Diffstat (limited to 'community/vsftpd')
-rw-r--r--community/vsftpd/APKBUILD49
-rw-r--r--community/vsftpd/CVE-2015-1419.patch97
-rw-r--r--community/vsftpd/findlibs.patch30
-rw-r--r--community/vsftpd/strip.patch13
-rw-r--r--community/vsftpd/vsftpd-clearenv.patch21
-rw-r--r--community/vsftpd/vsftpd-enable-ssl.patch11
-rw-r--r--community/vsftpd/vsftpd.confd9
-rw-r--r--community/vsftpd/vsftpd.initd26
-rwxr-xr-xcommunity/vsftpd/vsftpd.pre-install7
-rw-r--r--community/vsftpd/wtmpx_file.patch35
10 files changed, 298 insertions, 0 deletions
diff --git a/community/vsftpd/APKBUILD b/community/vsftpd/APKBUILD
new file mode 100644
index 0000000000..7ae0b80c9c
--- /dev/null
+++ b/community/vsftpd/APKBUILD
@@ -0,0 +1,49 @@
+# Contributor: Carlo Landmeter <clandmeter@gmail.com>
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgname=vsftpd
+pkgver=3.0.3
+pkgrel=6
+pkgdesc="Very secure ftpd"
+url="http://vsftpd.beasts.org"
+arch="all"
+license="GPL-2.0-only"
+makedepends="openssl-dev libcap-dev linux-pam-dev linux-headers"
+subpackages="$pkgname-doc"
+install="$pkgname.pre-install"
+source="https://security.appspot.com/downloads/vsftpd-$pkgver.tar.gz
+ vsftpd.initd
+ vsftpd.confd
+ vsftpd-enable-ssl.patch
+ vsftpd-clearenv.patch
+ CVE-2015-1419.patch
+ wtmpx_file.patch
+ findlibs.patch
+ strip.patch
+ "
+
+
+build() {
+ make CFLAGS="$CFLAGS -D_GNU_SOURCE"
+}
+
+package() {
+ install -m755 -D vsftpd "$pkgdir"/usr/sbin/vsftpd
+ install -m644 -D vsftpd.8 "$pkgdir"/usr/share/man/man8/vsftpd.8
+ install -m644 -D vsftpd.conf.5 "$pkgdir"/usr/share/man/man5/vsftpd.conf.5
+ install -m644 -D vsftpd.conf "$pkgdir"/etc/vsftpd/vsftpd.conf
+ install -m755 -D "$srcdir"/$pkgname.initd "$pkgdir"/etc/init.d/$pkgname
+ install -m644 -D "$srcdir"/$pkgname.confd "$pkgdir"/etc/conf.d/$pkgname
+ mkdir -p "$pkgdir"/usr/share/empty
+ mkdir -p "$pkgdir"/var/lib/ftp
+ chown root:ftp "$pkgdir"/var/lib/ftp
+}
+
+sha512sums="5a4410a88e72ecf6f60a60a89771bcec300c9f63c2ea83b219bdf65fd9749b9853f9579f7257205b55659aefcd5dab243eba878dbbd4f0ff8532dd6e60884df7 vsftpd-3.0.3.tar.gz
+99d02ed2a91ea967d6e907c07bbe89e2ced3f919e659be3e8ab90d95d87648cb9fc7224e1c8879b94b6d364810624165db1333020b602f7c42afd2bcc7a2d8e3 vsftpd.initd
+7bd138cf66356db55d00796f99b327e9aedf45a48b6fc9b464801fd17a69949ca1296131513c289b0293d27b29c1add08e601068501591108ed7fb13efeeacf3 vsftpd.confd
+842c1bd972f710e4ba15e1d62a4c8ebf133dc279607b844710ad6484834b6f3a43f9f3296a53e3176df2cec129b0d96b30f0610042ee66b3263d821e1efda398 vsftpd-enable-ssl.patch
+13a3949695ad904c5389513206b9db71b6a4f5d35cd0c37484d9a8d8db1cd7a10c023b005661241a2e6b993fdd9c93eb7b3faaaf2542bf68a1520cf869abd710 vsftpd-clearenv.patch
+73023176872a60a60ea72dc370c13617b5113ff9eb8df8f56c4efc709ca9f7752aed4c7e19530927ea6fe9ccb52dbd8ec128ec898cc8177c6d62ad41c4f281f1 CVE-2015-1419.patch
+bb1bcb97df769d658e3d99a1ed1b585250a84ecfb7371adc17dff85732eee0bdc53442725c91e7563dda250d3c0b1cea1f3a5e805f3abc36aa7d27a7ba237742 wtmpx_file.patch
+d3c8943a23a3c6a36642c8f9e133637bf27a3c5dd70f05d8a2d0bdf62cb0584a42fcfd67831bc2c89286b634cce529ec83ca3253d2eb4d79e15b9f6e98a46d5b findlibs.patch
+c7d1a188abd3136d973b8f6381512152ddbbfd1d86218b46b1707b7df23ce7a0ad37b6e29c8b6ec940aa0dfe959b31cecf1dbc34f55a220e85d255e0671cb291 strip.patch"
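Review bot: Passing `CFLAGS="$CFLAGS -D_GNU_SOURCE"` on the make command line in build() replaces the upstream Makefile's CFLAGS instead of extending it, and the Makefile context shown in strip.patch on this page carries `-fPIE -fstack-protector --param=ssp-buffer-size=4` on that line. The hardened compile then depends entirely on what `$CFLAGS` and the toolchain defaults provide, while LDFLAGS still asks for `-pie`. Either re-add the flags explicitly or record the reliance with a comment such as `# overrides upstream CFLAGS; PIE/SSP must come from $CFLAGS or compiler defaults`. In package(), `/var/lib/ftp` is created with `mkdir -p` and no explicit mode; an `install -d -m755` would pin the permissions of the FTP home rather than leaving them to the build umask.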
diff --git a/community/vsftpd/CVE-2015-1419.patch b/community/vsftpd/CVE-2015-1419.patch
new file mode 100644
index 0000000000..b0662b4580
--- /dev/null
+++ b/community/vsftpd/CVE-2015-1419.patch
@@ -0,0 +1,97 @@
+Index: vsftpd-3.0.2/ls.c
+===================================================================
+--- vsftpd-3.0.2.orig/ls.c
++++ vsftpd-3.0.2/ls.c
+@@ -7,6 +7,7 @@
+ * Would you believe, code to handle directory listing.
+ */
+
++#include <stdlib.h>
+ #include "ls.h"
+ #include "access.h"
+ #include "defs.h"
+@@ -243,11 +244,42 @@ vsf_filename_passes_filter(const struct
+ struct mystr temp_str = INIT_MYSTR;
+ struct mystr brace_list_str = INIT_MYSTR;
+ struct mystr new_filter_str = INIT_MYSTR;
++ struct mystr normalize_filename_str = INIT_MYSTR;
++ const char *normname;
++ const char *path;
+ int ret = 0;
+ char last_token = 0;
+ int must_match_at_current_pos = 1;
++
+ str_copy(&filter_remain_str, p_filter_str);
+- str_copy(&name_remain_str, p_filename_str);
++
++ /* normalize filepath */
++ path = str_strdup(p_filename_str);
++ normname = realpath(path, NULL);
++ if (normname == NULL)
++ goto out;
++ str_alloc_text(&normalize_filename_str, normname);
++
++ if (!str_isempty (&filter_remain_str) && !str_isempty(&normalize_filename_str)) {
++ if (str_get_char_at(p_filter_str, 0) == '/') {
++ if (str_get_char_at(&normalize_filename_str, 0) != '/') {
++ str_getcwd (&name_remain_str);
++
++ if (str_getlen(&name_remain_str) > 1) /* cwd != root dir */
++ str_append_char (&name_remain_str, '/');
++
++ str_append_str (&name_remain_str, &normalize_filename_str);
++ }
++ else
++ str_copy (&name_remain_str, &normalize_filename_str);
++ } else {
++ if (str_get_char_at(p_filter_str, 0) != '{')
++ str_basename (&name_remain_str, &normalize_filename_str);
++ else
++ str_copy (&name_remain_str, &normalize_filename_str);
++ }
++ } else
++ str_copy(&name_remain_str, &normalize_filename_str);
+
+ while (!str_isempty(&filter_remain_str) && *iters < VSFTP_MATCHITERS_MAX)
+ {
+@@ -360,6 +392,9 @@ vsf_filename_passes_filter(const struct
+ ret = 0;
+ }
+ out:
++ free(normname);
++ free(path);
++ str_free(&normalize_filename_str);
+ str_free(&filter_remain_str);
+ str_free(&name_remain_str);
+ str_free(&temp_str);
+Index: vsftpd-3.0.2/str.c
+===================================================================
+--- vsftpd-3.0.2.orig/str.c
++++ vsftpd-3.0.2/str.c
+@@ -770,3 +770,14 @@ str_replace_unprintable(struct mystr* p_
+ }
+ }
+
++void
++str_basename (struct mystr* d_str, const struct mystr* path)
++{
++ static struct mystr tmp;
++
++ str_copy (&tmp, path);
++ str_split_char_reverse(&tmp, d_str, '/');
++
++ if (str_isempty(d_str))
++ str_copy (d_str, path);
++}
+Index: vsftpd-3.0.2/str.h
+===================================================================
+--- vsftpd-3.0.2.orig/str.h
++++ vsftpd-3.0.2/str.h
+@@ -101,6 +101,7 @@ void str_replace_unprintable(struct myst
+ int str_atoi(const struct mystr* p_str);
+ filesize_t str_a_to_filesize_t(const struct mystr* p_str);
+ unsigned int str_octal_to_uint(const struct mystr* p_str);
++void str_basename (struct mystr* d_str, const struct mystr* path);
+
+ /* PURPOSE: Extract a line of text (delimited by \n or EOF) from a string
+ * buffer, starting at character position 'p_pos'. The extracted line will
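Review bot: When `realpath()` fails, the added code in vsf_filename_passes_filter jumps to `out` with `ret` still 0, so any name that cannot be resolved (a dangling symlink, a path that does not exist) is reported as not passing the filter without the pattern ever being evaluated. The callers are outside this patch, but if the function also backs a deny-style filter this fails open. Falling back to the raw name keeps the match running: `if (normname != NULL) str_alloc_text(&normalize_filename_str, normname); else str_copy(&normalize_filename_str, p_filename_str);`. `normname` and `path` are declared `const char *` and later handed to `free()`, which discards the qualifier; plain `char *` is the accurate type. The function body continues beyond the inner hunks shown here.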
diff --git a/community/vsftpd/findlibs.patch b/community/vsftpd/findlibs.patch
new file mode 100644
index 0000000000..4806470d3a
--- /dev/null
+++ b/community/vsftpd/findlibs.patch
@@ -0,0 +1,30 @@
+diff --git a/vsf_findlibs.sh b/vsf_findlibs.sh
+index f5d485d..baf167b 100755
+--- a/vsf_findlibs.sh
++++ b/vsf_findlibs.sh
+@@ -6,8 +6,6 @@ find_func() { egrep $1 $2 >/dev/null; }
+
+ if find_func hosts_access tcpwrap.o; then
+ echo "-lwrap";
+- locate_library /lib/libnsl.so && echo "-lnsl";
+- locate_library /lib64/libnsl.so && echo "-lnsl";
+ fi
+
+ # Look for PAM (done weirdly due to distribution bugs (e.g. Debian) or the
+@@ -36,7 +34,6 @@ locate_library /lib/libdl.so && echo "-ldl";
+ locate_library /lib/libsocket.so && echo "-lsocket";
+
+ # Look for libnsl. Solaris needs this.
+-locate_library /lib/libnsl.so && echo "-lnsl";
+
+ # Look for libresolv. Solaris needs this.
+ locate_library /lib/libresolv.so && echo "-lresolv";
+@@ -69,7 +66,7 @@ locate_library /usr/shlib/librt.so && echo "-lrt";
+ locate_library /usr/lib/libsendfile.so && echo "-lsendfile";
+
+ # OpenSSL
+-if find_func SSL_library_init ssl.o; then
++if find_func SSL_CTX_new ssl.o; then
+ echo "-lssl -lcrypto";
+ fi
+
diff --git a/community/vsftpd/strip.patch b/community/vsftpd/strip.patch
new file mode 100644
index 0000000000..3983173c22
--- /dev/null
+++ b/community/vsftpd/strip.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index c63ed1b..a02f3c1 100644
+--- a/Makefile
++++ b/Makefile
+@@ -9,7 +9,7 @@ CFLAGS = -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 \
+ #-pedantic -Wconversion
+
+ LIBS = `./vsf_findlibs.sh`
+-LINK = -Wl,-s
++LINK =
+ LDFLAGS = -fPIE -pie -Wl,-z,relro -Wl,-z,now
+
+ OBJS = main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
diff --git a/community/vsftpd/vsftpd-clearenv.patch b/community/vsftpd/vsftpd-clearenv.patch
new file mode 100644
index 0000000000..748cc9481b
--- /dev/null
+++ b/community/vsftpd/vsftpd-clearenv.patch
@@ -0,0 +1,21 @@
+diff -ru vsftpd-3.0.2.orig/sysdeputil.c vsftpd-3.0.2/sysdeputil.c
+--- vsftpd-3.0.2.orig/sysdeputil.c 2014-06-19 15:54:37.000000000 -0300
++++ vsftpd-3.0.2/sysdeputil.c 2014-06-19 16:31:14.267550219 -0300
+@@ -37,6 +37,7 @@
+
+ #include <sys/prctl.h>
+ #include <signal.h>
++#include <stdlib.h>
+
+ /* Configuration.. here are the possibilities */
+ #undef VSF_SYSDEP_HAVE_CAPABILITIES
+@@ -931,7 +932,8 @@
+ p_env++;
+ }
+ /* Oops :-) */
+- environ = 0;
++ /* environ = 0; */
++ clearenv();
+ s_p_proctitle = (char*) argv[0];
+ vsf_sysutil_memclr(s_p_proctitle, s_proctitle_space);
+ }
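Review bot: The return value of `clearenv()` is ignored, and the code goes straight on to wipe the proctitle area with `vsf_sysutil_memclr`. clearenv() reports failure with a non-zero result, so a check such as `if (clearenv() != 0) { /* treat as fatal */ }` would stop the process from continuing with an environment that still points into the region about to be cleared. The commented-out `/* environ = 0; */` should be deleted rather than kept beside its replacement. The enclosing function starts and ends outside the hunk.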
diff --git a/community/vsftpd/vsftpd-enable-ssl.patch b/community/vsftpd/vsftpd-enable-ssl.patch
new file mode 100644
index 0000000000..93469e6fdc
--- /dev/null
+++ b/community/vsftpd/vsftpd-enable-ssl.patch
@@ -0,0 +1,11 @@
+--- a/builddefs.h.orig Sun Mar 1 15:18:09 2009
++++ b/builddefs.h Sun Mar 1 15:15:24 2009
+@@ -3,7 +3,7 @@
+
+ #undef VSF_BUILD_TCPWRAPPERS
+ #define VSF_BUILD_PAM
+-#undef VSF_BUILD_SSL
++#define VSF_BUILD_SSL
+
+ #endif /* VSF_BUILDDEFS_H */
+
diff --git a/community/vsftpd/vsftpd.confd b/community/vsftpd/vsftpd.confd
new file mode 100644
index 0000000000..f14602696d
--- /dev/null
+++ b/community/vsftpd/vsftpd.confd
@@ -0,0 +1,9 @@
+# Sample conf.d file for alpine linux
+
+#
+# Specify daemon $OPTS here.
+#
+
+OPTS="/etc/vsftpd/vsftpd.conf"
+USER="vsftp"
+GROUP="vsftp"
diff --git a/community/vsftpd/vsftpd.initd b/community/vsftpd/vsftpd.initd
new file mode 100644
index 0000000000..b040d6305c
--- /dev/null
+++ b/community/vsftpd/vsftpd.initd
@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+
+NAME=vsftpd
+DAEMON=/usr/sbin/$NAME
+
+depend() {
+ need net
+ after firewall
+}
+
+start() {
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --quiet --background \
+ --make-pidfile --pidfile /var/run/${SVCNAME}.pid \
+ --exec ${DAEMON} -- ${OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --quiet \
+ --exec ${DAEMON} \
+ --pidfile /var/run/${SVCNAME}.pid \
+ eend $?
+}
+
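Review bot: In stop(), the `--pidfile /var/run/${SVCNAME}.pid \` line ends with a continuation backslash, so `eend $?` on the following line is passed to start-stop-daemon as extra arguments and the stop result is never reported to OpenRC. Drop the trailing backslash so the line reads `--pidfile /var/run/${SVCNAME}.pid`. Separately, vsftpd.confd sets `USER` and `GROUP` but neither start() nor stop() reads them, and `${OPTS}` is expanded unquoted in start().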
diff --git a/community/vsftpd/vsftpd.pre-install b/community/vsftpd/vsftpd.pre-install
new file mode 100755
index 0000000000..c6e45f1b71
--- /dev/null
+++ b/community/vsftpd/vsftpd.pre-install
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+addgroup -S ftp 2>/dev/null
+addgroup vsftp ftp 2>/dev/null
+adduser -S -h /var/lib/ftp -s /sbin/nologin -G ftp -g vsftp vsftp 2>/dev/null
+
+exit 0
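Review bot: `addgroup vsftp ftp` runs before the `adduser` line that creates the vsftp account, so on a fresh install it fails, and the `2>/dev/null` redirect together with the unconditional `exit 0` hides that. Move it below the `adduser` call, or drop it, since `-G ftp` already places the account in that group. No group named vsftp is created here, although vsftpd.confd sets `GROUP="vsftp"`. Discarding every error also means a failed account creation goes unnoticed until the daemon starts.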
diff --git a/community/vsftpd/wtmpx_file.patch b/community/vsftpd/wtmpx_file.patch
new file mode 100644
index 0000000000..6ca8416933
--- /dev/null
+++ b/community/vsftpd/wtmpx_file.patch
@@ -0,0 +1,35 @@
+diff -rupN a/seccompsandbox.c b/seccompsandbox.c
+--- a/seccompsandbox.c 2012-09-18 08:52:30.000000000 +0200
++++ b/seccompsandbox.c 2014-02-05 20:22:15.919607188 +0100
+@@ -21,7 +21,7 @@
+
+ #include <netinet/in.h>
+
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/mman.h>
+ #include <sys/prctl.h>
+ #include <sys/socket.h>
+diff -rupN a/sysdeputil.c b/sysdeputil.c
+--- a/sysdeputil.c 2012-09-16 06:18:04.000000000 +0200
++++ b/sysdeputil.c 2014-02-05 20:20:07.212933389 +0100
+@@ -1216,7 +1216,9 @@ vsf_insert_uwtmp(const struct mystr* p_u
+ setutxent();
+ (void) pututxline(&s_utent);
+ endutxent();
++#if defined(WTMPX_FILE)
+ updwtmpx(WTMPX_FILE, &s_utent);
++#endif
+ }
+
+ void
+@@ -1235,7 +1237,9 @@ vsf_remove_uwtmp(void)
+ (void) pututxline(&s_utent);
+ endutxent();
+ s_utent.ut_tv.tv_sec = vsf_sysutil_get_time_sec();
++#if defined(WTMPX_FILE)
+ updwtmpx(WTMPX_FILE, &s_utent);
++#endif
+ }
+
+ #endif /* !VSF_SYSDEP_HAVE_UTMPX */
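Review bot: With `WTMPX_FILE` undefined, both `updwtmpx()` calls in vsf_insert_uwtmp and vsf_remove_uwtmp compile out silently, so no login or logout record is appended to wtmpx on such a libc. That deserves a comment at the first guard, for example `/* libc without WTMPX_FILE: wtmpx history is not written; session records come from vsftpd's own log only */`, so operators know where session accounting comes from. Both function bodies begin outside the inner hunks shown.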