Bug#697526: proftpd-basic: enhance root privilege dropping
Jann Horn
jannhorn at googlemail.com
Sun Jan 6 15:28:07 UTC 2013
Package: proftpd-basic
Version: 1.3.4a-2+b1
Severity: normal
See upstream bug <http://bugs.proftpd.org/show_bug.cgi?id=3839>, which also includes
a patch.
Proftpd doesn't drop root privileges completely, so if an attacker is capable of performing a
remote code execution attack on proftpd, he can probably gain full access to the system although
proftpd tries to prevent this by dropping privileges. The upstream patch not only fixes the issue
but also adds a new configuration option - merely fixing the issue would take ~5 lines of code.
TJ Saunders classified this as an enhancement, not a bugfix, but I think that it is worth backporting
regardless of that.
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.6.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages proftpd-basic depends on:
ii adduser 3.113+nmu3
ii debconf 1.5.49
ii debianutils 4.3.2
ii libacl1 2.2.51-8
ii libc6 2.13-37
ii libcap2 1:2.22-1.2
ii libncurses5 5.9-10
ii libpam-runtime 1.1.3-7.1
ii libpam0g 1.1.3-7.1
ii libpcre3 1:8.30-5
ii libssl1.0.0 1.0.1c-4
ii libtinfo5 5.9-10
ii libwrap0 7.6.q-24
ii netbase 5.0
ii sed 4.2.1-10
ii ucf 3.0025+nmu3
ii update-inetd 4.43
ii zlib1g 1:1.2.7.dfsg-13
proftpd-basic recommends no packages.
Versions of packages proftpd-basic suggests:
ii openbsd-inetd [inet-superserver] 0.20091229-2
ii openssl 1.0.1c-4
pn proftpd-doc <none>
pn proftpd-mod-ldap <none>
pn proftpd-mod-mysql <none>
pn proftpd-mod-odbc <none>
pn proftpd-mod-pgsql <none>
pn proftpd-mod-sqlite <none>
-- debconf information excluded
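The report above describes an incomplete privilege drop. The following C routine is an added illustration (written for this page, not taken from the bug report or from proftpd's upstream patch) of the difference between a reversible drop (seteuid only) and a complete one, with a self-check that root cannot be regained afterwards. The target ids used in main(), including the fallback to 65534 as "nobody", are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid irreversibly and verify it. Returns 0 on success, -1 if
 * the drop failed or proved reversible. The incomplete pattern this guards
 * against is calling only seteuid(uid): that leaves the saved set-user-ID
 * at 0, so a later seteuid(0) restores root. Setting real, effective and
 * saved ids together closes that path. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (uid == 0) { errno = EINVAL; return -1; }  /* "dropping" to root is not a drop */
    /* Supplementary groups are untouched by setresgid: clear them while still root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Groups before uids: once the uid is unprivileged, setresgid is refused. */
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify all three ids of each kind hold the target value... */
    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != uid || euid != uid || suid != uid ||
        rgid != gid || egid != gid || sgid != gid) { errno = EPERM; return -1; }
    /* ...and that regaining root now fails (both calls must return -1). */
    if (seteuid(0) == 0 || setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    /* Demo target: the caller's own ids, or 65534 (assumed to be "nobody")
     * when started as root. A daemon would use its dedicated account. */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getuid() ? getgid() : 65534;
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("dropped to uid=%u gid=%u; root cannot be regained\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run once as an unprivileged user and once as root to see both paths; in both cases the final check confirms that seteuid(0) and setuid(0) are refused.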