Package: pure-ftpd-mysql
Severity: important

Hello,

Pure-ftpd fails to start on newer MariaDB versions (>=10.2) due to an issue
with my_make_scrambled_password. Full comment by MariaDB developers below. More
info at
https://jira.mariadb.org/browse/MDEV-12889?focusedCommentId=97156&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-97156

Quoted comment:
"There is definitely an issue with pureftpd. Or, rather, there was. Here's the
full story:

In its early days, say, about 20 years ago, libmysqlclient did not version
symbols and did not limit their visibility. Some functions were documented —
they were client API, and we promised to keep them stable, working over years.
Other functions were not documented, they were internal, no promises. But they
were exported and available too.

Later, in MariaDB time, we took a closer look at that. RedHat was versioning
libmysqlclient symbols. Old symbols from libmysqlclient.so.16.0.0 had the
version libmysqlclient_16, newer symbols had the version libmysqlclient_18.
Internal symbols were hidden, with few exceptions. One such exception was
my_make_scrambled_password, because pureftpd started using it since the old
days, when everything was kind of allowed. Debian had a different, simpler (and
less correct) approach to versioning, all symbols had libmysqlclient_18
version. In MariaDB we managed to create a library compatible with both
approaches. my_make_scrambled_password was not hidden, with the comment "for
pureftpd".

Now, a couple of days ago, I wanted to report this bug to pureftpd, to have it
finally fixed and not use internal non-public libmysqlclient symbols. And I
found that the pureftpd source has this:

# ifdef HAVE_MY_MAKE_SCRAMBLED_PASSWORD
        my_make_scrambled_password(scrambled_password, password,
                                   strlen(password));
# elif defined(HAVE_MAKE_SCRAMBLED_PASSWORD)
        make_scrambled_password(scrambled_password, password);
# else
        {
            SHA1_CTX       ctx;
            unsigned char  h0[20], h1[20];
            char          *p;

            SHA1Init(&ctx);
            SHA1Update(&ctx, password, strlen(password));
            SHA1Final(h0, &ctx);
            SHA1Init(&ctx);
            SHA1Update(&ctx, h0, sizeof h0);
            pure_memzero(h0, sizeof h0);
            SHA1Final(h1, &ctx);
            *scrambled_password = '*';
            hexify(scrambled_password + 1U, h1,
                   (sizeof scrambled_password) - 1U, sizeof h1);
            *(p = scrambled_password) = '*';
            while (*p++ != 0) {
                *p = (char) toupper((unsigned char) *p);
            }
        }
# endif

That is, it only uses make_scrambled_password if it's available, otherwise it
can perfectly do without. So, now it's a Debian bug, because they build pureftpd
to use internal libmysqlclient symbols, while they can perfectly avoid that.

Even more, I've found that in the latest pureftpd sources on github, they've
removed this ifdef and don't use make_scrambled_password at all anymore.
https://github.com/jedisct1/pure-ftpd/commit/27443b29320d85352d8b52c0120836843e10c0f9

So it was a pureftpd issue, and they've fixed it.
Sergei Golubchik
Missing versioning is our issue and we'll fix it." - Sergei Golubchik


Waiting for the newer version to trickle down through the normal release cycle
would mean that everyone who uses pure-ftpd with newer MariaDB servers will
wait at least a couple of years for a solution, which in production
environments is not an acceptable solution. The easiest solution would be to
provide an up-to-date version through debian-backports, or alternatively bump
up the package in Debian stable to the latest version through an exception to
the normal release schedule.
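Added example, not code from pure-ftpd, MariaDB or this bug report: the fallback branch quoted above computes a MySQL-style scrambled password without touching libmysqlclient internals, and this Python reproduces that format ('*' followed by the uppercase hex of SHA1(SHA1(password)), which is what the two SHA1 passes, hexify() and toupper() in the snippet produce). It goes one step beyond the report by also showing how a server uses that stored double hash in the mysql_native_password challenge/response, so an administrator can confirm that a hash written by the fallback still authenticates. The function names, the sample passwords and the 20-byte salt are constructed for the example; the hash format and the scramble formula are the documented mysql_native_password scheme.

```python
"""
Added example (not pure-ftpd or MariaDB code).

Reproduces the stored-hash format the pure-ftpd fallback computes and
checks it the way a mysql_native_password server does, with only the
stored double hash (never the plaintext) on the server side.
"""
import hashlib
import hmac
import os


def make_scrambled_password(password: str) -> str:
    """Equivalent of the quoted fallback: '*' + HEX(SHA1(SHA1(password))).upper()."""
    h0 = hashlib.sha1(password.encode("utf-8")).digest()   # first SHA1 pass
    h1 = hashlib.sha1(h0).digest()                           # second SHA1 pass
    return "*" + h1.hex().upper()                            # '*' prefix, uppercase hex


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def client_response(password: str, salt: bytes) -> bytes:
    """What a mysql_native_password client sends for a 20-byte server salt:
    SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).digest()
    return _xor(stage1, hashlib.sha1(salt + stage2).digest())


def server_verify(stored_hash: str, salt: bytes, response: bytes) -> bool:
    """Server side: undo the XOR using only the stored double hash to recover
    SHA1(pw), then check that one more SHA1 reproduces the stored value.
    Rejects malformed stored hashes and wrong-length responses."""
    if len(stored_hash) != 41 or stored_hash[0] != "*":
        return False
    try:
        stage2 = bytes.fromhex(stored_hash[1:])
    except ValueError:
        return False
    if len(response) != 20:
        return False
    stage1_candidate = _xor(response, hashlib.sha1(salt + stage2).digest())
    # constant-time comparison of the recomputed double hash with the stored one
    return hmac.compare_digest(hashlib.sha1(stage1_candidate).digest(), stage2)


if __name__ == "__main__":
    # constructed sample: a password, its stored hash, and a random per-login salt
    pw = "s3cret-example"
    stored = make_scrambled_password(pw)
    salt = os.urandom(20)
    print("stored hash:", stored)
    print("correct password accepted:", server_verify(stored, salt, client_response(pw, salt)))
    print("wrong password rejected:", not server_verify(stored, salt, client_response("nope", salt)))
```

The stored value is exactly what MySQL's PASSWORD() produced for the mysql_native_password plugin, so hashes written by the fallback branch are interchangeable with ones generated by the server itself; the verification side shows why only the double hash needs to be stored.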




-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages pure-ftpd-mysql depends on:
ii  libc6                             2.24-11+deb9u1
ii  libcap2                           1:2.25-1
pn  libmariadbclient18                <none>
ii  libpam0g                          1.1.8-3.6
ii  libssl1.1                         1.1.0f-3+deb9u1
ii  lsb-base                          9.20161125
pn  openbsd-inetd | inet-superserver  <none>
pn  pure-ftpd-common                  <none>
ii  zlib1g                            1:1.2.8.dfsg-5

pure-ftpd-mysql recommends no packages.

pure-ftpd-mysql suggests no packages.
