!78 [sync] PR-76: fix CVE-2024-48651

From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333

backport-CVE-2024-48651.patch

@@ -0,0 +1,318 @@
+From cec01cc0a2523453e5da5a486bc6d977c3768db1 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj@castaglia.org>
+Date: Wed, 13 Nov 2024 06:33:35 -0800
+Subject: [PATCH] Issue #1830: When no supplemental groups are provided by the
+ underlying authentication providers, fall back to using the primary
+ group/GID. (#1835)
+
+This prevents surprise due to inheritance of the parent processes' supplemental group membership, which might inadvertently provided undesired access.
+---
+ contrib/mod_sftp/auth.c                       |  14 +-
+ modules/mod_auth.c                            |  19 +-
+ src/auth.c                                    |  14 +-
+ .../ProFTPD/Tests/Modules/mod_sql_sqlite.pm   | 174 ++++++++++++++++++
+ 4 files changed, 209 insertions(+), 12 deletions(-)
+
+diff --git a/contrib/mod_sftp/auth.c b/contrib/mod_sftp/auth.c
+index c7a694e..6196fec 100644
+--- a/contrib/mod_sftp/auth.c
++++ b/contrib/mod_sftp/auth.c
+@@ -388,8 +388,20 @@ static int setup_env(pool *p, const char *user) {
+       session.groups == NULL) {
+     res = pr_auth_getgroups(p, pw->pw_name, &session.gids, &session.groups);
+     if (res < 1) {
++      /* If no supplemental groups are provided, default to using the process
++       * primary GID as the supplemental group.  This prevents access
++       * regressions as seen in Issue #1830.
++       */
+       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
+-        "no supplemental groups found for user '%s'", pw->pw_name);
++        "no supplemental groups found for user '%s', "
++        "using primary group %s (GID %lu)", pw->pw_name, session.group,
++        (unsigned long) session.login_gid);
++
++      session.gids = make_array(p, 2, sizeof(gid_t));
++      session.groups = make_array(p, 2, sizeof(char *));
++
++      *((gid_t *) push_array(session.gids)) = session.login_gid;
++      *((char **) push_array(session.groups)) = pstrdup(p, session.group);
+     }
+   }
+ 
+diff --git a/modules/mod_auth.c b/modules/mod_auth.c
+index a85be06..9eb9b48 100644
+--- a/modules/mod_auth.c
++++ b/modules/mod_auth.c
+@@ -1113,8 +1113,8 @@ static int setup_env(pool *p, cmd_rec *cmd, const char *user, char *pass) {
+     session.groups = NULL;
+   }
+ 
+-  if (!session.gids &&
+-      !session.groups) {
++  if (session.gids == NULL &&
++      session.groups == NULL) {
+     /* Get the supplemental groups.  Note that we only look up the
+      * supplemental group credentials if we have not cached the group
+      * credentials before, in session.gids and session.groups.  
+@@ -1124,8 +1124,19 @@ static int setup_env(pool *p, cmd_rec *cmd, const char *user, char *pass) {
+      */
+      res = pr_auth_getgroups(p, pw->pw_name, &session.gids, &session.groups);
+      if (res < 1) {
+-       pr_log_debug(DEBUG5, "no supplemental groups found for user '%s'",
+-         pw->pw_name);
++       /* If no supplemental groups are provided, default to using the process
++        * primary GID as the supplemental group.  This prevents access
++        * regressions as seen in Issue #1830.
++        */
++       pr_log_debug(DEBUG5, "no supplemental groups found for user '%s', "
++         "using primary group %s (GID %lu)", pw->pw_name, session.group,
++         (unsigned long) session.login_gid);
++
++       session.gids = make_array(p, 2, sizeof(gid_t));
++       session.groups = make_array(p, 2, sizeof(char *));
++
++       *((gid_t *) push_array(session.gids)) = session.login_gid;
++       *((char **) push_array(session.groups)) = pstrdup(p, session.group);
+      }
+   }
+ 
+diff --git a/src/auth.c b/src/auth.c
+index b90fe41..af39fc0 100644
+--- a/src/auth.c
++++ b/src/auth.c
+@@ -1471,12 +1471,12 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids,
+   }
+ 
+   /* Allocate memory for the array_headers of GIDs and group names. */
+-  if (group_ids) {
+-    *group_ids = make_array(permanent_pool, 2, sizeof(gid_t));
++  if (group_ids != NULL) {
++    *group_ids = make_array(p, 2, sizeof(gid_t));
+   }
+ 
+-  if (group_names) {
+-    *group_names = make_array(permanent_pool, 2, sizeof(char *));
++  if (group_names != NULL) {
++    *group_names = make_array(p, 2, sizeof(char *));
+   }
+ 
+   cmd = make_cmd(p, 3, name, group_ids ? *group_ids : NULL,
+@@ -1495,7 +1495,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids,
+      * for the benefit of auth_getgroup() implementors.
+      */
+ 
+-    if (group_ids) {
++    if (group_ids != NULL) {
+       register unsigned int i;
+       char *strgids = "";
+       gid_t *gids = (*group_ids)->elts;
+@@ -1511,7 +1511,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids,
+         *strgids ? strgids : "(None; corrupted group file?)");
+     }
+ 
+-    if (group_names) {
++    if (group_names != NULL) {
+       register unsigned int i;
+       char *strgroups = ""; 
+       char **groups = (*group_names)->elts;
+@@ -1527,7 +1527,7 @@ int pr_auth_getgroups(pool *p, const char *name, array_header **group_ids,
+     }
+   }
+ 
+-  if (cmd->tmp_pool) {
++  if (cmd->tmp_pool != NULL) {
+     destroy_pool(cmd->tmp_pool);
+     cmd->tmp_pool = NULL;
+   }
+diff --git a/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm b/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm
+index 08c1542..42ba967 100644
+--- a/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm
++++ b/tests/t/lib/ProFTPD/Tests/Modules/mod_sql_sqlite.pm
+@@ -467,6 +467,11 @@ my $TESTS = {
+     order => ++$order,
+     test_class => [qw(forking bug mod_tls)],
+   },
++
++  sql_user_info_no_suppl_groups_issue1830 => {
++    order => ++$order,
++    test_class => [qw(forking bug rootprivs)],
++  },
+ };
+ 
+ sub new {
+@@ -15764,4 +15769,173 @@ EOC
+   test_cleanup($setup->{log_file}, $ex);
+ }
+ 
++sub sql_user_info_no_suppl_groups_issue1830 {
++  my $self = shift;
++  my $tmpdir = $self->{tmpdir};
++  my $setup = test_setup($tmpdir, 'sqlite');
++
++  my $db_file = File::Spec->rel2abs("$tmpdir/proftpd.db");
++
++  # Build up sqlite3 command to create users, groups tables and populate them
++  my $db_script = File::Spec->rel2abs("$tmpdir/proftpd.sql");
++
++  if (open(my $fh, "> $db_script")) {
++    print $fh <<EOS;
++CREATE TABLE users (
++  userid TEXT,
++  passwd TEXT,
++  uid INTEGER,
++  gid INTEGER,
++  homedir TEXT,
++  shell TEXT
++);
++INSERT INTO users (userid, passwd, uid, gid, homedir, shell) VALUES ('$setup->{user}', '$setup->{passwd}', $setup->{uid}, $setup->{gid}, '$setup->{home_dir}', '/bin/bash');
++
++CREATE TABLE groups (
++  groupname TEXT,
++  gid INTEGER,
++  members TEXT
++);
++INSERT INTO groups (groupname, gid, members) VALUES ('$setup->{group}', $setup->{gid}, '$setup->{user}');
++EOS
++
++    unless (close($fh)) {
++      die("Can't write $db_script: $!");
++    }
++
++  } else {
++    die("Can't open $db_script: $!");
++  }
++
++  my $cmd = "sqlite3 $db_file < $db_script";
++  build_db($cmd, $db_script);
++
++  # Make sure that, if we're running as root, the database file has
++  # the permissions/privs set for use by proftpd
++  if ($< == 0) {
++    unless (chmod(0666, $db_file)) {
++      die("Can't set perms on $db_file to 0666: $!");
++    }
++  }
++
++  my $config = {
++    PidFile => $setup->{pid_file},
++    ScoreboardFile => $setup->{scoreboard_file},
++    SystemLog => $setup->{log_file},
++    TraceLog => $setup->{log_file},
++    Trace => 'auth:20 sql:20',
++
++    # Required for logging the expected message
++    DebugLevel => 5,
++
++    IfModules => {
++      'mod_delay.c' => {
++        DelayEngine => 'off',
++      },
++
++      'mod_sql.c' => {
++        AuthOrder => 'mod_sql.c',
++
++        SQLAuthenticate => 'users',
++        SQLAuthTypes => 'plaintext',
++        SQLBackend => 'sqlite3',
++        SQLConnectInfo => $db_file,
++        SQLLogFile => $setup->{log_file},
++
++        # Set these, so that our lower UID/GID will be used
++        SQLMinUserUID => 100,
++        SQLMinUserGID => 100,
++      },
++    },
++  };
++
++  my ($port, $config_user, $config_group) = config_write($setup->{config_file},
++    $config);
++
++  # Open pipes, for use between the parent and child processes.  Specifically,
++  # the child will indicate when it's done with its test by writing a message
++  # to the parent.
++  my ($rfh, $wfh);
++  unless (pipe($rfh, $wfh)) {
++    die("Can't open pipe: $!");
++  }
++
++  my $ex;
++
++  # Fork child
++  $self->handle_sigchld();
++  defined(my $pid = fork()) or die("Can't fork: $!");
++  if ($pid) {
++    eval {
++      sleep(2);
++
++      my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port);
++      $client->login($setup->{user}, $setup->{passwd});
++
++      my $resp_msgs = $client->response_msgs();
++      my $nmsgs = scalar(@$resp_msgs);
++
++      my $expected = 1;
++      $self->assert($expected == $nmsgs,
++        test_msg("Expected $expected, got $nmsgs"));
++
++      $expected = "User $setup->{user} logged in";
++      $self->assert($expected eq $resp_msgs->[0],
++        test_msg("Expected response '$expected', got '$resp_msgs->[0]'"));
++
++      $client->quit();
++    };
++    if ($@) {
++      $ex = $@;
++    }
++
++    $wfh->print("done\n");
++    $wfh->flush();
++
++  } else {
++    eval { server_wait($setup->{config_file}, $rfh) };
++    if ($@) {
++      warn($@);
++      exit 1;
++    }
++
++    exit 0;
++  }
++
++  # Stop server
++  server_stop($setup->{pid_file});
++  $self->assert_child_ok($pid);
++
++  eval {
++    if (open(my $fh, "< $setup->{log_file}")) {
++      my $ok = 0;
++
++      while (my $line = <$fh>) {
++        chomp($line);
++
++        if ($ENV{TEST_VERBOSE}) {
++          print STDERR "# $line\n";
++        }
++
++        if ($line =~ /no supplemental groups found for user '$setup->{user}', using primary group/) {
++          $ok = 1;
++          last;
++        }
++      }
++
++      close($fh);
++
++      $self->assert($ok, test_msg("Did not see expected log message"));
++
++    } else {
++      die("Can't read $setup->{log_file}: $!");
++    }
++  };
++  if ($@) {
++    $ex = $@ unless $ex;
++  }
++
++  test_cleanup($setup->{log_file}, $ex);
++}
++
+ 1;
+-- 
+2.33.0

huawei-proftpd-service-add-restart.patch

@@ -0,0 +1,24 @@
+From 39d7026876e29020dde52655927e73bf6f98f5ff Mon Sep 17 00:00:00 2001
+From: chengyechun <chengyechun1@huawei.com>
+Date: Wed, 3 Jan 2024 03:18:36 +0000
+Subject: [PATCH] huawei-proftpd-service-add-restart
+
+---
+ contrib/dist/rpm/proftpd.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/contrib/dist/rpm/proftpd.service b/contrib/dist/rpm/proftpd.service
+index 6c81db3..14ae9e5 100644
+--- a/contrib/dist/rpm/proftpd.service
++++ b/contrib/dist/rpm/proftpd.service
+@@ -11,6 +11,7 @@ ExecStartPre = /usr/sbin/proftpd --configtest
+ ExecStart = /usr/sbin/proftpd --nodaemon $PROFTPD_OPTIONS
+ ExecReload = /bin/kill -HUP $MAINPID
+ PIDFile = /run/proftpd/proftpd.pid
++Restart=on-failure
+ 
+ [Install]
+ WantedBy = multi-user.target
+-- 
+2.33.0
+

modules.conf

@@ -171,6 +171,10 @@ LoadModule mod_vroot.c
   LoadModule                    mod_qos.c
 </IfDefine>
 
+# Attempt to generate a unique ID for every FTP session
+# (http://www.proftpd.org/docs/contrib/mod_unique_id.html)
+#   LoadModule mod_unique_id.c
+#
 # Provide a flexible way of specifying that certain configuration directives
 # only apply to certain sessions, based on credentials such as connection
 # class, user, or group membership

proftpd-1.3.7a-Adjusting-unit-test-timeouts-for-netacl.patch

@@ -1,25 +0,0 @@
-From 27d632208163a73a0501e595fcdef0302cb44d8c Mon Sep 17 00:00:00 2001
-From: eaglegai <eaglegai@163.com>
-Date: Tue, 1 Jun 2021 17:21:55 +0800
-Subject: [PATCH] proftpd 1.3.7a Adjusting unit test timeouts for netacl
-
----
- tests/api/netacl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/tests/api/netacl.c b/tests/api/netacl.c
-index c4da486..86b628d 100644
---- a/tests/api/netacl.c
-+++ b/tests/api/netacl.c
-@@ -894,6 +894,8 @@ Suite *tests_get_netacl_suite(void) {
-   tcase_add_test(testcase, netacl_match_test);
-   tcase_add_test(testcase, netacl_get_negated_test);
- 
-+  tcase_set_timeout(testcase, 60);
-+
-   suite_add_tcase(suite, testcase);
-   return suite;
- }
--- 
-1.8.3.1
-

proftpd-1.3.7a-fix-environment-sensitive-tests-failure.patch

@@ -1,84 +0,0 @@
-diff -ruNa proftpd-1.3.7a/tests/api/netacl.c proftpd-1.3.7a-fix/tests/api/netacl.c
---- proftpd-1.3.7a/tests/api/netacl.c   2020-07-22 01:25:51.000000000 +0800
-+++ proftpd-1.3.7a-fix/tests/api/netacl.c       2021-01-13 14:44:00.679322360 +0800
-@@ -773,8 +773,10 @@
-   res = pr_netacl_match(acl, addr);
-   if (getenv("CI") == NULL &&
-       getenv("TRAVIS") == NULL) {
--    fail_unless(res == 1, "Failed to positively match ACL to addr: %s",
--      strerror(errno));
-+    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
-+      fail_unless(res == 1, "Failed to positively match ACL to addr: %s",
-+        strerror(errno));
-+    }
-   }
-
-   if (!have_localdomain) {
-@@ -790,8 +790,10 @@
-   res = pr_netacl_match(acl, addr);
-   if (getenv("CI") == NULL &&
-       getenv("TRAVIS") == NULL) {
--    fail_unless(res == -1, "Failed to negatively match ACL to addr: %s",
--      strerror(errno));
-+    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
-+      fail_unless(res == -1, "Failed to negatively match ACL to addr: %s",
-+        strerror(errno));
-+    }
-   }
-
-   acl_str = "!www.google.com";
-@@ -816,8 +816,10 @@
-   res = pr_netacl_match(acl, addr);
-   if (getenv("CI") == NULL &&
-       getenv("TRAVIS") == NULL) {
--    fail_unless(res == 1, "Failed to positively match ACL to addr: %s",
--      strerror(errno));
-+    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
-+      fail_unless(res == 1, "Failed to positively match ACL to addr: %s",
-+        strerror(errno));
-+    }
-   }
-
-   if (!have_localdomain) {
-@@ -833,8 +835,10 @@
-   res = pr_netacl_match(acl, addr);
-   if (getenv("CI") == NULL &&
-       getenv("TRAVIS") == NULL) {
--    fail_unless(res == -1, "Failed to negatively match ACL to addr: %s",
--      strerror(errno));
-+    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
-+      fail_unless(res == -1, "Failed to negatively match ACL to addr: %s",
-+        strerror(errno));
-+    }
-   }
-
-   acl_str = "!www.g*g.com";
-diff -ruNa proftpd-1.3.7a/tests/api/netaddr.c proftpd-1.3.7a-fix/tests/api/netaddr.c
---- proftpd-1.3.7a/tests/api/netaddr.c  2021-01-13 14:30:47.467322360 +0800
-+++ proftpd-1.3.7a-fix/tests/api/netaddr.c      2021-01-13 14:42:45.851322360 +0800
-@@ -417,7 +417,9 @@
-   if (getenv("CI") == NULL &&
-       getenv("TRAVIS") == NULL) {
-     /* This test is sensitive the environment. */
--    fail_unless(res == TRUE, "Expected TRUE, got %d", res);
-+    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
-+      fail_unless(res == TRUE, "Expected TRUE, got %d", res);
-+    }
-   }
-
-   flags = PR_NETADDR_MATCH_IP;
-@@ -879,9 +881,11 @@
-   if (getenv("CI") == NULL &&
-       getenv("TRAVIS") == NULL) {
-     /* This test is sensitive the environment. */
--    fail_unless(strcmp(res, "localhost") == 0 ||
--                strcmp(res, "localhost.localdomain") == 0,
--      "Expected '%s', got '%s'", "localhost or localhost.localdomain", res);
-+    if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
-+      fail_unless(strcmp(res, "localhost") == 0 ||
-+                  strcmp(res, "localhost.localdomain") == 0,
-+        "Expected '%s', got '%s'", "localhost or localhost.localdomain", res);
-+    }
-   }
- }
- END_TEST

proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch

@@ -0,0 +1,105 @@
+From cb0e408e8b82fa8c198d9dd95e5818d8431e9fd5 Mon Sep 17 00:00:00 2001
+From: chen-jan <chen_aka_jan@163.com>
+Date: Tue, 11 Apr 2023 16:55:34 +0800
+Subject: [PATCH] proftpd-1.3.8-fix-environment-sensitive-tests-failure
+
+---
+ tests/api/netacl.c  | 8 ++++++++
+ tests/api/netaddr.c | 6 ++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/tests/api/netacl.c b/tests/api/netacl.c
+index e4b0431..b91ecdb 100644
+--- a/tests/api/netacl.c
++++ b/tests/api/netacl.c
+@@ -775,8 +775,10 @@ START_TEST (netacl_match_test) {
+   res = pr_netacl_match(acl, addr);
+   if (getenv("CI") == NULL &&
+       getenv("TRAVIS") == NULL) {
++     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
+     ck_assert_msg(res == 1, "Failed to positively match ACL to addr: %s",
+       strerror(errno));
++     }
+   }
+ 
+   if (!have_localdomain) {
+@@ -793,8 +795,10 @@ START_TEST (netacl_match_test) {
+   res = pr_netacl_match(acl, addr);
+   if (getenv("CI") == NULL &&
+       getenv("TRAVIS") == NULL) {
++     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
+     ck_assert_msg(res == -1, "Failed to negatively match ACL to addr: %s",
+       strerror(errno));
++     }
+   }
+ 
+   acl_str = "!www.google.com";
+@@ -820,8 +824,10 @@ START_TEST (netacl_match_test) {
+   res = pr_netacl_match(acl, addr);
+   if (getenv("CI") == NULL &&
+       getenv("TRAVIS") == NULL) {
++     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
+     ck_assert_msg(res == 1, "Failed to positively match ACL to addr: %s",
+       strerror(errno));
++     }
+   }
+ 
+   if (!have_localdomain) {
+@@ -838,8 +844,10 @@ START_TEST (netacl_match_test) {
+   res = pr_netacl_match(acl, addr);
+   if (getenv("CI") == NULL &&
+       getenv("TRAVIS") == NULL) {
++     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
+     ck_assert_msg(res == -1, "Failed to negatively match ACL to addr: %s",
+       strerror(errno));
++     }
+   }
+ 
+   acl_str = "!www.g*g.com";
+diff --git a/tests/api/netaddr.c b/tests/api/netaddr.c
+index e79b06c..b7dbeaf 100644
+--- a/tests/api/netaddr.c
++++ b/tests/api/netaddr.c
+@@ -424,8 +424,10 @@ START_TEST (netaddr_fnmatch_test) {
+   res = pr_netaddr_fnmatch(addr, "LOCAL*", flags);
+   if (getenv("CI") == NULL &&
+       getenv("TRAVIS") == NULL) {
++     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
+     /* This test is sensitive the environment. */
+     ck_assert_msg(res == TRUE, "Expected TRUE, got %d", res);
++    }
+   }
+ 
+   flags = PR_NETADDR_MATCH_IP;
+@@ -887,10 +889,12 @@ START_TEST (netaddr_get_dnsstr_test) {
+    */
+   if (getenv("CI") == NULL &&
+       getenv("TRAVIS") == NULL) {
++     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
+     /* This test is sensitive the environment. */
+     ck_assert_msg(strcmp(res, "localhost") == 0 ||
+                 strcmp(res, "localhost.localdomain") == 0,
+       "Expected '%s', got '%s'", "localhost or localhost.localdomain", res);
++     }
+   }
+ }
+ END_TEST
+@@ -1011,6 +1015,7 @@ START_TEST (netaddr_get_dnsstr_ipv6_test) {
+    */
+   if (getenv("CI") == NULL &&
+       getenv("TRAVIS") == NULL) {
++     if(strcmp(getenv("HOSTNAME"), "localhost") == 0 || strcmp(getenv("HOSTNAME"), "localhost.localdomain") == 0) {
+     ck_assert_msg(strcmp(res, "localhost") == 0 ||
+                 strcmp(res, "localhost.localdomain") == 0 ||
+                 strcmp(res, "localhost6") == 0 ||
+@@ -1019,6 +1024,7 @@ START_TEST (netaddr_get_dnsstr_ipv6_test) {
+                 strcmp(res, "ip6-loopback") == 0 ||
+                 strcmp(res, ip) == 0,
+       "Expected '%s', got '%s'", "localhost, localhost.localdomain et al", res);
++     }
+   }
+ }
+ END_TEST
+-- 
+2.39.1
+

proftpd-1.3.8-shellbang.patch

@@ -4,7 +4,7 @@
 -#!/usr/bin/env perl
 +#!/usr/bin/perl
  # ---------------------------------------------------------------------------
- # Copyright (C) 2000-2020 TJ Saunders <tj@castaglia.org>
+ # Copyright (C) 2000-2021 TJ Saunders <tj@castaglia.org>
  #
 --- contrib/ftpmail
 +++ contrib/ftpmail

proftpd.spec

@@ -16,13 +16,13 @@
 # Dynamic modules contain references to symbols in main daemon, so we need to disable linker checks for undefined symbols
 %undefine _strict_symbol_defs_build
 
-%global mod_vroot_version 0.9.9
+%global mod_vroot_version 0.9.11
 
 %global vendor %{?_vendor:%{_vendor}}%{!?_vendor:openEuler}
 
 Name:			proftpd
-Version:		1.3.7c
-Release:		4
+Version:		1.3.8b
+Release:		5
 Summary:		Flexible, stable and highly-configurable FTP server
 License:		GPLv2+
 URL:			http://www.proftpd.org/
@@ -38,14 +38,15 @@ Source8:		proftpd-welcome.msg
 Source9:		proftpd.sysconfig
 Source10:		http://github.com/Castaglia/proftpd-mod_vroot/archive/v%{mod_vroot_version}.tar.gz
 
-Patch1:			proftpd-1.3.7-shellbang.patch
+Patch1:			proftpd-1.3.8-shellbang.patch
 Patch2:			proftpd.conf-no-memcached.patch
 Patch3:			proftpd-1.3.4rc1-mod_vroot-test.patch
 Patch4:			proftpd-1.3.6-no-mod-wrap.patch
 Patch5:			proftpd-1.3.6-no-mod-geoip.patch
 Patch6:			proftpd-1.3.7rc3-logging-not-systemd.patch
-Patch7: 		proftpd-1.3.7a-Adjusting-unit-test-timeouts-for-netacl.patch
-Patch8: 		proftpd-1.3.7a-fix-environment-sensitive-tests-failure.patch
+Patch7:			proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch
+Patch8: 		huawei-proftpd-service-add-restart.patch
+Patch9: 		backport-CVE-2024-48651.patch
 
 BuildRequires:		coreutils
 BuildRequires:		gcc
@@ -70,6 +71,10 @@ BuildRequires:		sqlite-devel
 BuildRequires:		tar
 BuildRequires:		zlib-devel
 BuildRequires:		chrpath
+BuildRequires:		libidn2-devel
+BuildRequires:		libmemcached-devel >= 0.41
+BuildRequires:		pcre2-devel >= 10.30
+BuildRequires:		tcp_wrappers-devel
 
 # Test suite requirements
 BuildRequires:		check-devel
@@ -107,6 +112,8 @@ Requires(preun):	chkconfig, initscripts
 Requires(postun):	initscripts
 %endif
 
+Requires:               coreutils
+
 Provides:		ftpserver
 
 %description
@@ -143,6 +150,10 @@ Requires:	postgresql-devel
 %endif
 Requires:	sqlite-devel
 Requires:	zlib-devel
+Requires:	libmemcached-devel >= 0.41
+Requires:	pcre2-devel >= 10.30
+Requires:	tcp_wrappers-devel
+
 
 %description devel
 This package is required to build additional modules for ProFTPD.
@@ -244,6 +255,7 @@ sed -i -e '/killall/s/test.*/systemctl reload proftpd.service/' \
 
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 # Avoid docfile dependencies
 chmod -c -x contrib/xferstats.holger-preiss
@@ -272,6 +284,8 @@ SMOD7=mod_unique_id
 			--libexecdir="%{_libexecdir}/proftpd" \
 			--localstatedir="%{rundir}/proftpd" \
 			--disable-strip \
+			--enable-memcache \
+			--enable-pcre2 \
 			--enable-ctrls \
 			--enable-dso \
 			--enable-facl \
@@ -352,6 +366,10 @@ fi
 %endif
 
 %post
+if [ ! -f /var/run/proftpd/proftpd.delay ]; then
+  touch /var/run/proftpd/proftpd.delay
+fi
+chcon -t user_home_t /var/run/proftpd/proftpd.delay
 %if %{use_systemd}
 systemctl daemon-reload &>/dev/null || :
 %endif
@@ -375,6 +393,7 @@ fi
 %preun
 if [ $1 -eq 0 ]; then
 	# Package removal, not upgrade
+        rm -rf /var/run/proftpd/proftpd.delay
 %if %{use_systemd}
 	systemctl --no-reload disable proftpd.service &>/dev/null || :
 	systemctl stop proftpd.service &>/dev/null || :
@@ -527,6 +546,30 @@ fi
 %{_mandir}/man1/ftpwho.1*
 
 %changelog
+* Mon Nov Dec 2024 liningjie <liningjie@xfusion.com> - 1.3.8b-5
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2024-48651
+
+* Fri Jan 12 2024 chengyechun <chengyechun1@huawei.com> - 1.3.8b-4
+- Type:requirement
+- ID:NA
+- SUG:NA
+- DESC:add Restart in proftpd.service
+
+* Fri Jan 05 2024 Ge Wang <wang__ge@126.com> - 1.3.8b-3
+- Fix service error message due to selinux policy mismatch
+
+* Fri Dec 29 2023 wangkai <13474090681@163.com> - 1.3.8b-2
+- Adjust patch number
+
+* Tue Dec 26 2023 wangkai <13474090681@163.com> - 1.3.8b-1
+- Update to 1.3.8b for fix CVE-2023-51713,CVE-2023-48795
+
+* Tue Apr 11 2023 chenchen <chen_aka_jan@163.com> - 1.3.8-1
+- Update to 1.3.8
+
 * Fri Nov 18 2022 caodongxia <caodongxia@h-partners.com> - 1.3.7c-4
 - Replace openEuler with vendor macro