Bug#697526: proftpd-basic: enhance root privilege dropping

Jann Horn jannhorn at googlemail.com
Sun Jan 6 15:28:07 UTC 2013


Package: proftpd-basic
Version: 1.3.4a-2+b1
Severity: normal

See upstream bug <http://bugs.proftpd.org/show_bug.cgi?id=3839>, which also includes
a patch.

Proftpd doesn't drop root privileges completely, so if an attacker is capable of performing a
remote code execution attack on proftpd, he can probably gain full access to the system although
proftpd tries to prevent this by dropping privileges. The upstream patch not only fixes the issue
but also adds a new configuration option - merely fixing the issue would take ~5 lines of code.

TJ Saunders classified this as an enhancement, not a bugfix, but I think that it is worth backporting
regardless of that.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages proftpd-basic depends on:
ii  adduser         3.113+nmu3
ii  debconf         1.5.49
ii  debianutils     4.3.2
ii  libacl1         2.2.51-8
ii  libc6           2.13-37
ii  libcap2         1:2.22-1.2
ii  libncurses5     5.9-10
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1
ii  libpcre3        1:8.30-5
ii  libssl1.0.0     1.0.1c-4
ii  libtinfo5       5.9-10
ii  libwrap0        7.6.q-24
ii  netbase         5.0
ii  sed             4.2.1-10
ii  ucf             3.0025+nmu3
ii  update-inetd    4.43
ii  zlib1g          1:1.2.7.dfsg-13

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
ii  openbsd-inetd [inet-superserver]  0.20091229-2
ii  openssl                           1.0.1c-4
pn  proftpd-doc                       <none>
pn  proftpd-mod-ldap                  <none>
pn  proftpd-mod-mysql                 <none>
pn  proftpd-mod-odbc                  <none>
pn  proftpd-mod-pgsql                 <none>
pn  proftpd-mod-sqlite                <none>

-- debconf information excluded
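As an added illustration of the point raised in the report (not code from proftpd or from the upstream patch), the following C program shows the difference between lowering only the effective UID/GID, which leaves the saved set-user-ID at 0 so the process can call seteuid(0) and become root again, and a complete drop that clears supplementary groups and sets the real, effective and saved IDs together, followed by the check a daemon should run afterwards. The target of 65534 for "nobody", the Linux-specific setresuid/setresgid/getresuid calls and the helper names are assumptions for this example only.

```c
#define _GNU_SOURCE            /* setresuid/getresuid on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Incomplete drop (what this bug is about, in spirit): only the effective
 * IDs change. The saved set-user-ID remains 0, so a compromised process can
 * later seteuid(0) and get root back. */
int drop_effective_only(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0) return -1;
    if (seteuid(uid) != 0) return -1;
    return 0;
}

/* Complete drop: supplementary groups first (needs root), then GIDs, then
 * UIDs, each time setting real, effective and saved together. Doing UIDs
 * last matters: once the UID is non-root we can no longer change groups. */
int drop_privileges_fully(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    return 0;
}

/* 1 if the saved set-user-ID is still root (re-escalation is possible),
 * 0 if not, -1 on error. */
int saved_uid_is_root(void)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return -1;
    return s == 0 ? 1 : 0;
}

/* The post-drop self check: all three UIDs and GIDs must equal the target,
 * and an attempt to regain root must fail. Returns 1 when fully dropped. */
int privs_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0) return 0;
    if (r != uid || e != uid || s != uid) return 0;
    if (rg != gid || eg != gid || sg != gid) return 0;
    /* Must fail with EPERM; if either succeeds the drop was incomplete. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return 0;
    return 1;
}

/* Drop to an assumed unprivileged target (65534 when started as root,
 * otherwise our own IDs so the checks still run unprivileged).
 * Returns 0 when the drop is verified complete, -1 otherwise. */
int demo_drop(void)
{
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges_fully(uid, gid) != 0) return -1;
    return (privs_fully_dropped(uid, gid) && saved_uid_is_root() == 0) ? 0 : -1;
}

int main(void)
{
    if (geteuid() == 0) {
        /* Show the weak variant first: root is recoverable. */
        if (drop_effective_only(65534, 65534) != 0) { perror("seteuid"); return 1; }
        printf("after effective-only drop: saved uid is root = %d\n", saved_uid_is_root());
        printf("seteuid(0) succeeds = %d\n", seteuid(0) == 0);
    } else {
        printf("not root; effective-only demo skipped\n");
    }
    printf("complete drop verified = %d\n", demo_drop() == 0);
    return 0;
}
```

Run as root the first two lines show that the effective-only drop can be undone; after the complete drop, privs_fully_dropped() confirms that setuid(0) and seteuid(0) are refused. The same self check is what a daemon should perform right after dropping, rather than trusting that the calls did what was intended.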
