On 02/03/2018 04:29 PM, Demetris Demetriou wrote:
> Package: pure-ftpd-mysql
> Severity: important
>
> Hello,
>
> Pure-ftpd fails to start on newer MariaDB versions (>=10.2) due to an issue
> with my_make_scrambled_password. Full comment by MariaDB developers below.
> More info at
> https://jira.mariadb.org/browse/MDEV-12889?focusedCommentId=97156&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-97156
>
> Quoted comment:
> "There is definitely an issue with pureftpd. Or, rather, there was. Here's the
> full story:
>
> In its early days, say, about 20 years ago, libmysqlclient did not version
> symbols and did not limit their visibility. Some functions were documented —
> they were client API, and we promised to keep them stable, working over years.
> Other functions were not documented, they were internal, no promises. But they
> were exported and available too.
>
> Later, in MariaDB time, we took a closer look at that. RedHat was versioning
> libmysqlclient symbols. Old symbols from libmysqlclient.so.16.0.0 had the
> version libmysqlclient_16, newer symbols had the version libmysqlclient_18.
> Internal symbols were hidden, with few exceptions. One of such exceptions was
> my_make_scrambled_password, because pureftpd started using it since the old
> days, when everything was kind of allowed. Debian had a different, simpler
> (and less correct) approach to versioning, all symbols had libmysqlclient_18
> version. In MariaDB we managed to create a library compatible with both
> approaches. my_make_scrambled_password was not hidden, with the comment "for
> pureftpd".
>
> Now, a couple of days ago, I wanted to report this bug to pureftpd, to have it
> finally fixed and not use internal non-public libmysqlclient symbols. And I
> found that pureftpd source has this:
>
> # ifdef HAVE_MY_MAKE_SCRAMBLED_PASSWORD
>     /* internal libmysqlclient symbol: exported, but never public client API */
>     my_make_scrambled_password(scrambled_password, password, strlen(password));
> # elif defined(HAVE_MAKE_SCRAMBLED_PASSWORD)
>     make_scrambled_password(scrambled_password, password);
> # else
>     /* fallback: "*" + uppercase hex of SHA1(SHA1(password)), no libmysqlclient needed */
>     {
>         SHA1_CTX ctx;
>         unsigned char h0[20], h1[20];
>         char *p;
>
>         SHA1Init(&ctx);
>         SHA1Update(&ctx, password, strlen(password));
>         SHA1Final(h0, &ctx);
>         SHA1Init(&ctx);
>         SHA1Update(&ctx, h0, sizeof h0);
>         pure_memzero(h0, sizeof h0);
>         SHA1Final(h1, &ctx);
>         *scrambled_password = '*';
>         hexify(scrambled_password + 1U, h1, (sizeof scrambled_password) - 1U, sizeof h1);
>         *(p = scrambled_password) = '*';
>         while (*p++ != 0) {
>             *p = (char) toupper((unsigned char) *p);
>         }
>     }
> # endif
> That is, it only uses make_scrambled_password if it's available, otherwise it
> can perfectly do without. So, now it's a Debian bug, because they build pureftpd
> to use internal libmysqlclient symbols, while they perfectly can avoid that.
>
> Even more, I've found that in the latest pureftpd sources on github, they've
> removed this ifdef and don't use make_scrambled_password at all anymore.
> https://github.com/jedisct1/pure-ftpd/commit/27443b29320d85352d8b52c0120836843e10c0f9
>
> So it was a pureftpd issue, and they've fixed it.
> Sergei Golubchik
> Missing versioning is our issue and we'll fix it." - Sergei Golubchik
>
>
> Waiting for the newer version to trickle down through the normal release cycle
> would mean that everyone who uses pure-ftpd with newer MariaDB servers will
> wait at least a couple of years for a solution, which in production
> environments is not an acceptable solution. The easiest solution would be to
> provide an up-to-date version through debian-backports, or alternatively bump
> up the package in Debian stable to the latest version through an exception to
> the normal release schedule.
>
Hello Demetris,
I will check out your suggestions on how to solve these problems.
Thanks for your report.
Regards
Racke
>
>
>
> -- System Information:
> Debian Release: 9.3
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
> LANGUAGE=en_US:en (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages pure-ftpd-mysql depends on:
> ii libc6 2.24-11+deb9u1
> ii libcap2 1:2.25-1
> pn libmariadbclient18 <none>
> ii libpam0g 1.1.8-3.6
> ii libssl1.1 1.1.0f-3+deb9u1
> ii lsb-base 9.20161125
> pn openbsd-inetd | inet-superserver <none>
> pn pure-ftpd-common <none>
> ii zlib1g 1:1.2.8.dfsg-5
>
> pure-ftpd-mysql recommends no packages.
>
> pure-ftpd-mysql suggests no packages.
>
--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
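The fallback branch quoted in the bug report is the whole of what my_make_scrambled_password produced for pure-ftpd: the mysql_native_password column format, "*" followed by the uppercase hex of SHA1(SHA1(password)). The example below is added here and is not pure-ftpd's or MariaDB's code; it recomputes that format in Python so an administrator can confirm that a build without the private libmysqlclient symbol still verifies the same stored hashes. The sample row and the function names are constructed for the illustration.

```python
import hashlib
import hmac


def mysql_native_scramble(password: str) -> str:
    """Return '*' + uppercase hex of SHA1(SHA1(password)).

    This is the mysql_native_password format, the same value the pure-ftpd
    fallback builds with SHA1Init/SHA1Update/SHA1Final, hexify() and
    toupper(). No libmysqlclient symbol is needed to produce it.
    """
    h0 = hashlib.sha1(password.encode("utf-8")).digest()  # first SHA-1 pass
    h1 = hashlib.sha1(h0).digest()  # second pass over the raw 20-byte digest
    return "*" + h1.hex().upper()


def password_matches(stored_hash: str, candidate: str) -> bool:
    """Check a login attempt against a stored mysql_native_password hash.

    hmac.compare_digest keeps the comparison constant-time, so response
    timing does not leak how many leading hash characters matched.
    """
    # Reject anything that is not a 41-char native hash (empty column,
    # legacy 16-char pre-4.1 format, etc.) instead of guessing a format.
    if len(stored_hash) != 41 or not stored_hash.startswith("*"):
        return False
    return hmac.compare_digest(stored_hash.upper(), mysql_native_scramble(candidate))


# Constructed sample row: the hash is SHA1(SHA1("password")), which is what
# MySQL's PASSWORD('password') yields, as stored by a typical pure-ftpd setup.
SAMPLE_ROW = {"User": "alice", "Password": "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"}

if __name__ == "__main__":
    print(mysql_native_scramble("password"))
    print(password_matches(SAMPLE_ROW["Password"], "password"))  # True
    print(password_matches(SAMPLE_ROW["Password"], "Password"))  # False
```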