--- vsftpd-2.0.6.orig/debian/copyright
+++ vsftpd-2.0.6/debian/copyright
@@ -0,0 +1,17 @@
+This package was created on Thu, 8 Mar 2001, by Daniel Jacobowitz
+. It's currently maintained by Matej Vela .
+
+Upstream source: ftp://vsftpd.beasts.org/users/cevans/
+Upstream Author: Chris Evans
+More information is available at http://vsftpd.beasts.org/.
+
+Copyright (C) 2001-2008 Chris Evans
+
+vsftpd is distributed under the terms of version 2 of the GNU General Public
+License, which can be found in /usr/share/common-licenses/GPL. There is an
+additional exception from the author permitting linking with OpenSSL:
+
+ As copyright holder, I give permission for vsftpd to be linked to
+ the OpenSSL libraries. This includes permission for vsftpd binaries to be
+ distributed linked against the OpenSSL libraries. All other obligations
+ under the GPL v2 remain intact.
--- vsftpd-2.0.6.orig/debian/vsftpd.pam
+++ vsftpd-2.0.6/debian/vsftpd.pam
@@ -0,0 +1,13 @@
+# Standard behaviour for ftpd(8).
+auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
+
+# Note: vsftpd handles anonymous logins on its own. Do not enable
+# pam_ftp.so.
+
+# Standard blurb.
+@include common-account
+@include common-session
+
+@include common-auth
+auth required pam_shells.so
+
--- vsftpd-2.0.6.orig/debian/vsftpd.docs
+++ vsftpd-2.0.6/debian/vsftpd.docs
@@ -0,0 +1,14 @@
+AUDIT
+BENCHMARKS
+BUGS
+EXAMPLE
+FAQ
+README
+README.security
+README.ssl
+REWARD
+SECURITY
+SIZE
+SPEED
+TODO
+TUNING
--- vsftpd-2.0.6.orig/debian/vsftpd.postinst
+++ vsftpd-2.0.6/debian/vsftpd.postinst
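Review bot: In debian/vsftpd.pam the `pam_listfile.so` line uses `onerr=succeed`, so the /etc/ftpusers deny list fails open: if the file is missing or cannot be read, the module reports success and the accounts it is meant to block (root, daemon, ...) are no longer rejected at this step. Since the package ships that file itself, failing closed looks like the safer default: `auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=fail`. If fail-open is intentional, a one-line comment saying why would help the next maintainer.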
@@ -0,0 +1,29 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ configure)
+ if [ -z "$2" ]; then
+ if ! getent passwd ftp > /dev/null 2>/dev/null; then
+ adduser --no-create-home --system ftp
+ if ! [ -d /home/ftp ]; then
+ install -o root -g nogroup -m 0755 -d /home/ftp
+ fi
+ fi
+ fi
+
+ # In 1.2.1-1, the default changed to standalone mode. If the
+ # configuration file contains the options for standalone operation,
+ # make sure to disable inetd operation.
+ if [ -f /etc/vsftpd.conf ] && egrep -iq "^ *listen(_ipv6)? *= *yes" /etc/vsftpd.conf; then
+ update-inetd --disable --pattern vsftpd ftp
+ fi
+
+ # Remove shutdown and reboot links; this init script does not need them.
+ if dpkg --compare-versions "$2" lt "2.0.4-0ubuntu5"; then
+ rm -f /etc/rc0.d/K20vsftpd /etc/rc6.d/K20vsftpd
+ fi
+ ;;
+esac
+
+#DEBHELPER#
--- vsftpd-2.0.6.orig/debian/control
+++ vsftpd-2.0.6/debian/control
@@ -0,0 +1,20 @@
+Source: vsftpd
+Section: net
+Priority: extra
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Matej Vela
+Build-Depends: cdbs, debhelper (>= 4.2.0), libpam0g-dev, libcap-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], libwrap0-dev, libssl-dev, quilt (>= 0.40)
+Standards-Version: 3.7.3
+
+Package: vsftpd
+Architecture: any
+Depends: ${shlibs:Depends}, libpam-modules, adduser, netbase, lsb-base (>= 1.3-9ubuntu3), ssl-cert (>= 1.0-11ubuntu1), sysv-rc (>= 2.86.ds1-14.1ubuntu2), update-inetd
+Recommends: logrotate
+Provides: ftp-server
+Conflicts: ftp-server
+Description: The Very Secure FTP Daemon
+ A lightweight, efficient FTP server written from the ground up with
+ security in mind.
+ .
+ vsftpd supports both anonymous and non-anonymous FTP, PAM authentication,
+ bandwidth limiting, and the Linux sendfile() facility.
--- vsftpd-2.0.6.orig/debian/vsftpd.install
+++ vsftpd-2.0.6/debian/vsftpd.install
@@ -0,0 +1,2 @@
+vsftpd usr/sbin
+vsftpd.conf debian/ftpusers etc
--- vsftpd-2.0.6.orig/debian/rules
+++ vsftpd-2.0.6/debian/rules
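Review bot: The last test in the `configure` branch of debian/vsftpd.postinst, `dpkg --compare-versions "$2" lt "2.0.4-0ubuntu5"`, also runs on a fresh install, where `$2` is empty and dpkg orders an empty version before every other one, so the `rm -f` of the rc0.d/rc6.d links fires even when nothing was upgraded. That is harmless here, but the intent is clearer with an explicit guard: `if [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.0.4-0ubuntu5"; then`. Separately, /home/ftp is only created (root-owned, mode 0755) in the branch where the `ftp` account was missing; when the account already exists nothing checks that its home is present and not writable by `ftp`, which deserves at least a comment.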
@@ -0,0 +1,15 @@
+#!/usr/bin/make -f
+
+DEB_UPDATE_RCD_PARAMS := multiuser
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/patchsys-quilt.mk
+include /usr/share/cdbs/1/class/langcore.mk
+
+CFLAGS += -W -Wshadow
+
+build/vsftpd::
+ $(MAKE) CFLAGS="$(CFLAGS)" LINK=""
+
+clean::
+ $(MAKE) clean
--- vsftpd-2.0.6.orig/debian/watch
+++ vsftpd-2.0.6/debian/watch
@@ -0,0 +1,2 @@
+version=3
+ftp://vsftpd.beasts.org/users/cevans/vsftpd-([\d.]+)\.tar\.gz
--- vsftpd-2.0.6.orig/debian/ftpusers
+++ vsftpd-2.0.6/debian/ftpusers
@@ -0,0 +1,14 @@
+# /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).
+
+root
+daemon
+bin
+sys
+sync
+games
+man
+lp
+mail
+news
+uucp
+nobody
--- vsftpd-2.0.6.orig/debian/vsftpd.manpages
+++ vsftpd-2.0.6/debian/vsftpd.manpages
@@ -0,0 +1,2 @@
+vsftpd.conf.5
+vsftpd.8
--- vsftpd-2.0.6.orig/debian/vsftpd.init.d
+++ vsftpd-2.0.6/debian/vsftpd.init.d
@@ -0,0 +1,45 @@
+#!/bin/sh
+# /etc/init.d/vsftpd
+#
+# Written by Sander Smeenk
+
+set -e
+
+# Exit if vsftpd.conf doesn't have listen=yes or listen_ipv6=yes
+# (mandatory for standalone operation)
+if [ -f /etc/vsftpd.conf ] && ! egrep -iq "^ *listen(_ipv6)? *= *yes" /etc/vsftpd.conf; then
+ exit 0
+fi
+
+DAEMON=/usr/sbin/vsftpd
+NAME=vsftpd
+
+test -x $DAEMON || exit 0
+. /lib/lsb/init-functions
+
+case "$1" in
+ start)
+ log_begin_msg "Starting FTP server: $NAME"
+ [ -d /var/run/vsftpd ] || mkdir -p /var/run/vsftpd
+ start-stop-daemon --start --background -m --pidfile /var/run/vsftpd/vsftpd.pid --exec $DAEMON && log_end_msg 0 || log_end_msg 1
+ ;;
+ stop)
+ log_begin_msg "Stopping FTP server: $NAME"
+ start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --oknodo --exec $DAEMON && log_end_msg 0 || log_end_msg 1
+ rm -f /var/run/vsftpd/vsftpd.pid
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ reload|force-reload)
+ log_begin_msg "Reloading $NAME configuration files"
+ start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --signal 1 --exec $DAEMON && log_end_msg 0 || log_end_msg 1
+ ;;
+ *)
+ log_success_msg "Usage: /etc/init.d/$NAME {start|stop|restart|reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
--- vsftpd-2.0.6.orig/debian/vsftpd.postrm
+++ vsftpd-2.0.6/debian/vsftpd.postrm
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+ remove)
+ # Older versions of vsftpd add to inetd.conf, or the user might have
+ # done so manually, so disable any vsftpd entry.
+ update-inetd --disable --pattern vsftpd ftp
+ ;;
+esac
+
+#DEBHELPER#
--- vsftpd-2.0.6.orig/debian/vsftpd.dirs
+++ vsftpd-2.0.6/debian/vsftpd.dirs
@@ -0,0 +1 @@
+var/run/vsftpd
--- vsftpd-2.0.6.orig/debian/changelog
+++ vsftpd-2.0.6/debian/changelog
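Review bot: The `start` branch of debian/vsftpd.init.d creates /var/run/vsftpd with a bare `mkdir -p`, so its mode depends on the caller's umask, and the same directory then receives vsftpd.pid; debian/patches/config.patch in this diff makes that path the default `secure_chroot_dir`, whose own comment says the directory should be empty and not writable by the ftp user. I would create it with an explicit owner and mode, e.g. `install -d -o root -g root -m 0755 /var/run/vsftpd`, and keep the pidfile and the chroot jail in separate directories. Also, the guard at the top only exits when /etc/vsftpd.conf exists without a `listen` line, so with the file absent the script still goes on to start the daemon, and `$DAEMON` is unquoted in `test -x $DAEMON`.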
@@ -0,0 +1,330 @@
+vsftpd (2.0.6-1ubuntu1.2) hardy-security; urgency=low
+
+ * SECURITY UPDATE: denial of service via crafted glob expressions
+ - debian/patches/11-CVE-2011-0762.patch: limit number of iterations in
+ access.c, defs.h, ls.*.
+ - CVE-2011-0762
+
+ -- Marc Deslauriers Fri, 25 Mar 2011 14:54:08 -0400
+
+vsftpd (2.0.6-1ubuntu1.1) hardy-proposed; urgency=low
+
+ * Added fix-ssl-shutdown.patch (LP: #254905):
+ - Properly close SSL connections, fixing incompatibility with clients such
+ as recent FileZilla
+ - Bug fixed upstream in 2.0.7
+ - Patch taken from Fedora, thanks!
+
+ -- Adrien Cunin Sat, 27 Sep 2008 15:07:01 +0200
+
+vsftpd (2.0.6-1ubuntu1) hardy; urgency=low
+
+ * Merge from Debian unstable, remaining changes:
+ - remove stop links from rc0 and rc6
+ - lsb init script
+ - use snakeoil ssl certs
+ - add update-inetd dependency
+ * debian/control:
+ - Modify Maintainer value to match DebianMaintainerField spec.
+
+ -- Matti Lindell Mon, 25 Feb 2008 09:53:13 +0200
+
+vsftpd (2.0.6-1) unstable; urgency=low
+
+ * New upstream release. Closes: #467128.
+ - Adds a chown_upload_mode option. Closes: #269193.
+ - Supports UTF8. Closes: #445393.
+ * man-typo.patch: Integrated upstream.
+ * unused-libs.patch: Remove `-lnsl -ldl -lresolv -lutil' since we
+ don't use any of their symbols.
+ * debian/copyright: Add upstream copyright.
+ * debian/copyright: Update upstream e-mail.
+ * debian/control: Build-depend on quilt (>= 0.40) rather than
+ (>= 0.40-1) to placate Lintian.
+ * Conforms to Standards version 3.7.3.
+
+ -- Matej Vela Sat, 23 Feb 2008 11:39:37 +0100
+
+vsftpd (2.0.5-2ubuntu2) feisty; urgency=low
+
+ * debian/control: Add update-inetd dependency (Ubuntu netbase
+ drops inetd dependency but update-inetd is needed in postinst,
+ Closes Ubuntu: #75432).
+
+ -- Lionel Porcheron Wed, 13 Dec 2006 11:02:41 +0100
+
+vsftpd (2.0.5-2ubuntu1) feisty; urgency=low
+
+ * Merge from debian unstable, remaining changes:
+ - remove stop links from rc0 and rc6
+ - lsb init script
+ - use snakeoil ssl certs
+
+ -- Scott James Remnant Tue, 28 Nov 2006 15:56:37 +0000
+
+vsftpd (2.0.5-2) unstable; urgency=low
+
+ * New maintainer. Closes: #385929.
+ * Acknowledge NMU. Thanks, Martin!
+ * vsftpd-debian.patch: Split into individual patches.
+ * wifexited-const.patch: Quiltify fix from 2.0.5-1.1.
+ * man-typo.patch: Remove trailing `s' from `delay_failed_login' and
+ `delay_successful_login' in vsftpd.conf.5. Closes: #382154.
+ * Switch to cdbs.
+ * Remove dependency on libpam-runtime (>= 0.76-13.1) since we have
+ 0.76-22 in sarge (and an unversioned dependency is already provided
+ by libpam0g).
+ * debian/copyright: Update upstream URL.
+ * debian/vsftpd.files: Remove cruft.
+ * debian/vsftpd.init.d: Remove pidfile on stop.
+ * debian/vsftpd.postinst, debian/vsftpd.postrm: Use `set -e'.
+ * debian/watch: Add.
+ * Conforms to Standards version 3.7.2.
+
+ -- Matej Vela Thu, 26 Oct 2006 10:55:25 +0200
+
+vsftpd (2.0.5-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Applied patch by Martin Michlmayr to fix compilation problem on 64bit
+ architectures (closes: #386267).
+ * Added dependency on netbase because of update-inetd call (closes: #386719)
+
+ -- martin f. krafft Sat, 9 Sep 2006 18:25:37 +0200
+
+vsftpd (2.0.5-1) unstable; urgency=low
+
+ * New upstream release.
+ - Added support for certificate chains (Closes: #307498).
+ * Use quilt.make to manage changes to the upstream source.
+ * Exclude libcap-dev build dependency for non-Linux architectures
+ (Closes: #375026).
+ * Mention trouble with background=yes in vsftpd.conf in the
+ README file.
+ * Create /var/run/vsftpd if necessary (Closes: #350996).
+
+ -- Daniel Jacobowitz Sun, 23 Jul 2006 18:46:23 -0400
+
+vsftpd (2.0.4-0ubuntu5) edgy; urgency=low
+
+ * Remove stop script symlinks from rc0 and rc6.
+
+ -- Scott James Remnant Mon, 18 Sep 2006 16:34:57 +0100
+
+vsftpd (2.0.4-0ubuntu4) dapper; urgency=low
+
+ * Switch default config to use ssl-cert-snakeoil certificates.
+ * Add Depends on ssl-cert.
+
+ -- Fabio M. Di Nitto Fri, 03 Feb 2006 17:05:04 +0100
+
+vsftpd (2.0.4-0ubuntu3) dapper; urgency=low
+
+ * Create /var/run/vsftpd if necessary before starting the daemon.
+
+ -- Colin Watson Thu, 2 Feb 2006 09:13:03 +0000
+
+vsftpd (2.0.4-0ubuntu2) dapper; urgency=low
+
+ * Upload as upstream version.
+
+ -- Matthias Klose Thu, 19 Jan 2006 15:27:31 +0000
+
+vsftpd (2.0.4-0ubuntu1) dapper; urgency=low
+
+ * New upstream version.
+
+ -- Matthias Klose Thu, 19 Jan 2006 16:19:35 +0100
+
+vsftpd (2.0.3-1ubuntu1) breezy; urgency=low
+
+ * Resynchronise with Debian.
+
+ -- Adam Conrad Thu, 21 Apr 2005 08:43:37 +0000
+
+vsftpd (2.0.3-1) unstable; urgency=low
+
+ * New upstream release (Closes: #300132).
+ * Search for SSL certificates in /etc by default.
+ * Improved documentation for SSL support (Closes: #266664).
+
+ -- Daniel Jacobowitz Fri, 1 Apr 2005 22:47:55 -0500
+
+vsftpd (2.0.1-1ubuntu1) hoary; urgency=low
+
+ * pretty init scriptage
+
+ -- LaMont Jones Wed, 23 Mar 2005 15:52:34 -0700
+
+vsftpd (2.0.1-1) unstable; urgency=low
+
+ * New upstream release (Closes: #249977, #257773).
+ - Includes SSL support.
+ * Document that the capability module must be loaded if capabilities
+ were built as a module (Closes: #252241, #257774).
+ * Include an /etc/ftpusers to quiet a syslog warning (Closes: #249974).
+ * Conflict with other FTP daemons now that we provide /etc/ftpusers.
+ * Correct output formatting of init.d script (patch from
+ Adeodato Simó ) (Closes: #246437).
+ * Use common-auth and common-account PAM configuration files
+ (Closes: #245233).
+
+ -- Daniel Jacobowitz Sun, 11 Jul 2004 23:57:34 -0400
+
+vsftpd (1.2.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * Change default vsftpd.conf to run standalone (listen=YES) instead of
+ from inetd (Closes: #200159).
+ * Do not call update-inetd in postinst any more since we default to
+ standalone operation (Closes: #163163).
+
+ -- Daniel Jacobowitz Sat, 15 Nov 2003 19:42:21 -0500
+
+vsftpd (1.2.0-4) unstable; urgency=high
+
+ * Tweaks for init.d script, including starting the server if listen_ipv6
+ is specified (from Paul van Tilburg) (Closes: #212210).
+ * Check for a listen configuration, but not in inetd - let the daemon
+ start on an alternate port if it's configured to.
+
+ -- Daniel Jacobowitz Tue, 23 Sep 2003 09:28:22 -0400
+
+vsftpd (1.2.0-3) unstable; urgency=HIGH
+
+ * Remove pam_ftp.so from the default PAM configuration.
+
+ -- Daniel Jacobowitz Sun, 21 Sep 2003 14:03:39 -0400
+
+vsftpd (1.2.0-2) unstable; urgency=low
+
+ * Update for new PAM scheme.
+ * Include more documentation from the source (Closes: #206312).
+
+ -- Daniel Jacobowitz Tue, 26 Aug 2003 16:53:19 -0400
+
+vsftpd (1.2.0-1) unstable; urgency=low
+
+ * New upstream release.
+ - Oops - make max_per_ip and max_clients work with the two process model
+ when both connect_from_port_20 and chown_uploads are false
+ (Closes: #171350).
+ - Add ability for virtual users to use local privs non anon privs, via
+ virtual_use_local_privs=YES (Closes: #172829).
+ * Update README.Debian to describe virtual_use_local_privs.
+ * Depend on adduser (Closes: #195277).
+ * Include the FAQ.
+ * Mention chroot_local_user in the sample configuration file.
+
+ -- Daniel Jacobowitz Sun, 17 Aug 2003 11:47:35 -0400
+
+vsftpd (1.1.3-3) unstable; urgency=low
+
+ * Add /etc/init.d/vsftpd script for standalone mode, from Sander Smeenk.
+ * Document the interaction between guest_enable and anonymous user
+ configuration in README.Debian.
+
+ -- Daniel Jacobowitz Mon, 27 Jan 2003 12:21:13 -0500
+
+vsftpd (1.1.3-2) unstable; urgency=low
+
+ * Brown bag. Fix install invocation in postinst (Closes: #168973).
+
+ -- Daniel Jacobowitz Wed, 13 Nov 2002 13:51:24 -0500
+
+vsftpd (1.1.3-1) unstable; urgency=low
+
+ * New upstream release.
+ - Adds tcpwrappers support (off by default, see vsftpd.conf(5)).
+
+ -- Daniel Jacobowitz Mon, 11 Nov 2002 11:30:23 -0500
+
+vsftpd (1.1.2-1) unstable; urgency=low
+
+ * New upstream release.
+ - Fixes port_promiscuous option (Closes: #167104).
+ * Create /home/ftp owned by root (Closes: #163164).
+ * Change the default value of pam_service_name to "vsftpd".
+ If you had a custom configuration in /etc/pam.d/ftpd, you should
+ either specify pam_service_name=ftp in vsftpd.conf or copy it to the
+ new file.
+ * Provide a default PAM configuration.
+ * Update Standards-Version (no changes required, yay!).
+
+ -- Daniel Jacobowitz Mon, 4 Nov 2002 17:36:33 -0500
+
+vsftpd (1.1.0-2) unstable; urgency=low
+
+ * Add FTP username on initial installation (Closes: #155353).
+ * Rewrite README.Debian.
+ * Use the included vsftpd(8) manual page.
+
+ -- Daniel Jacobowitz Sun, 18 Aug 2002 14:59:02 -0400
+
+vsftpd (1.1.0-1) unstable; urgency=low
+
+ * New upstream release.
+ - Fix for kernel warning about MSG_PEEK.
+ - Change the meaning of anon_root and local_root (Closes: #140713).
+ * Upstream removed the kernel 2.4.0 warning, so I've also removed the
+ kernel 2.4.0 sanity check. 2.4.0 and 2.4.1 had plenty of other nasty
+ bugs besides this one, so everyone should update if they haven't yet.
+ * Update upstream URLs in debian/copyright (Closes: #142525).
+
+ -- Daniel Jacobowitz Tue, 6 Aug 2002 15:06:30 -0400
+
+vsftpd (1.0.0-2) unstable; urgency=low
+
+ * Provide ftp-server, even though we do not conflict with others
+ like the other ftp-servers do (Closes: #120354).
+
+ -- Daniel Jacobowitz Sun, 27 Jan 2002 20:07:08 -0500
+
+vsftpd (1.0.0-1) unstable; urgency=low
+
+ * New upstream release; no code changes from 0.9.4pre4.
+ * Change priority to extra.
+
+ -- Daniel Jacobowitz Wed, 14 Nov 2001 10:21:02 -0500
+
+vsftpd (0.9.4.0pre4-1) unstable; urgency=low
+
+ * New upstream release.
+ * Now uses libcap instead of direct kernel includes (Closes: #105168,
+ #89424).
+
+ -- Daniel Jacobowitz Mon, 12 Nov 2001 14:12:27 -0500
+
+vsftpd (0.9.2-2) unstable; urgency=low
+
+ * Brown bag fix; 2.4.[01] check objected to 2.4.10 (Closes: #113808).
+
+ -- Daniel Jacobowitz Fri, 28 Sep 2001 15:21:19 -0400
+
+vsftpd (0.9.2-1) unstable; urgency=low
+
+ * New upstream version, with nifty features like bandwidth limiting.
+
+ -- Daniel Jacobowitz Sat, 22 Sep 2001 12:47:38 -0400
+
+vsftpd (0.9.1-1) unstable; urgency=low
+
+ * New upstream version.
+ * Add missingok to /etc/logrotate.d/vsftpd (Closes: #89736).
+
+ -- Daniel Jacobowitz Thu, 31 May 2001 09:58:07 -0700
+
+vsftpd (0.0.14-2) unstable; urgency=low
+
+ * Add build dependency on libpam0g-dev. Oops.
+
+ -- Daniel Jacobowitz Fri, 9 Mar 2001 01:07:26 -0500
+
+vsftpd (0.0.14-1) unstable; urgency=low
+
+ * Initial Release.
+ * Create a man page for vsftpd(8).
+ * Suggest logrotate and provide a logrotate.d entry.
+ * Abort if kernel 2.4.0 or 2.4.1 is running.
+
+ -- Daniel Jacobowitz Thu, 8 Mar 2001 01:24:06 -0500
--- vsftpd-2.0.6.orig/debian/patches/fix-ssl-shutdown.patch
+++ vsftpd-2.0.6/debian/patches/fix-ssl-shutdown.patch
@@ -0,0 +1,21 @@
+Index: vsftpd-2.0.6/ssl.c
+===================================================================
+--- vsftpd-2.0.6.orig/ssl.c 2008-09-27 15:05:40.000000000 +0200
++++ vsftpd-2.0.6/ssl.c 2008-09-27 15:06:06.000000000 +0200
+@@ -282,8 +282,15 @@
+ void
+ ssl_data_close(struct vsf_session* p_sess)
+ {
+- if (p_sess->p_data_ssl)
++ SSL* p_ssl = p_sess->p_data_ssl;
++ if (p_ssl)
+ {
++ int ret;
++ ret = SSL_shutdown(p_ssl);
++ if (ret == 0)
++ {
++ SSL_shutdown(p_ssl);
++ }
+ SSL_free(p_sess->p_data_ssl);
+ p_sess->p_data_ssl = NULL;
+ }
--- vsftpd-2.0.6.orig/debian/patches/series
+++ vsftpd-2.0.6/debian/patches/series
@@ -0,0 +1,6 @@
+unused-libs.patch
+builddefs.patch
+config.patch
+wifexited-const.patch
+fix-ssl-shutdown.patch
+11-CVE-2011-0762.patch
--- vsftpd-2.0.6.orig/debian/patches/builddefs.patch
+++ vsftpd-2.0.6/debian/patches/builddefs.patch
@@ -0,0 +1,16 @@
+Index: vsftpd/vsftpd-2.0.5/builddefs.h
+===================================================================
+--- vsftpd-2.0.5.orig/builddefs.h 2006-10-26 09:11:31.000000000 +0200
++++ vsftpd-2.0.5/builddefs.h 2006-10-26 09:11:36.000000000 +0200
+@@ -1,9 +1,9 @@
+ #ifndef VSF_BUILDDEFS_H
+ #define VSF_BUILDDEFS_H
+
+-#undef VSF_BUILD_TCPWRAPPERS
++#define VSF_BUILD_TCPWRAPPERS 1
+ #define VSF_BUILD_PAM
+-#undef VSF_BUILD_SSL
++#define VSF_BUILD_SSL
+
+ #endif /* VSF_BUILDDEFS_H */
+
--- vsftpd-2.0.6.orig/debian/patches/wifexited-const.patch
+++ vsftpd-2.0.6/debian/patches/wifexited-const.patch
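Review bot: In ssl_data_close() (fix-ssl-shutdown.patch) both `SSL_shutdown()` results are effectively ignored: a negative `ret` from the first call is handled like a completed shutdown, and the second call's return value is dropped. The second call waits for the peer's close_notify, so on a blocking data socket a client that never sends one could hold this teardown until some timeout outside the hunk fires, which I cannot see from here; a comment stating what bounds that wait would help. Minor: `SSL_free(p_sess->p_data_ssl);` could use the new local, `SSL_free(p_ssl);`.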
@@ -0,0 +1,20 @@
+--- vsftpd-2.0.5.orig/sysutil.c
++++ vsftpd-2.0.5/sysutil.c
+@@ -601,7 +601,7 @@
+ vsf_sysutil_wait_exited_normally(
+ const struct vsf_sysutil_wait_retval* p_waitret)
+ {
+- return WIFEXITED(p_waitret->exit_status);
++ return WIFEXITED(((struct vsf_sysutil_wait_retval *)p_waitret)->exit_status);
+ }
+
+ int
+@@ -611,7 +611,7 @@
+ {
+ bug("not a normal exit in vsf_sysutil_wait_get_exitcode");
+ }
+- return WEXITSTATUS(p_waitret->exit_status);
++ return WEXITSTATUS(((struct vsf_sysutil_wait_retval *)p_waitret)->exit_status);
+ }
+
+ void
--- vsftpd-2.0.6.orig/debian/patches/11-CVE-2011-0762.patch
+++ vsftpd-2.0.6/debian/patches/11-CVE-2011-0762.patch
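Review bot: Both changed returns in sysutil.c cast away the `const` on `p_waitret` only to satisfy the `WIFEXITED`/`WEXITSTATUS` macros, which hides the qualifier from the compiler for the whole expression. Copying the field into a local keeps the parameter const-correct: `int status = p_waitret->exit_status;` followed by `return WIFEXITED(status);`, and the same with `WEXITSTATUS`. The second function starts outside its inner hunk, so I can only judge the lines shown.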
@@ -0,0 +1,137 @@
+Description: fix denial of service via crafted glob expressions
+Origin: upstream, from 2.3.3 and 2.3.4 releases
+
+diff -Nur vsftpd-2.0.6/access.c vsftpd-2.0.6.new/access.c
+--- vsftpd-2.0.6/access.c 2008-02-01 20:30:41.000000000 -0500
++++ vsftpd-2.0.6.new/access.c 2011-03-25 14:54:03.623109930 -0400
+@@ -16,6 +16,7 @@
+ vsf_access_check_file(const struct mystr* p_filename_str)
+ {
+ static struct mystr s_access_str;
++ unsigned int iters = 0;
+
+ if (!tunable_deny_file)
+ {
+@@ -25,7 +26,7 @@
+ {
+ str_alloc_text(&s_access_str, tunable_deny_file);
+ }
+- if (vsf_filename_passes_filter(p_filename_str, &s_access_str))
++ if (vsf_filename_passes_filter(p_filename_str, &s_access_str, &iters))
+ {
+ return 0;
+ }
+@@ -45,6 +46,7 @@
+ vsf_access_check_file_visible(const struct mystr* p_filename_str)
+ {
+ static struct mystr s_access_str;
++ unsigned int iters = 0;
+
+ if (!tunable_hide_file)
+ {
+@@ -54,7 +56,7 @@
+ {
+ str_alloc_text(&s_access_str, tunable_hide_file);
+ }
+- if (vsf_filename_passes_filter(p_filename_str, &s_access_str))
++ if (vsf_filename_passes_filter(p_filename_str, &s_access_str, &iters))
+ {
+ return 0;
+ }
+diff -Nur vsftpd-2.0.6/defs.h vsftpd-2.0.6.new/defs.h
+--- vsftpd-2.0.6/defs.h 2008-02-01 20:30:41.000000000 -0500
++++ vsftpd-2.0.6.new/defs.h 2011-03-25 14:54:03.623109930 -0400
+@@ -10,6 +10,7 @@
+ #define VSFTP_MAX_COMMAND_LINE 4096
+ #define VSFTP_DATA_BUFSIZE 65536
+ #define VSFTP_DIR_BUFSIZE 16384
++#define VSFTP_MATCHITERS_MAX 1000
+ #define VSFTP_PATH_MAX 4096
+ #define VSFTP_CONF_FILE_MAX 100000
+ #define VSFTP_LISTEN_BACKLOG 32
+diff -Nur vsftpd-2.0.6/ls.c vsftpd-2.0.6.new/ls.c
+--- vsftpd-2.0.6/ls.c 2008-02-01 20:30:41.000000000 -0500
++++ vsftpd-2.0.6.new/ls.c 2011-03-25 14:54:03.623109930 -0400
+@@ -9,6 +9,7 @@
+
+ #include "ls.h"
+ #include "access.h"
++#include "defs.h"
+ #include "str.h"
+ #include "strlist.h"
+ #include "sysstr.h"
+@@ -116,7 +117,9 @@
+ /* If we have an ls option which is a filter, apply it */
+ if (!str_isempty(p_filter_str))
+ {
+- if (!vsf_filename_passes_filter(&s_next_filename_str, p_filter_str))
++ unsigned int iters = 0;
++ if (!vsf_filename_passes_filter(&s_next_filename_str, p_filter_str,
++ &iters))
+ {
+ continue;
+ }
+@@ -215,7 +218,8 @@
+
+ int
+ vsf_filename_passes_filter(const struct mystr* p_filename_str,
+- const struct mystr* p_filter_str)
++ const struct mystr* p_filter_str,
++ unsigned int* iters)
+ {
+ /* A simple routine to match a filename against a pattern.
+ * This routine is used instead of e.g. fnmatch(3), because we should be
+@@ -242,12 +246,13 @@
+ str_copy(&filter_remain_str, p_filter_str);
+ str_copy(&name_remain_str, p_filename_str);
+
+- while (!str_isempty(&filter_remain_str))
++ while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
+ {
+ static struct mystr s_match_needed_str;
+ /* Locate next special token */
+ struct str_locate_result locate_result =
+ str_locate_chars(&filter_remain_str, "*?{");
++ (*iters)++;
+ /* Isolate text leading up to token (if any) - needs to be matched */
+ if (locate_result.found)
+ {
+@@ -311,7 +316,8 @@
+ {
+ str_copy(&new_filter_str, &brace_list_str);
+ str_append_str(&new_filter_str, &filter_remain_str);
+- if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str))
++ if (vsf_filename_passes_filter(&name_remain_str, &new_filter_str,
++ iters))
+ {
+ ret = 1;
+ goto out;
+@@ -347,6 +353,9 @@
+ }
+ /* OK, a match */
+ ret = 1;
++ if (*iters == VSFTP_MATCHITERS_MAX) {
++ ret = 0;
++ }
+ out:
+ str_free(&filter_remain_str);
+ str_free(&name_remain_str);
+diff -Nur vsftpd-2.0.6/ls.h vsftpd-2.0.6.new/ls.h
+--- vsftpd-2.0.6/ls.h 2008-02-01 20:30:41.000000000 -0500
++++ vsftpd-2.0.6.new/ls.h 2011-03-25 14:54:03.623109930 -0400
+@@ -35,11 +35,14 @@
+ * PARAMETERS
+ * p_filename_str - the filename to match
+ * p_filter_str - the filter to match against
++ * iters - pointer to a zero-seeded int which prevents the match
++ * loop from running an excessive number of times
+ * RETURNS
+ * Returns 1 if there is a match, 0 otherwise.
+ */
+ int vsf_filename_passes_filter(const struct mystr* p_filename_str,
+- const struct mystr* p_filter_str);
++ const struct mystr* p_filter_str,
++ unsigned int* iters);
+
+ #endif /* VSF_LS_H */
+
--- vsftpd-2.0.6.orig/debian/patches/config.patch
+++ vsftpd-2.0.6/debian/patches/config.patch
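Review bot: When the iteration cap is reached, vsf_filename_passes_filter() returns 0 (`if (*iters == VSFTP_MATCHITERS_MAX) { ret = 0; }`), and the two callers in access.c read 0 as "does not match deny_file / hide_file", so exhausting the limit makes those checks fail open rather than closed. With `iters` reset to 0 in each caller this probably needs an unusually long or nested pattern and may be unreachable with sane configurations, but the callers cannot tell "no match" from "gave up". I would either document that on the declaration in ls.h or have the access.c callers treat an exhausted counter as a match, e.g. `if (vsf_filename_passes_filter(p_filename_str, &s_access_str, &iters) || iters >= VSFTP_MATCHITERS_MAX)`. The new ls.h comment also says "zero-seeded int" while the parameter is `unsigned int*`.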
@@ -0,0 +1,105 @@
+Index: vsftpd-2.0.5/tunables.c
+===================================================================
+--- vsftpd-2.0.5.orig/tunables.c 2006-07-01 19:06:56.000000000 -0400
++++ vsftpd-2.0.5/tunables.c 2006-07-23 18:31:14.000000000 -0400
+@@ -95,7 +95,7 @@ unsigned int tunable_delay_failed_login
+ unsigned int tunable_delay_successful_login = 0;
+ unsigned int tunable_max_login_fails = 3;
+
+-const char* tunable_secure_chroot_dir = "/usr/share/empty";
++const char* tunable_secure_chroot_dir = "/var/run/vsftpd";
+ const char* tunable_ftp_username = "ftp";
+ const char* tunable_chown_username = "root";
+ const char* tunable_xferlog_file = "/var/log/xferlog";
+@@ -105,7 +105,7 @@ const char* tunable_nopriv_user = "nobod
+ const char* tunable_ftpd_banner = 0;
+ const char* tunable_banned_email_file = "/etc/vsftpd.banned_emails";
+ const char* tunable_chroot_list_file = "/etc/vsftpd.chroot_list";
+-const char* tunable_pam_service_name = "ftp";
++const char* tunable_pam_service_name = "vsftpd";
+ const char* tunable_guest_username = "ftp";
+ const char* tunable_userlist_file = "/etc/vsftpd.user_list";
+ const char* tunable_anon_root = 0;
+Index: vsftpd-2.0.5/vsftpd.conf
+===================================================================
+--- vsftpd-2.0.5.orig/vsftpd.conf 2005-05-20 18:52:54.000000000 -0400
++++ vsftpd-2.0.5/vsftpd.conf 2006-07-23 18:31:14.000000000 -0400
+@@ -8,6 +8,17 @@
+ # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
+ # capabilities.
+ #
++#
++# Run standalone? vsftpd can run either from an inetd or as a standalone
++# daemon started from an initscript.
++listen=YES
++#
++# Run standalone with IPv6?
++# Like the listen parameter, except vsftpd will listen on an IPv6 socket
++# instead of an IPv4 one. This parameter and the listen parameter are mutually
++# exclusive.
++#listen_ipv6=YES
++#
+ # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+ anonymous_enable=YES
+ #
+@@ -88,6 +99,11 @@ connect_from_port_20=YES
+ # (default follows)
+ #banned_email_file=/etc/vsftpd.banned_emails
+ #
++# You may restrict local users to their home directories. See the FAQ for
++# the possible risks in this before using chroot_local_user or
++# chroot_list_enable below.
++#chroot_local_user=YES
++#
+ # You may specify an explicit list of local users to chroot() to their home
+ # directory. If chroot_local_user is YES, then this list becomes a list of
+ # users to NOT chroot().
+@@ -100,4 +116,25 @@ connect_from_port_20=YES
+ # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+ # the presence of the "-R" option, so there is a strong case for enabling it.
+ #ls_recurse_enable=YES
+-
++#
++#
++# Debian customization
++#
++# Some of vsftpd's settings don't fit the Debian filesystem layout by
++# default. These settings are more Debian-friendly.
++#
++# This option should be the name of a directory which is empty. Also, the
++# directory should not be writable by the ftp user. This directory is used
++# as a secure chroot() jail at times vsftpd does not require filesystem
++# access.
++secure_chroot_dir=/var/run/vsftpd
++#
++# This string is the name of the PAM service vsftpd will use.
++pam_service_name=vsftpd
++#
++# This option specifies the location of the RSA certificate to use for SSL
++# encrypted connections.
++rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
++# This option specifies the location of the RSA key to use for SSL
++# encrypted connections.
++rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+Index: vsftpd-2.0.5/vsftpd.conf.5
+===================================================================
+--- vsftpd-2.0.5.orig/vsftpd.conf.5 2006-07-01 19:05:57.000000000 -0400
++++ vsftpd-2.0.5/vsftpd.conf.5 2006-07-23 18:31:14.000000000 -0400
+@@ -848,7 +848,7 @@ Default: nobody
+ .B pam_service_name
+ This string is the name of the PAM service vsftpd will use.
+
+-Default: ftp
++Default: vsftpd
+ .TP
+ .B pasv_address
+ Use this option to override the IP address that vsftpd will advertise in
+@@ -877,7 +877,7 @@ This option should be the name of a dire
+ directory should not be writable by the ftp user. This directory is used
+ as a secure chroot() jail at times vsftpd does not require filesystem access.
+
+-Default: /usr/share/empty
++Default: /var/run/vsftpd
+ .TP
+ .B ssl_ciphers
+ This option can be used to select which SSL ciphers vsftpd will allow for
--- vsftpd-2.0.6.orig/debian/patches/unused-libs.patch
+++ vsftpd-2.0.6/debian/patches/unused-libs.patch
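Review bot: The vsftpd.conf lines added by config.patch point `rsa_cert_file` and `rsa_private_key_file` at the ssl-cert snakeoil pair without saying that this is a self-signed certificate which FTP clients cannot validate against any CA. Anyone who only adds `ssl_enable=YES` gets encryption without server authentication, so the comment above these settings should mark the pair as a placeholder, for example `# Self-signed placeholder from ssl-cert; replace with a CA-issued certificate before relying on it.` debian/README.Debian in this same diff still names /etc/ssl/certs/vsftpd.pem as the default certificate location, which does not match the shipped configuration.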
@@ -0,0 +1,37 @@
+Index: vsftpd-2.0.6/vsf_findlibs.sh
+===================================================================
+--- vsftpd-2.0.6.orig/vsf_findlibs.sh 2008-02-23 11:23:20.000000000 +0100
++++ vsftpd-2.0.6/vsf_findlibs.sh 2008-02-23 11:25:12.000000000 +0100
+@@ -6,7 +6,7 @@
+
+ if find_func hosts_access tcpwrap.o; then
+ echo "-lwrap";
+- locate_library /lib/libnsl.so && echo "-lnsl";
++ #locate_library /lib/libnsl.so && echo "-lnsl";
+ fi
+
+ # Look for PAM (done weirdly due to distribution bugs (e.g. Debian) or the
+@@ -25,19 +25,19 @@
+
+ # Look for the dynamic linker library. Needed by older RedHat when
+ # you link in PAM
+-locate_library /lib/libdl.so && echo "-ldl";
++#locate_library /lib/libdl.so && echo "-ldl";
+
+ # Look for libsocket. Solaris needs this.
+ locate_library /lib/libsocket.so && echo "-lsocket";
+
+ # Look for libnsl. Solaris needs this.
+-locate_library /lib/libnsl.so && echo "-lnsl";
++#locate_library /lib/libnsl.so && echo "-lnsl";
+
+ # Look for libresolv. Solaris needs this.
+-locate_library /lib/libresolv.so && echo "-lresolv";
++#locate_library /lib/libresolv.so && echo "-lresolv";
+
+ # Look for libutil. Older FreeBSD need this for setproctitle().
+-locate_library /usr/lib/libutil.so && echo "-lutil";
++#locate_library /usr/lib/libutil.so && echo "-lutil";
+
+ # For older HP-UX...
+ locate_library /usr/lib/libsec.sl && echo "-lsec";
--- vsftpd-2.0.6.orig/debian/compat
+++ vsftpd-2.0.6/debian/compat
@@ -0,0 +1 @@
+4
--- vsftpd-2.0.6.orig/debian/vsftpd.logrotate
+++ vsftpd-2.0.6/debian/vsftpd.logrotate
@@ -0,0 +1,8 @@
+/var/log/vsftpd.log {
+ # ftpd doesn't handle SIGHUP properly
+ nocompress
+ missingok
+ notifempty
+ rotate 4
+ weekly
+}
--- vsftpd-2.0.6.orig/debian/README.Debian
+++ vsftpd-2.0.6/debian/README.Debian
@@ -0,0 +1,69 @@
+Notes on the Debian vsftpd package
+==================================
+
+If you want to allow local users to log in via FTP (not a good option
+on any public network, since FTP relies upon cleartext passwords), you
+should uncomment the "local_enable" line in /etc/vsftpd.conf.
+
+
+
+The PAM configuration file for vsftpd, unlike for some other FTP daemons,
+should not include pam_ftp.so. pam_ftp is only for anonymous logins, and
+vsftpd has its own handling of anonymous users.
+
+
+
+Anonymous FTP by default uses the home diretory and privileges of the "ftp"
+user for its root directory. Installing the vsftpd package for the first
+time will create this user. If you want to use a different user account,
+change the value of "ftp_username" in /etc/vsftpd.conf. You can also change
+the root directory by setting anon_root.
+
+
+
+If you use virtual users (via PAM and the guest_enable configuration option
+in vsftpd.conf), you may want to investigate the virtual_use_local_privs
+option. By default (without this option), guest users (and thus all virtual
+users) are treated as anonymous users by the configuration. For instance, to
+allow guest users to upload requires setting anon_upload_enable. However,
+with virtual_use_local_privs then write_enable is enough to allow your
+virtual users to upload. This option is new in vsftpd 1.2.0.
+
+If you are using password-protected virtual users you should probably use
+virtual_use_local_privs, disable anonymous access, or at least be very
+careful of your filesystem layout. Note that guest users and anonymous
+users can run as a different user (see guest_username and ftp_username), but
+both will be able to access a world-writeable directory, etc.
+
+
+
+This package includes SSL support. For information about enabling SSL, see
+README.ssl. Be sure to read this file before enabling SSL!
+
+To use SSL you will need a certificate. You may wish to get a certificate
+from a certificate agency; if you only need a self-signed certificate, you
+can use the "make-ssl-cert" script from the Debian "ssl-cert" package to
+create one, or you can create one manually using the "openssl" command.
+The default location for the certificate is /etc/ssl/certs/vsftpd.pem;
+set "rsa_cert_file" in /etc/vsftpd.conf to look elsewhere.
+
+At a minimum you will need the "ssl_enable" option. See the vsftpd.conf
+manual page for more SSL-related settings.
+
+
+On Linux systems, if capability support was disabled in the kernel or
+built as a module and not loaded, vsftpd will fail to run. You'll see
+this error message:
+ 500 OOPS: cap_set_proc
+Build and load the appropriate kernel module to continue.
+
+
+The included init script uses start-stop-daemon's --background option to run
+vsftpd in the background. If you have "background=yes" in your configuration,
+the wrong PID will be recorded in /var/run/vsftpd/vsftpd.pid, and the init
+script may fail to restart or stop vsftpd later. Just remove "background=yes"
+from vsftpd.conf.
+
+
+For more information on configuring vsftpd, see the vsftpd.conf(5) manual
+page, and the included FAQ.