downloads. Any file with the extension
          ".gz" can be decompressed during transfer to
          the client with the use of the GZ_DOWNLOAD
          in the config file. This option requires bftpd
          be configured (pre-compile time) with the flag
          --enable-libz.


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.3.1
        - Changed ratio values to unsigned long
          variables to support large files.
        - Edited Makefile to allow bftpd to handle large
          files (2GB+).

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.2.2
        - Added ability to upload files and
          compress them into .gz files on the fly.
          See bftpd.conf file for the option.
          This option requires --enable-libz be
          used when running the configure script.

        - Cleaned up code to avoid compiler warnings
          from gcc 4.0.2.
          Files changed: main.c commands.c

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.2.1
        - When the config file is re-read, global
          are changed only.
          Files changes: options.c options.h


Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.2
        - Made re-readable options be able to hold larger
          values. Up to 256 bytes/characters long.
        - Replaced old rpm spec file with one from
          Joe, which will be used from now on for
          rpm builds.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.1.3
        - When a child/client dies, the
          parent process will now attempt to
          remove the client's log entry
          from the bftpdutmp file. This
          should prevent stale entries.
        - Changed some default values to
          constants in options.h
        - Fixed typo(s) in bftpd.conf
        - Set delete/over-write for global
          users to be disabled by default
          in bftpd.conf.
        - Added the XFER_DELAY option to
          the bftpd.conf file. This allows
          the admin to set a time delay
          between data transfer bursts.
          This aids in bandwidth throttling.
          Please see bftpd.conf for more
          details on this feature.
        - Added more re-read options
          when catching signal SIGHUP.
          The re-readable options are now:
          HELLO_STRING, QUIT_MSG, XFERBUFSIZE,
          DATA_TIMEOUT, CONTROL_TIMEOUT,
          USERLIMIT_GLOBAL, USERLIMIT_SINGLEUSER,
          USERLIMIT_HOST, DENY_LOGIN and XFER_DELAY.

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.1.2
        - Program now catches signal SIGHUP.
        - When bftpd catches the SIGHUP (hang up)
          it re-reads the config file. It looks
          for some config values, but not all.
          At this time, the values which are
          re-read are:
          HELLO_STRING, QUIT_MSG and XFERBUFSIZE

Jesse Smith <jessefrgsmith%yahoo.ca@localhost> -> 1.1.1
        - Added rpm spec file to redhat directory.
        - Changed numeric string length (512) to a defined
          string length (MAXCMD). Makes code more
          compatible with main.c and uses less stack
          memory. File changed: commands.c
        - When receiving files, the transfer buffer
          (XFER_BUFSIZE) is divided by the number of
          connected clients. This should prevent bandwidth
          being sucked back by multiple connections.
        - Minor fixes, checking for malloc errors,
          freeing memory and closing sockets.
          File changed: commands.c
        - When sending files, the transfer buffer
          (XFER_BUFSIZE) is divided by the number
          of connected clients. This should prevent
          bandwidth being taken over by multiple connections.
        - Changed Makefile so bftpd.8 gets installed as
          a manual page in the proper location.
          Also updated rpm spec file to include man page.


Jesse Smith <slicer69%hotmail.com@localhost> -> 1.1.0
        - Changed some bftpdutmp_log(0) lines to
        calls to bftpdutmp_end(). This should be safer.
        - Made sure that clients cannot write or append
        to files if the "delete" command is disabled. I
        think if they cannot delete the file they shouldn't
        be allowed to truncate it to zero bytes either.
        - Added reason for login failure to log file.
        - Removed logging of getting user count from
        temp file. Just seems to be taking up space.
>How-To-Repeat:

>Fix:
diff -urN bftpd.orig/Makefile bftpd/Makefile
--- bftpd.orig/Makefile 2010-05-26 05:09:19.000000000 +0800
+++ bftpd/Makefile      2010-05-26 05:23:40.000000000 +0800
@@ -1,10 +1,9 @@
 # $NetBSD: Makefile,v 1.10 2008/07/10 15:52:03 joerg Exp $
 #

-DISTNAME=      bftpd-1.0.24
-PKGREVISION=   1
+DISTNAME=      bftpd-2.8
 CATEGORIES=    net
-MASTER_SITES=  http://bftpd.sourceforge.net/downloads/src/
+MASTER_SITES=  http://downloads.sourceforge.net/project/bftpd/bftpd/bftpd-2.8/

 MAINTAINER=    virtus%wanadoo.nl@localhost
 HOMEPAGE=      http://bftpd.sourceforge.net/
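
Review bot: MASTER_SITES now repeats the version inside the URL (`.../bftpd/bftpd-2.8/`), so the next update has to change both DISTNAME and this line, and the fetch is pinned to one SourceForge host over plain HTTP. Consider the pkgsrc mirror variable instead, for example `MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=bftpd/}`, with the release subdirectory built from a version variable if it is required. Dropping PKGREVISION on a version bump is correct.
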
@@ -21,4 +20,6 @@

 PKG_DESTDIR_SUPPORT=   user-destdir

+WRKSRC=                ${WRKDIR}/bftpd
+
 .include "../../mk/bsd.pkg.mk"
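
Review bot: the added `WRKSRC= ${WRKDIR}/bftpd` line carries no comment saying why it is needed. The changelog in this report says that since 1.8.2 the source directory is plain "bftpd" rather than "bftpd-version"; a one-line comment to that effect would keep a later update from removing the override as redundant.
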
diff -urN bftpd.orig/distinfo bftpd/distinfo
--- bftpd.orig/distinfo 2010-05-26 05:09:19.000000000 +0800
+++ bftpd/distinfo      2010-05-26 05:27:04.000000000 +0800
@@ -1,7 +1,7 @@
 $NetBSD: distinfo,v 1.4 2008/07/10 15:52:03 joerg Exp $

-SHA1 (bftpd-1.0.24.tar.gz) = 4a047778e9435fc9221d02c1093f040186bb88d7
-RMD160 (bftpd-1.0.24.tar.gz) = 6eb162a5d692c5df2811c24fd07d40193e77d095
-Size (bftpd-1.0.24.tar.gz) = 75995 bytes
-SHA1 (patch-aa) = 5ddab875688e1c2b7ba82171a3a776503ffd7af7
+SHA1 (bftpd-2.8.tar.gz) = 91ae280010006c46719a1cad89b3bbb2872b645d
+RMD160 (bftpd-2.8.tar.gz) = 63166339ed8365d2b36c634c6816f9b25e82a597
+Size (bftpd-2.8.tar.gz) = 139341 bytes
 SHA1 (patch-ab) = faef48266dd0fb7b095738207be2b26ee34e9359
+SHA1 (patch-ac) = 0f028cf6cba35f681dcb21781d4de8ab9f76c8c5
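
Review bot: patch-ab keeps its checksum unchanged across a jump from 1.0.24 to 2.8, and its contents are not part of this diff, so please confirm it still applies cleanly to the 2.8 sources or regenerate it together with its distinfo entry. The SHA1/RMD160/Size lines are also the only integrity check on a tarball fetched over HTTP, so they should be computed from a copy whose origin is trusted, not just from whatever the new MASTER_SITES URL returned.
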
diff -urN bftpd.orig/patches/patch-aa bftpd/patches/patch-aa
--- bftpd.orig/patches/patch-aa 2010-05-26 05:09:18.000000000 +0800
+++ bftpd/patches/patch-aa      1970-01-01 07:00:00.000000000 +0700
@@ -1,30 +0,0 @@
-$NetBSD: patch-aa,v 1.3 2008/07/10 15:52:03 joerg Exp $
-
---- Makefile.in.orig   2003-05-09 16:47:48.000000000 -0500
-+++ Makefile.in
-@@ -4,6 +4,7 @@ INSTALL=@INSTALL@
- CFLAGS=@CFLAGS@ @DEFS@ -Wall -I. -DVERSION=\"$(VERSION)\" @DEBUG@
- LIBS=@LIBS@
- prefix=@prefix@
-+datadir=@datadir@
- mandir=@mandir@
- sbindir=@sbindir@
- DESTDIR=
-@@ -26,14 +27,9 @@ bftpd: $(OBJS)
- $(OBJS): $(HEADERS) Makefile
-
- install: all
--      $(INSTALL) -g 0 -m 700 -o 0 bftpd $(DESTDIR)/$(prefix)/sbin
--      $(INSTALL) -g 0 -m 644 -o 0 bftpd.8 $(DESTDIR)/$(mandir)/man8
--      [ -f $(DESTDIR)/etc/bftpd.conf ] || \
--              $(INSTALL) -g 0 -m 600 -o 0 bftpd.conf $(DESTDIR)/etc
--      touch /var/log/bftpd.log
--      chmod 644 /var/log/bftpd.log
--      mkdir -p /var/run/bftpd
--      chmod 755 /var/run/bftpd
-+      $(INSTALL) -m 700 bftpd $(DESTDIR)/$(prefix)/sbin
-+      $(INSTALL) -m 644 bftpd.8 $(DESTDIR)/$(mandir)/man8
-+      $(INSTALL) -m 600 bftpd.conf $(DESTDIR)/$(datadir)/examples/bftpd
-
- clean distclean:
-       rm -f *~ $(OBJS) bftpd mksources.finished
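
Review bot: patch-aa is deleted here only to come back as patch-ac with the same purpose (the `datadir` line and the trimmed `install` target in Makefile.in). Updating patch-aa in place would keep its revision history and avoid a gap in the patch names; if the rename is intentional, the commit message should say so.
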
diff -urN bftpd.orig/patches/patch-ac bftpd/patches/patch-ac
--- bftpd.orig/patches/patch-ac 1970-01-01 07:00:00.000000000 +0700
+++ bftpd/patches/patch-ac      2010-05-26 05:20:24.000000000 +0800
@@ -0,0 +1,29 @@
+--- Makefile.in.orig   2010-05-26 05:17:41.000000000 +0800
++++ Makefile.in        2010-05-26 05:19:46.000000000 +0800
+@@ -4,6 +4,7 @@
+ CFLAGS=@CFLAGS@ @DEFS@ -Wall -I. -DVERSION=\"$(VERSION)\" 
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE @DEBUG@
+ LIBS=@LIBS@
+ prefix=@prefix@
++datadir=@datadir@
+ mandir=@mandir@
+ sbindir=@sbindir@
+ DESTDIR=
+@@ -26,15 +27,9 @@
+ $(OBJS): $(HEADERS) Makefile
+
+ install: all
+-      $(INSTALL) -g 0 -m 700 -o 0 bftpd $(DESTDIR)/$(prefix)/sbin
+-      $(INSTALL) -g 0 -m 644 -o 0 bftpd.8 $(DESTDIR)/$(mandir)/man8
+-      [ -f $(DESTDIR)/etc/bftpd.conf ] || \
+-              $(INSTALL) -g 0 -m 600 -o 0 bftpd.conf $(DESTDIR)/etc
+-      mkdir -p $(DESTDIR)/var/log
+-      touch $(DESTDIR)/var/log/bftpd.log
+-      chmod 644 $(DESTDIR)/var/log/bftpd.log
+-      mkdir -p $(DESTDIR)/var/run/bftpd
+-      chmod 755 $(DESTDIR)/var/run/bftpd
++      $(INSTALL) -m 700 bftpd $(DESTDIR)/$(prefix)/sbin
++      $(INSTALL) -m 644 bftpd.8 $(DESTDIR)/$(mandir)/man8
++      $(INSTALL) -m 600 bftpd.conf $(DESTDIR)/$(datadir)/examples/bftpd
+
+ clean distclean:
+       rm -f *~ $(OBJS) bftpd mksources.finished config.cache
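
Review bot: the new patch file starts directly at `--- Makefile.in.orig` and lacks the `$NetBSD$` header line that patch-aa carried, and the CFLAGS context line appears wrapped across two lines in this mail, which would keep the patch from applying as sent; please add the header and attach the patch unwrapped. The rewritten `install` target, as in the old patch-aa, no longer creates `/var/log/bftpd.log` or `/var/run/bftpd` and puts `bftpd.conf` only under `$(datadir)/examples/bftpd`, so it is worth confirming that the package Makefile (not visible in this diff) still creates the run directory and installs the live config with mode 600, for example through `OWN_DIRS` and `CONF_FILES_PERMS`.
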


