--- fex-20091210+debian0.orig/debian/fex.cron.d
+++ fex-20091210+debian0/debian/fex.cron.d
@@ -0,0 +1,4 @@
+#
+# Regular cron jobs for the fex package
+#
+0 3 * * * fex [ -x /usr/share/fex/bin/fex_cleanup ] && /usr/share/fex/bin/fex_cleanup
--- fex-20091210+debian0.orig/debian/compat
+++ fex-20091210+debian0/debian/compat
@@ -0,0 +1 @@
+7
--- fex-20091210+debian0.orig/debian/README.source
+++ fex-20091210+debian0/debian/README.source
@@ -0,0 +1,5 @@
+This package uses dpatch to handle patches against upstream source code; you
+can find additional information about dpatch at
+
+ /usr/share/doc/dpatch/
+
--- fex-20091210+debian0.orig/debian/fex.links
+++ fex-20091210+debian0/debian/fex.links
@@ -0,0 +1,2 @@
+/var/spool/fex /usr/share/fex/spool
+/usr/bin/fac /usr/share/fex/bin/fac
--- fex-20091210+debian0.orig/debian/fex-utils.links
+++ fex-20091210+debian0/debian/fex-utils.links
@@ -0,0 +1,3 @@
+/usr/bin/fexsend /usr/share/fex/bin/fexsend
+/usr/bin/fexget /usr/share/fex/bin/fexget
+/usr/bin/sexsend /usr/share/fex/bin/sexsend
--- fex-20091210+debian0.orig/debian/fex.postrm
+++ fex-20091210+debian0/debian/fex.postrm
@@ -0,0 +1,54 @@ +#!/bin/sh +# postrm script for fex +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `remove' +# * `purge' +# * `upgrade' +# * `failed-upgrade' +# * `abort-install' +# * `abort-install' +# * `abort-upgrade' +# * `disappear' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + purge) + rm -rf /var/spool/fex/ + rm -rf /etc/fex/ + if [ -x "$(command -v deluser)" ]; then + deluser --quiet --system fexsrv > /dev/null || true + else + echo >&2 "not removing $USERNAME system account because deluser command was not found" + fi + if [ -x /etc/init.d/xinetd ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d xinetd reload || true + else + /etc/init.d/xinetd reload + fi + fi + ;; + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + --- fex-20091210+debian0.orig/debian/fex.dirs +++ fex-20091210+debian0/debian/fex.dirs @@ -0,0 +1,2 @@ +var/spool/fex/.error +etc/xinetd.d --- fex-20091210+debian0.orig/debian/watch +++ fex-20091210+debian0/debian/watch @@ -0,0 +1,9 @@ +# Example watch control file for uscan +# Rename this file to "watch" and then you can run the "uscan" command +# to check for upstream updates and more. +# See uscan(1) for format + +# Compulsory line, this is a version 3 file +version=3 +opts="dversionmangle=s/.debian.//" \ +http://fex.rus.uni-stuttgart.de/fex.html /download/archive/fex-(.*)\.tar --- fex-20091210+debian0.orig/debian/control +++ fex-20091210+debian0/debian/control 
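Review bot: The purge branch removes the wrong account — `deluser --quiet --system fexsrv` targets `fexsrv`, while the postinst in this same upload creates the service user as `fex` together with a `fex` group, so purging leaves both behind. The fallback message echoes `$USERNAME`, which this script never sets, so it prints an empty name. I would change the call to `deluser --quiet --system fex > /dev/null || true`, follow it with `delgroup --quiet --system fex > /dev/null || true`, and use the literal name in the echo. The `else` branch's bare `/etc/init.d/xinetd reload` runs under `set -e` without `|| true`, unlike the postinst, so a failed reload aborts the purge part-way through.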
@@ -0,0 +1,60 @@ +Source: fex +Section: web +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Giuseppe Iuculano +Uploaders: Alessio Treglia +Build-Depends: debhelper (>= 7), quilt (>= 0.40) +Standards-Version: 3.8.4 +Homepage: http://fex.rus.uni-stuttgart.de/ +Vcs-Git: git://git.debian.org/collab-maint/fex.git +Vcs-Browser: http://git.debian.org/?p=collab-maint/fex.git + +Package: fex +Architecture: all +Depends: ${misc:Depends}, perl, adduser, xinetd +Recommends: perl-modules, libnet-dns-perl, libdigest-md5-file-perl +Description: web service for transferring very large files + F*EX (Frams's Fast File EXchange) is a service that can be used to allow + users anywhere on the Internet to exchange very large files quickly and + conveniently. + . + The sender uploads the file to the F*EX-server and the recipient + automatically gets a notification e-mail with a download-URL. + . + Main features of F*EX: + . + * file transfer of virtually unlimited file size + * sender and recipient only need an e-mail program and a web browser + (of any kind; they do not have to install any software) + * RESEND and REGET for resuming after link failures at last sent byte + * auto-notification of recipient + * auto-deletion after download + * auto-deletion after expiration date (default: 5 days) + * full-users can create sub-users, who can send only to this full-user + * maintenance-free: no administration necessary beyond creating new + F*EX accounts + * multiple recipients only require one stored copy + * F*EX uses HTTP and needs no firewall tunnels + * support for streams, too (SEX: Stream EXchange) + * shell clients provided for commandline users: fexsend and fexget. 
+ (fex-utils package) + +Package: fex-utils +Architecture: all +Depends: ${misc:Depends}, perl +Recommends: libdigest-md5-file-perl +Description: web service for transferring very large files (utils) + F*EX (Frams's Fast File EXchange) is a service that can be used to allow + users anywhere on the Internet to exchange very large files quickly and + conveniently. + . + The sender uploads the file to the F*EX-server and the recipient + automatically gets a notification e-mail with a download-URL. + . + This package includes: + . + fexsend + fexget + sexsend + sexget --- fex-20091210+debian0.orig/debian/fex.docs +++ fex-20091210+debian0/debian/fex.docs @@ -0,0 +1,5 @@ +doc/concept +doc/Contribs +doc/debugging +doc/FAQ +doc/SSL --- fex-20091210+debian0.orig/debian/changelog +++ fex-20091210+debian0/debian/changelog @@ -0,0 +1,26 @@ +fex (20091210+debian0-2ubuntu0.1) lucid-security; urgency=high + + * SECURITY UPDATE: fix XSS in fup script + - backport DSA 2414 + - CVE-2012-1293, CVE-2012-0869 + * SECURITY UPDATE: fix authentication bypass + - backport DSA 2259 + - CVE-2011-1409 + + -- Kilian Krause Sun, 04 Mar 2012 14:24:04 +0100 + +fex (20091210+debian0-2) unstable; urgency=low + + * [c977b32] Fixed a bug in the mailer, sendmail syntax was wrong + * [edc6f17] bin/fac: use VISUAL and EDITOR environment variables. If + neither of the environment variables is defined, then the default + editor /usr/bin/editor is used. + + -- Giuseppe Iuculano Sun, 07 Feb 2010 18:36:28 +0100 + +fex (20091210+debian0-1) unstable; urgency=low + + * Initial release (Closes: #495973) + + -- Giuseppe Iuculano Sun, 31 Jan 2010 21:39:04 +0100 + --- fex-20091210+debian0.orig/debian/rules +++ fex-20091210+debian0/debian/rules 
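Review bot: The `fex` package depends on `perl`, `adduser` and `xinetd` but declares no mail transport agent, although the 06_mail patch in this upload pipes every notification, sub-user and registration mail into `$sendmail`, and the description advertises auto-notification as a main feature. Unless upstream's `fex.pp` degrades gracefully when no sendmail binary is found (its `$sendmail = '/no/sendmail' unless` default, visible in 02_fex.ph.patch, suggests it only substitutes a dummy path and fails at send time), add `postfix | mail-transport-agent` to Depends, or at minimum to Recommends, so the feature works after a plain install.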
@@ -0,0 +1,54 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +# This has to be exported to make some magic below work. +export DH_OPTIONS + +include /usr/share/quilt/quilt.make + + +build: $(QUILT_STAMPFN) build-stamp + +build-stamp: + dh_testdir + touch $@ + +clean: unpatch + dh_testdir + dh_testroot + rm -f build-stamp + dh_clean + +install: build + dh_testdir + dh_testroot + dh_prep -i + dh_installdirs -i + dh_install -i + +binary-indep: build install + dh_testdir + dh_testroot + dh_installchangelogs doc/Changes + dh_installdocs + dh_install + rm debian/fex/usr/share/fex/bin/sexsend \ + debian/fex/usr/share/fex/bin/fexget debian/fex/usr/share/fex/bin/fexsend \ + debian/fex/usr/share/fex/htdocs/License + cp etc/xinetd_fex debian/fex/etc/xinetd.d/fex + dh_installman -pfex-utils debian/man-fex-utils/*.1 + dh_installman -pfex debian/man-fex/*.1 + dh_link + dh_compress + dh_fixperms + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + +binary-arch: + +binary: binary-arch binary-indep +.PHONY: build clean binary-indep binary-arch binary install --- fex-20091210+debian0.orig/debian/fex-utils.docs +++ fex-20091210+debian0/debian/fex-utils.docs @@ -0,0 +1,2 @@ +doc/fexsend.example +doc/SEX --- fex-20091210+debian0.orig/debian/fex.postinst +++ fex-20091210+debian0/debian/fex.postinst 
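Review bot: `binary-indep` never calls `dh_installcron`, so `debian/fex.cron.d` (the nightly `fex_cleanup` job) is not installed into `/etc/cron.d/` and, unless fexsrv triggers cleanup on its own (nothing visible here shows that), expired and already-downloaded files accumulate in `/var/spool/fex` indefinitely — the auto-deletion the package description promises does not happen; add `dh_installcron` after `dh_installdocs`. `dh_install -i` in the `install` target and `dh_install` again in `binary-indep` are redundant. The `rm` list drops `sexsend`, `fexget` and `fexsend` from the `fex` package but leaves `sexget`, which `fex-utils` also ships, so the split is inconsistent. Note also that `debian/README.source` describes dpatch while this file includes `quilt.make`.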
@@ -0,0 +1,56 @@ +#!/bin/sh +# postinst script for fex +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * `configure' +# * `abort-upgrade' +# * `abort-remove' `in-favour' +# +# * `abort-remove' +# * `abort-deconfigure' `in-favour' +# `removing' +# +# for details, see http://www.debian.org/doc/debian-policy/ or +# the debian-policy package + + +case "$1" in + configure) + # lets give them a fex user/group in all cases. + getent group fex >/dev/null 2>&1 || addgroup --system fex + getent passwd fex >/dev/null 2>&1 || adduser --system --home /usr/share/fex --no-create-home \ + --disabled-password --ingroup fex fex + chown -R fex:fex /usr/share/fex/* + chown -R fex:fex /var/spool/fex/ + if [ -x /etc/init.d/xinetd ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d xinetd reload || true + else + /etc/init.d/xinetd reload || true + fi + fi + + + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 + + --- fex-20091210+debian0.orig/debian/copyright +++ fex-20091210+debian0/debian/copyright 
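Review bot: `chown -R fex:fex /usr/share/fex/*` hands the service's own code (`bin/fexsrv`, `cgi-bin/*`, `lib/fex.pp`) to the account it runs as (`user = fex` in the xinetd stanza of 05_xinetd.patch), so any code-execution bug in the CGI layer — the class of flaw this upload's 07_security_fixes backport addresses — lets an attacker persist by rewriting those scripts. It also creates an escalation path: 01_fac_in_usr_bin.patch pins `/usr/bin/fac` to `require` `/usr/share/fex/lib/fex.pp`, so code planted there by a compromised `fex` account runs with whatever privilege the administrator invokes `fac` with, typically root. Leave `/usr/share/fex` root-owned (`dh_fixperms` already sets sane modes) and chown only `/var/spool/fex`; if upstream genuinely needs to write under `FEXHOME` at runtime, restrict the chown to those specific subdirectories. Consider `chmod 0750 /var/spool/fex` after the chown as well, since nothing visible here narrows the spool from the default 0755 and uploaded files would otherwise be listable by every local user unless fexsrv tightens per-file modes itself.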
@@ -0,0 +1,57 @@ +This package was debianized by Giuseppe Iuculano on +Fri, 03 Oct 2008 16:27:07 +0200. + +It was downloaded from http://fex.rus.uni-stuttgart.de/fex.html + +Upstream Author: + Ulli Horlacher + +Copyright: + Copyright (C) 2006-2009 Ulli Horlacher + +License: + + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this package; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + +On Debian systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL-3'. + +File-specific license terms: + + +== htdocs/FIX.jar == + +Sources for FIX.jar are in fix/ directory, and can be downloaded from: +http://fex.rus.uni-stuttgart.de/download/fix.tar.gz + +All files in directory fix/ except fix/src/fix/Base64Coder.java: + + Copyright (C) 2008 Dominik Greibl + Copyright (C) 2009 Sebastian Roth + LICENSE: GPL (v3 or later), see below + +fix/src/fix/Base64Coder.java: + + Copyright (C) 2003: Christian d'Heureuse, Inventec Informatik AG, Switzerland. + LICENSE: * This is "Open Source" software and released under the GNU/LGPL + (http://www.gnu.org/licenses/lgpl.html) license. + It is provided "as is" without warranty of any kind. + On Debian systems, the complete text of the GNU Lesser General Public License + can be found in `/usr/share/common-licenses/LGPL-3'. 
+ + +The Debian packaging is © 2010, Giuseppe Iuculano and +is licensed under the same license as the software itself. + --- fex-20091210+debian0.orig/debian/fex.install +++ fex-20091210+debian0/debian/fex.install @@ -0,0 +1,8 @@ +bin/ usr/share/fex +cgi-bin/ usr/share/fex +lib/dop usr/share/fex/lib +lib/fex.pp usr/share/fex/lib +lib/fup.pl usr/share/fex/lib +htdocs/ usr/share/fex +lib/fex.ph etc/fex +bin/fac usr/bin --- fex-20091210+debian0.orig/debian/README.Debian +++ fex-20091210+debian0/debian/README.Debian @@ -0,0 +1,7 @@ +fex for Debian +-------------- + +This package installs F*EX webserver on port 8888. If you want change it, edit +/etc/xinetd.d/fex file and change fexsrv port. + + -- Giuseppe Iuculano Sun, 31 Jan 2010 16:27:07 +0200 --- fex-20091210+debian0.orig/debian/fex-utils.install +++ fex-20091210+debian0/debian/fex-utils.install @@ -0,0 +1,4 @@ +bin/fexsend usr/bin +bin/fexget usr/bin +bin/sexsend usr/bin +bin/sexget usr/bin --- fex-20091210+debian0.orig/debian/man-fex/fac.1 +++ fex-20091210+debian0/debian/man-fex/fac.1 
@@ -0,0 +1,38 @@ +.TH fac 1 "October 7, 2008" +.SH NAME +fac \- F*EX admin control +.SH SYNOPSIS +.B fac +.SH DESCRIPTION +This manual page documents briefly the +.B fac +command. +This manual page was written for the Debian distribution +because the original program does not have a manual page. +.SH OPTIONS +.B fac +follow the usual GNU command line syntax, with long +options starting with two dashes (`-'). +A summary of options is included below. +.TP +.B \-v +Show config. +.TP +.B \-u user +Show upload URL for user. +If is used, create new user or set new auth-ID +.TP +.B \-e user +Edit user recipients restriction file +.TP +.B \-d user +Delete user. +.TP +.B \-l +List current files +Self-register your e-mail address at FEX server +.SH AUTHOR +fac was written by Ulli Horlacher +.PP +This manual page was written by Giuseppe Iuculano , +for the Debian project (but may be used by others). --- fex-20091210+debian0.orig/debian/man-fex-utils/fexsend.1 +++ fex-20091210+debian0/debian/man-fex-utils/fexsend.1 
@@ -0,0 +1,69 @@ +.TH fexsend 1 "October 7, 2008" +.SH NAME +fexsend \- F*EX client +.SH SYNOPSIS +.B fexsend +.SH DESCRIPTION +This manual page documents briefly the +.B fexsend +command. +This manual page was written for the Debian distribution +because the original program does not have a manual page. +.SH OPTIONS +.B fexsend +follow the usual GNU command line syntax, with long +options starting with two dashes (`-'). +A summary of options is included below. +.TP +.B \-v +Runs fexsend in verbose mode. +.TP +.B \-m +Limit throughput to limit kB/s. +.TP +.B \-s +Save to filename (\-s- means: write to STDOUT/pipe) +.TP +.B \-d +Delete on server. +.TP +.B \-l +List files on server. +.TP +.B \-c +Compress file +.TP +.B \-u +Use FEX-URL +.TP +.B \-f +Use user and ID +.TP +.B \-C +Add comment to notification e-mail +.TP +.B \-k +keep file max days on fex server +.TP +.B \-K +Really keep: no auto-delete after download +.TP +.B \-D +Delay auto-delete after download (until next cleanup) +.TP +.B \-a +Put files in archive (.zip .7z .tar .tgz) +.TP +.B \-A +Put files in archive and send to yourself +.TP +.B \-I +Initialize ID file +.TP +.B \-R +Self-register your e-mail address at FEX server +.SH AUTHOR +fexsend was written by Ulli Horlacher +.PP +This manual page was written by Giuseppe Iuculano , +for the Debian project (but may be used by others). --- fex-20091210+debian0.orig/debian/man-fex-utils/fexget.1 +++ fex-20091210+debian0/debian/man-fex-utils/fexget.1 
@@ -0,0 +1,36 @@ +.TH fexget 1 "October 7, 2008" +.SH NAME +fexget \- F*EX client +.SH SYNOPSIS +.B fexget +.SH DESCRIPTION +This manual page documents briefly the +.B fexget +command. +This manual page was written for the Debian distribution +because the original program does not have a manual page. +.SH OPTIONS +.B fexget +follow the usual GNU command line syntax, with long +options starting with two dashes (`-'). +A summary of options is included below. +.TP +.B \-v +Runs fexget in verbose mode. +.TP +.B \-m +Limit kB/s. +.TP +.B \-s +Save to filename (\-s- means: write to STDOUT/pipe) +.TP +.B \-d +Delete on server. +.TP +.B \-l +List files on server. +.SH AUTHOR +fexget was written by Ulli Horlacher +.PP +This manual page was written by Giuseppe Iuculano , +for the Debian project (but may be used by others). --- fex-20091210+debian0.orig/debian/man-fex-utils/sexsend.1 +++ fex-20091210+debian0/debian/man-fex-utils/sexsend.1 @@ -0,0 +1,33 @@ +.TH sexsend 1 "October 7, 2008" +.SH NAME +sexsend \- F*EX client +.SH SYNOPSIS +.B sexsend +.SH DESCRIPTION +This manual page documents briefly the +.B sexsend +command. +This manual page was written for the Debian distribution +because the original program does not have a manual page. +.SH OPTIONS +.B sexsend +follow the usual GNU command line syntax, with long +options starting with two dashes (`-'). +A summary of options is included below. +.TP +.B \-v +Runs sexsend in verbose mode. +.TP +.B \-t +Runs sexsend in text mode +.TP +.B \-F +Start with fill character (1 kB '=') +.TP +.B \-d +Do not check recipient for mutt alias. +.SH AUTHOR +sexsend was written by Ulli Horlacher +.PP +This manual page was written by Giuseppe Iuculano , +for the Debian project (but may be used by others). --- fex-20091210+debian0.orig/debian/man-fex-utils/sexget.1 +++ fex-20091210+debian0/debian/man-fex-utils/sexget.1 
@@ -0,0 +1,27 @@
+.TH sexget 1 "October 7, 2008"
+.SH NAME
+sexget \- F*EX client
+.SH SYNOPSIS
+.B sexget
+.SH DESCRIPTION
+This manual page documents briefly the
+.B sexget
+command.
+This manual page was written for the Debian distribution
+because the original program does not have a manual page.
+.SH OPTIONS
+.B sexget
+follow the usual GNU command line syntax, with long
+options starting with two dashes (`-').
+A summary of options is included below.
+.TP
+.B \-v
+Runs sexget in verbose mode.
+.TP
+.B \-u
+Use this user & ID (ID may be "public")
+.SH AUTHOR
+sexget was written by Ulli Horlacher
+.PP
+This manual page was written by Giuseppe Iuculano ,
+for the Debian project (but may be used by others).
--- fex-20091210+debian0.orig/debian/patches/04_fac.patch
+++ fex-20091210+debian0/debian/patches/04_fac.patch
@@ -0,0 +1,22 @@
+Author: Giuseppe Iuculano
+Description: Print better response for user creation
+--- a/bin/fac
++++ b/bin/fac
+@@ -160,7 +160,7 @@ if ($opt_u) {
+ unless ($ido) {
+ die "$0: user is not a regular FEX user\n";
+ }
+- print "$fup?from=$user&ID=$ido\n";
++ print "Email: $user\nAuth-ID: $ido\nURL: $fup?from=$user&ID=$ido\n";
+ exit;
+ }
+ unless ($user =~ /\w@[\w\.\-]+\.[a-z]+$/) {
+@@ -173,7 +173,7 @@ if ($opt_u) {
+ open F,">$idf" or die "$0: cannot write $idf - $!\n";
+ print F $id,"\n",$sid;
+ close F or die "$0: cannot write $idf - $!\n";
+- print "$fup?from=$user&ID=$id\n";
++ print "New auth-ID for $user: $id \nURL: $fup?from=$user&ID=$id\n";
+ exit;
+ }
+
--- fex-20091210+debian0.orig/debian/patches/06_mail.patch
+++ fex-20091210+debian0/debian/patches/06_mail.patch
@@ -0,0 +1,58 @@ +Fixed sendmail syntax +--- a/cgi-bin/fuc ++++ b/cgi-bin/fuc +@@ -362,7 +362,7 @@ sub notify_subuser { + my $server = $hostname || $mdomain; + + $from .= '@'.$mdomain if $from !~ /@/; +- open my $mail,"|$sendmail -f '$from' $subuser,fex" ++ open my $mail,"|$sendmail -f '$from' $subuser , $admin" + or http_die("cannot start sendmail - $!\n"); + pq($mail,qq( + 'From: $from ($from via F*EX service $server)' +--- a/cgi-bin/fup ++++ b/cgi-bin/fup +@@ -85,7 +85,7 @@ if ($from and $id_forgotten) { + 'From: $admin' + 'To: $from' + 'Subject: F*EX service $hostname' +- 'Bcc: fex' ++ 'Bcc: $admin' + '' + 'Your reqested F*EX auth-ID for $hostname is:' + '$id' +--- a/cgi-bin/fur ++++ b/cgi-bin/fur +@@ -135,10 +135,10 @@ if ($verify eq 'no') { + http_header("200 OK",'Content-Type: text/plain'); + print "$ENV{PROTO}://$ENV{HTTP_HOST}/fup?from=$user&ID=$id\n"; + furlog("direct: account $user created"); +- if (open my $mail,"|$sendmail fex 2>>$log") { ++ if (open my $mail,"|$sendmail $admin 2>>$log") { + pq($mail,qq( + 'From: fex' +- 'To: fex' ++ 'To: $admin' + 'Subject: F*EX user registration' + '' + '$user has been auto-registrated with verify=no' +@@ -158,7 +158,7 @@ open $reg,'>',".reg/$reg" or http_die("o + print {$reg} $user,"\n",$id,"\n"; + close $reg or http_die("close .reg/$reg - $!\n"); + +-open my $mail,"|$sendmail $user,fex 2>>$log" ++open my $mail,"|$sendmail $user , $admin 2>>$log" + or http_die("cannot start sendmail - $!\n"); + pq($mail,qq( + 'From: fex\@$hostname' +--- a/lib/fex.pp ++++ b/lib/fex.pp +@@ -326,7 +326,7 @@ WARNING: File is greater than 4 GB. 
Inte + else { $comment = "" } + if ($days == 1) { $days .= " day" } + else { $days .= " days" } +- open P,"|$sendmail -f '$mfrom' $mto,fex" or http_die("cannot start sendmail - $!\n"); ++ open P,"|$sendmail -f '$mfrom' $mto" or http_die("cannot start sendmail - $!\n"); + print P $header,"\n"; + # binmode(P,':utf8'); + pq(P,qq( --- fex-20091210+debian0.orig/debian/patches/02_fex.ph.patch +++ fex-20091210+debian0/debian/patches/02_fex.ph.patch @@ -0,0 +1,33 @@ +Author: Giuseppe Iuculano +Description: Force to use /etc/fex/fex.ph +--- a/bin/fac ++++ b/bin/fac +@@ -38,7 +38,7 @@ our ($FEXHOME,$spooldir,$logdir,$docdir, + # load common code, local config : $HOME/lib/fex.ph + require "$FEXLIB/fex.pp" or die "$0: cannot load $FEXLIB/fex.pp - $!\n"; + +-die "$0: \$admin not configured in $FEXLIB/fex.ph\n" if $admin =~ /example.org/; ++die "$0: \$admin not configured in /etc/fex/fex.ph\n" if $admin =~ /example.org/; + + $opt_v = $opt_l = $opt_h = $opt_w = 0; + $opt_u = $opt_s = $opt_e = $opt_d = ''; +@@ -134,7 +134,7 @@ if ($opt_v) { + print "mdomain = $mdomain\n"; + print "keep_default = $keep_default\n"; + print "admin = $admin\n"; +- print "\nto change these settings, edit $FEXLIB/fex.ph\n"; ++ print "\nto change these settings, edit /etc/fex/fex.ph\n"; + exit; + } + +--- a/lib/fex.pp ++++ b/lib/fex.pp +@@ -24,7 +24,7 @@ $sendmail = '/no/sendmail' unless + $FEXLIB =~ s:/+$::; + + # local config +-require "$FEXLIB/fex.ph"; ++require "/etc/fex/fex.ph"; + + # $FEXHOME is top-level directory of F*EX installation + # $ENV{HOME} is login-directory of user fex --- fex-20091210+debian0.orig/debian/patches/03_fix_edit_user.patch +++ fex-20091210+debian0/debian/patches/03_fix_edit_user.patch 
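Review bot: The rewritten `open` calls in `fuc` and `fur` still build a shell command by string interpolation — `"|$sendmail -f '$from' $subuser , $admin"` and `"|$sendmail $user , $admin 2>>$log"` — and `$from`, `$subuser` and `$user` originate from request data (the sender address, a sub-user address, a self-registration address). A single quote in `$from` or any shell metacharacter in `$subuser` or `$user` breaks out of the quoting and runs as the `fex` user, unless these values are validated by code outside this hunk, which I cannot see from here. Since the patch already touches each of these lines, switch them to the list form that bypasses the shell, e.g. `open my $mail, '|-', $sendmail, '-f', $from, $subuser, $admin`, dropping the bare `,` argument; for the `fur` case the `2>>$log` redirection has to move to a `local *STDERR` reopen, or `$user` must first be checked against an anchored address regex like the one `fac` uses. The enclosing subroutines (`notify_subuser` and the `fur` registration code) continue outside the hunk.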
@@ -0,0 +1,23 @@
+Author: Giuseppe Iuculano
+Description: use VISUAL and EDITOR environment variables.
+ If neither of the environment variables is defined, then the default editor /usr/bin/editor is used
+--- a/bin/fac
++++ b/bin/fac
+@@ -40,6 +40,8 @@ require "$FEXLIB/fex.pp" or die "$0: can
+ 
+ die "$0: \$admin not configured in /etc/fex/fex.ph\n" if $admin =~ /example.org/;
+ 
++$EDITOR = $ENV{VISUAL} || $ENV{EDITOR} || '/usr/bin/editor';
++
+ $opt_v = $opt_l = $opt_h = $opt_w = 0;
+ $opt_u = $opt_s = $opt_e = $opt_d = '';
+ 
+@@ -120,7 +122,7 @@ if ($opt_e) {
+ EOD
+ close F;
+ }
+- system $ENV{EDITOR},$ar;
++ system $EDITOR,$ar;
+ unlink $ar unless -s $ar;
+ exit;
+ }
--- fex-20091210+debian0.orig/debian/patches/07_security_fixes.patch
+++ fex-20091210+debian0/debian/patches/07_security_fixes.patch
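Review bot: `system $EDITOR,$ar` passes the whole of `$VISUAL`/`$EDITOR` as a single argv element, so common settings such as `EDITOR="vim -u NONE"` or `"emacs -nw"` fail with an exec error instead of opening the file; the list form is the right choice against shell injection, but the value then needs to be split, e.g. `system split(' ', $EDITOR), $ar;`. Because `fac` is an admin tool that is normally run with elevated privileges, honouring the caller's editor variables is only safe as long as the command is never exposed through sudo with `env_keep` to untrusted users — a one-line comment above the assignment, such as `# trusts the invoking user's environment; do not expose fac via sudo env_keep`, would record that. The `if ($opt_e)` block begins and continues outside the hunk.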
@@ -0,0 +1,113 @@ +Author: Ullrich Horlacher +Description: fix fup to enforce auth-ID to be set (backported from 20110609) +Description: fix XSS (backported from 20120215) +--- a/bin/fexsrv ++++ b/bin/fexsrv +@@ -137,7 +137,7 @@ REQUEST: + + seek $log,0,SEEK_END; + +-$ENV{REQUEST_URI} = ''; ++$ENV{REQUEST_URI} = $uri = ''; + $http_req = $cgi = ''; + $hl = 0; + +@@ -205,11 +205,15 @@ while (defined($_ = nvt_read())) { + goto REQUEST; # uh-uhhhh! ugly! ;-) + } elsif (/^(GET|HEAD|POST)\s+(.+)\s(HTTP\/[\d\.]+$)/i) { + $ENV{REQUEST_METHOD} = uc($1); +- $ENV{REQUEST_URI} = $cgi = $2; ++ $ENV{REQUEST_URI} = $uri = $cgi = $2; + $ENV{HTTP_VERSION} = $protocol = $3; + $ENV{QUERY_STRING} = $1 if $cgi =~ s/\?(.*)//; + $ENV{PATH_INFO} = $1 if $cgi =~ m:/.+?(/.+?)(\?|$):; + $ENV{KEEP_ALIVE} = $keep_alive = '' if $protocol =~ /1\.0/; ++ if ($uri =~ /<|%3c/i) { badchar("<") } ++ if ($uri =~ />|%3e/i) { badchar(">") } ++ if ($uri =~ /\||%7c/i) { badchar("|") } ++ if ($uri =~ /\\|%5c/i) { badchar("\\") } + } elsif (/^([\w\-_]+):\s*(.+)/) { + # mega stupid "Download Manager" FlashGet + if (m{^Referer: https?://[^/]+/fop/\w+$}) { +@@ -374,6 +378,14 @@ sub schrub { + } + + ++sub badchar { ++ my $bc = shift; ++ ++ debuglog("DISCONNECT: bad characters in URL $uri"); ++ http_die("\"$bc\" is not allowed in URL"); ++} ++ ++ + sub http_error { + my $error = shift; + +--- a/cgi-bin/fop ++++ b/cgi-bin/fop +@@ -373,6 +373,9 @@ sub sendfile { + $type = 'application/octet-stream'; + } + ++ # HTML is not allowed for security reasons! ++ type =~ s/html/plain/i; ++ + if ($seek) { + my $range = sprintf("bytes %s-%s/%s",$seek,$total_size-1,$total_size); + nvt_print( +--- a/cgi-bin/fup ++++ b/cgi-bin/fup +@@ -639,6 +639,7 @@ unless ($file) { + # all these variables should be defined here, but just to be sure... 
+ http_die("no file specified") unless $file; + http_die("no sender specified") unless $from; ++http_die("no auth-ID specified") unless $id; + http_die("no recipient specified") unless @to; + http_die("wrong auth-ID specified") unless $rid eq $id; + +@@ -740,9 +741,16 @@ exit; + sub checkchars { + my $input = shift; + local $_ = shift; +- http_die("\"$1\" is not allowed at beginning of $input $_") if /^([<>|+.])/; +- http_die("\"$1\" is not allowed in $input $_") if /([\/,])/; +- http_die("\"$1\" is not allowed at end of $input $_") if /([<>|])$/; ++ if (/^([<>|+.])/) { ++ http_die(sprintf("\"&#%s;\" is not allowed at beginning of %s", ++ ord($1),$input)); ++ } ++ if (/([\/\"\\<>,])/) { ++ http_die(sprintf("\"&#%s;\" is not allowed in %s",ord($1),$input)); ++ } ++ if (/([<>|])$/) { ++ http_die(sprintf("\"&#%s;\" is not allowed at end of %s",ord($1),$input)); ++ } + } + + # parse GET and POST requests +@@ -758,6 +766,10 @@ sub parse_request { + my $x = $1; + # decode URL-encoding + s/%([a-f0-9]{2})/chr(hex($1))/gie; ++ if (/([<>])/) { ++ $_ = sprintf("\"&#%s;\" is not allowed in URL parameter",ord($1)); ++ http_die($_); ++ } + setparam($x,$_); + } + } +@@ -820,7 +832,12 @@ sub parse_request { + push @header,$_; + $file = $param{'FILE'} = $1; + $file =~ s/%(\d+)/chr($1)/ge; +- $file = $filename = untaint(strip_path(normalize($file))); ++ $file = untaint(strip_path(normalize($file))); ++ $file =~ s/[\\\/<>]/_/g; # filter out dangerous chars ++ $file =~ s/^\|//; # filter out dangerous chars ++ $file =~ s/\|$//; # filter out dangerous chars ++ $filename = $file; ++ + $fkey = urlencode($file); + while (&nvt_read) { + last if /^\s*$/; --- fex-20091210+debian0.orig/debian/patches/05_xinetd.patch +++ fex-20091210+debian0/debian/patches/05_xinetd.patch 
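Review bot: In the `fop` hunk, `type =~ s/html/plain/i;` is missing the `$` sigil on `$type`; unless this is a rendering artifact of the corpus, the line is either a compile-time error under `use strict` or a substitution attempted on a bareword, so the `text/html` to `text/plain` downgrade meant to stop stored-HTML XSS on download never takes effect, even though the `$type = 'application/octet-stream'` context line right above it uses the variable correctly — it should read `$type =~ s/html/plain/i;`. The new `fexsrv` checks are a denylist on the raw request URI (`<`, `>`, `|`, `\` and their single-level percent-encodings); they do not cover `"` or `'`, double encoding such as `%253c`, or attribute and JavaScript contexts, so they are defence in depth while the decoded-parameter check added to `parse_request` and the numeric-entity escaping in `checkchars` are the real fix. The filename filter still allows `|` inside a name and does not touch `"` or `'`; whether that is safe depends on how `$file` is later emitted into HTML, which is outside this hunk. `sendfile`, `checkchars` and `parse_request` all continue outside the hunk.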
@@ -0,0 +1,18 @@
+Use port 8888 by default
+--- a/etc/xinetd_fex
++++ b/etc/xinetd_fex
+@@ -7,12 +7,11 @@ service fex
+ wait = no
+ type = unlisted
+ protocol = tcp
+- bind = ADDRESS
+- port = PORT
++ port = 8888
+ cps = 5 10
+ user = fex
+ groups = yes
+- server = FEXHOME/bin/fexsrv
++ server = /usr/share/fex/bin/fexsrv
+ nice = 0
+ disable = no
+ }
--- fex-20091210+debian0.orig/debian/patches/01_fac_in_usr_bin.patch
+++ fex-20091210+debian0/debian/patches/01_fac_in_usr_bin.patch
@@ -0,0 +1,14 @@
+Author: Giuseppe Iuculano
+Description: Force to use /usr/share/fex/lib dir
+--- a/bin/fac
++++ b/bin/fac
+@@ -16,6 +16,9 @@ $FEXLIB =
+ $0 =~ m:(.*/): ? "$1/../lib":
+ "../lib";
+ 
++# Force to use /usr/share/fex/lib dir
++$FEXLIB = "/usr/share/fex/lib";
++
+ die "$0: no \$FEXLIB, run $0 with full path!\n" unless -d $FEXLIB;
+ 
+ $0 =~ s:.*/::;
--- fex-20091210+debian0.orig/debian/patches/series
+++ fex-20091210+debian0/debian/patches/series
@@ -0,0 +1,7 @@
+01_fac_in_usr_bin.patch
+02_fex.ph.patch
+03_fix_edit_user.patch
+04_fac.patch
+05_xinetd.patch
+06_mail.patch
+07_security_fixes.patch
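Review bot: Dropping the `bind = ADDRESS` line instead of substituting a value makes the service listen on every interface, and with `disable = no` xinetd starts serving `fexsrv` on 0.0.0.0:8888 the moment the package is installed — before the administrator has edited `/etc/fex/fex.ph`, which `fac` refuses to operate with while `$admin` still matches `example.org` (see 02_fex.ph.patch). Ship the stanza with `disable = yes`, or at least `bind = 127.0.0.1`, and have README.Debian tell the administrator to enable it after configuring, as is customary for xinetd-served services. `cps = 5 10` is the only rate limiting present; `per_source` and `instances` limits are worth adding for an unauthenticated upload endpoint.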