package/pure-ftpd: bump to version 1.0.50

- Drop patches (already in version)
- Update hash of COPYING (year updated with
  https://github.com/jedisct1/pure-ftpd/commit/a81471dceb9caa3f8c1c4b0b35a1291108a0dead
  https://github.com/jedisct1/pure-ftpd/commit/16809bdf93a48b2c89019886065f4bb191619ce6
  and alt_arc4random.c removed with
  https://github.com/jedisct1/pure-ftpd/commit/43591eb6f6488ed9ede0da01dc118dbd8565a89b)
- Update indentation in hash file (two spaces)

https://github.com/jedisct1/pure-ftpd/releases/tag/1.0.50

Signed-off-by: Fabrice Fontaine <[email protected]>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>

diff --git a/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch b/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
deleted file mode 100644 (file)
index 2f791d1..0000000
--- a/package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From aea56f4bcb9948d456f3fae4d044fd3fa2e19706 Mon Sep 17 00:00:00 2001
-From: Frank Denis <[email protected]>
-Date: Mon, 30 Dec 2019 17:40:04 +0100
-Subject: [PATCH] listdir(): reuse a single buffer to store every file name to
- display
-
-Allocating a new buffer for each entry is useless.
-
-And as these buffers are allocated on the stack, on systems with a
-small stack size, with many entries, the limit can easily be reached,
-causing a stack exhaustion and aborting the user session.
-
-Reported by Antonio Morales from the GitHub Security Lab team, thanks!
-[Retrieved from:
-https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706]
-Signed-off-by: Fabrice Fontaine <[email protected]>
----
- src/ls.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
-diff --git a/src/ls.c b/src/ls.c
-index cf804c7..f8a588f 100644
---- a/src/ls.c
-+++ b/src/ls.c
-@@ -661,6 +661,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
-     char *names;
-     PureFileInfo *s;
-     PureFileInfo *r;
-+    char *alloca_subdir;
-+    size_t sizeof_subdir;
-     int d;
- 
-     if (depth >= max_ls_depth || matches >= max_ls_files) {
-@@ -690,14 +692,12 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
-     }
-     outputfiles(f, tls_fd);
-     r = dir;
-+    sizeof_subdir = PATH_MAX + 1U;
-+    if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
-+        goto toomany;
-+    }
-     while (opt_R && r != s) {
-         if (r->name_offset != (size_t) -1 && !chdir(FI_NAME(r))) {
--            char *alloca_subdir;
--            const size_t sizeof_subdir = PATH_MAX + 1U;
--
--            if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
--                goto toomany;
--            }
-             if (SNCHECK(snprintf(alloca_subdir, sizeof_subdir, "%s/%s",
-                                  name, FI_NAME(r)), sizeof_subdir)) {
-                 goto nolist;
-@@ -706,8 +706,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
-             wrstr(f, tls_fd, alloca_subdir);
-             wrstr(f, tls_fd, ":\r\n\r\n");
-             listdir(depth + 1U, f, tls_fd, alloca_subdir);
-+
-             nolist:
--            ALLOCA_FREE(alloca_subdir);
-             if (matches >= max_ls_files) {
-                 goto toomany;
-             }
-@@ -720,6 +720,7 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
-         r++;
-     }
-     toomany:
-+    ALLOCA_FREE(alloca_subdir);
-     free(names);
-     free(dir);
-     names = NULL;

diff --git a/package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch b/package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch
deleted file mode 100644 (file)
index 3de3cbd..0000000
--- a/package/pure-ftpd/0002-pure_strcmp-len-s2-can-be-len-s1.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 36c6d268cb190282a2c17106acfd31863121b58e Mon Sep 17 00:00:00 2001
-From: Frank Denis <[email protected]>
-Date: Mon, 24 Feb 2020 15:19:43 +0100
-Subject: [PATCH] pure_strcmp(): len(s2) can be > len(s1)
-
-Reported by Antonio Morales from GitHub Security Labs, thanks!
-[Retrieved from:
-https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b]
-Signed-off-by: Fabrice Fontaine <[email protected]>
----
- src/utils.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/utils.c b/src/utils.c
-index f41492d..a7f0381 100644
---- a/src/utils.c
-+++ b/src/utils.c
-@@ -45,5 +45,11 @@ int pure_memcmp(const void * const b1_, const void * const b2_, size_t len)
- 
- int pure_strcmp(const char * const s1, const char * const s2)
- {
--    return pure_memcmp(s1, s2, strlen(s1) + 1U);
-+    const size_t s1_len = strlen(s1);
-+    const size_t s2_len = strlen(s2);
-+
-+    if (s1_len != s2_len) {
-+        return -1;
-+    }
-+    return pure_memcmp(s1, s2, s1_len);
- }

diff --git a/package/pure-ftpd/0003-diraliases-always-set-the-tail-of-the-list-to-NULL.patch b/package/pure-ftpd/0003-diraliases-always-set-the-tail-of-the-list-to-NULL.patch
deleted file mode 100644 (file)
index 6c58eb7..0000000
--- a/package/pure-ftpd/0003-diraliases-always-set-the-tail-of-the-list-to-NULL.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa Mon Sep 17 00:00:00 2001
-From: Frank Denis <[email protected]>
-Date: Tue, 18 Feb 2020 18:36:58 +0100
-Subject: [PATCH] diraliases: always set the tail of the list to NULL
-
-Spotted and reported by Antonio Norales from GitHub Security Labs.
-Thanks!
-
-Signed-off-by: Fabrice Fontaine <[email protected]>
-[Retrieved from:
-https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa]
----
- src/diraliases.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/diraliases.c b/src/diraliases.c
-index 4002a36..fb70273 100644
---- a/src/diraliases.c
-+++ b/src/diraliases.c
-@@ -93,7 +93,6 @@ int init_aliases(void)
-                 (tail->dir = strdup(dir)) == NULL) {
-                 die_mem();
-             }
--            tail->next = NULL;
-         } else {
-             DirAlias *curr;
- 
-@@ -105,6 +104,7 @@ int init_aliases(void)
-             tail->next = curr;
-             tail = curr;
-         }
-+        tail->next = NULL;
-     }
-     fclose(fp);
-     aliases_up++;

diff --git a/package/pure-ftpd/0004-Initialize-the-max-upload-file-size-when-quotas-are-enabled.patch b/package/pure-ftpd/0004-Initialize-the-max-upload-file-size-when-quotas-are-enabled.patch
deleted file mode 100644 (file)
index b269e6c..0000000
--- a/package/pure-ftpd/0004-Initialize-the-max-upload-file-size-when-quotas-are-enabled.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 37ad222868e52271905b94afea4fc780d83294b4 Mon Sep 17 00:00:00 2001
-From: Frank Denis <[email protected]>
-Date: Tue, 23 Nov 2021 18:53:34 +0100
-Subject: [PATCH] Initialize the max upload file size when quotas are enabled
-
-Due to an unwanted check, files causing the quota to be exceeded
-were deleted after the upload, but not during the upload.
-
-The bug was introduced in 2009 in version 1.0.23
-
-Spotted by @DroidTest, thanks!
-
-[Retrieved from:
-https://github.com/jedisct1/pure-ftpd/commit/37ad222868e52271905b94afea4fc780d83294b4]
-Signed-off-by: Fabrice Fontaine <[email protected]>
----
- src/ftpd.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/ftpd.c b/src/ftpd.c
-index d856839..be2fd78 100644
---- a/src/ftpd.c
-+++ b/src/ftpd.c
-@@ -4247,8 +4247,7 @@ void dostor(char *name, const int append, const int autorename)
-     if (quota_update(&quota, 0LL, 0LL, &overflow) == 0 &&
-         (overflow > 0 || quota.files >= user_quota_files ||
-          quota.size > user_quota_size ||
--         (max_filesize >= (off_t) 0 &&
--          (max_filesize = user_quota_size - quota.size) < (off_t) 0))) {
-+         (max_filesize = user_quota_size - quota.size) < (off_t) 0)) {
-         overflow = 1;
-         (void) close(f);
-         goto afterquota;

diff --git a/package/pure-ftpd/pure-ftpd.hash b/package/pure-ftpd/pure-ftpd.hash
index 8fe73e4fb012382b40c9c975aa26de60ba7b8e57..e8b779c313e3089c819718c41fe86b89d398f339 100644 (file)
--- a/package/pure-ftpd/pure-ftpd.hash
+++ b/package/pure-ftpd/pure-ftpd.hash
@@ -1,3 +1,3 @@
 # Locally calculated after checking pgp signature
-sha256 8a727dfef810f275fba3eb6099760d4f8a0bdeae2c1197d0d5bfeb8c1b2f61b6  pure-ftpd-1.0.49.tar.bz2
-sha256 3a9e94382a69d04aa434d69b20ff2c01dbbfcb7191f05f69a7109c0ee1559c19  COPYING
+sha256  6722c7fd09fe3c9ebbd572f3d097087ec7b32aacb3df8fa3400d4c07e4f377d7  pure-ftpd-1.0.50.tar.bz2
+sha256  c1be5d56c28927b05131d7384bd522af4b11c3afea45725f5ca7983c11db61ac  COPYING

diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 35a1aac9174c41a1f53ac4ab686c63b47f1cb03f..f3cbef84b90ccb6e0c0a090547045471c43da450 100644 (file)
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PURE_FTPD_VERSION = 1.0.49
+PURE_FTPD_VERSION = 1.0.50
 PURE_FTPD_SITE = https://download.pureftpd.org/pub/pure-ftpd/releases
 PURE_FTPD_SOURCE = pure-ftpd-$(PURE_FTPD_VERSION).tar.bz2
 PURE_FTPD_LICENSE = ISC
@@ -12,18 +12,6 @@ PURE_FTPD_LICENSE_FILES = COPYING
 PURE_FTPD_CPE_ID_VENDOR = pureftpd
 PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
 
-# 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
-PURE_FTPD_IGNORE_CVES += CVE-2019-20176
-
-# 0002-pure_strcmp-len-s2-can-be-len-s1.patch
-PURE_FTPD_IGNORE_CVES += CVE-2020-9365
-
-# 0003-diraliases-always-set-the-tail-of-the-list-to-NULL.patch
-PURE_FTPD_IGNORE_CVES += CVE-2020-9274
-
-# 0004-Initialize-the-max-upload-file-size-when-quotas-are-enabled.patch
-PURE_FTPD_IGNORE_CVES += CVE-2021-40524
-
 PURE_FTPD_CONF_OPTS = \
        --with-altlog \
        --with-puredb