[proftpd-dfsg] 02/02: Added backported fix for CVE-2015-3306

Francesco Lovergine frankie at moszumanska.debian.org
Thu Apr 23 12:57:04 UTC 2015


This is an automated email from the git hooks/post-receive script.

frankie pushed a commit to branch master
in repository proftpd-dfsg.

commit de13ef140b787501e60a23783ecfdcef3b1c1406
Author: Francesco Paolo Lovergine <frankie at debian.org>
Date:   Thu Apr 23 14:56:26 2015 +0200

    Added backported fix for CVE-2015-3306
---
 debian/patches/CVE-2015-3306 | 610 +++++++++++++++++++++++++++++++++++++++++++
 debian/patches/series        |   1 +
 2 files changed, 611 insertions(+)

diff --git a/debian/patches/CVE-2015-3306 b/debian/patches/CVE-2015-3306
new file mode 100644
index 0000000..306fbb6
--- /dev/null
+++ b/debian/patches/CVE-2015-3306
@@ -0,0 +1,610 @@
+Index: proftpd-dfsg/contrib/mod_copy.c
+===================================================================
+--- proftpd-dfsg.orig/contrib/mod_copy.c
++++ proftpd-dfsg/contrib/mod_copy.c
+@@ -2,7 +2,7 @@
+  * ProFTPD: mod_copy -- a module supporting copying of files on the server
+  *                      without transferring the data to the client and back
+  *
+- * Copyright (c) 2009-2012 TJ Saunders
++ * Copyright (c) 2009-2015 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -25,13 +25,11 @@
+  *
+  * This is mod_copy, contrib software for proftpd 1.3.x and above.
+  * For more information contact TJ Saunders <tj at castaglia.org>.
+- *
+- * $Id: mod_copy.c,v 1.8 2012/12/27 22:31:29 castaglia Exp $
+  */
+ 
+ #include "conf.h"
+ 
+-#define MOD_COPY_VERSION	"mod_copy/0.4"
++#define MOD_COPY_VERSION	"mod_copy/0.5"
+ 
+ /* Make sure the version of proftpd is as necessary. */
+ #if PROFTPD_VERSION_NUMBER < 0x0001030401
+@@ -40,6 +38,8 @@
+ 
+ extern pr_response_t *resp_list, *resp_err_list;
+ 
++static int copy_engine = TRUE;
++
+ static const char *trace_channel = "copy";
+ 
+ /* These are copied largely from src/mkhome.c */
+@@ -165,7 +165,7 @@ static int copy_symlink(pool *p, const c
+       src_path, strerror(xerrno));
+ 
+     errno = xerrno;
+-    return -1;
++    return -1; 
+   }
+   link_path[len] = '\0';
+ 
+@@ -471,10 +471,37 @@ static int copy_paths(pool *p, const cha
+   return 0;
+ }
+ 
++/* Configuration handlers
++ */
++
++/* usage: CopyEngine on|off */
++MODRET set_copyengine(cmd_rec *cmd) {
++  int engine = -1;
++  config_rec *c;
++
++  CHECK_ARGS(cmd, 1);
++  CHECK_CONF(cmd, CONF_ROOT|CONF_VIRTUAL|CONF_GLOBAL);
++
++  engine = get_boolean(cmd, 1);
++  if (engine == -1) {
++    CONF_ERROR(cmd, "expected Boolean parameter");
++  }
++
++  c = add_config_param(cmd->argv[0], 1, NULL);
++  c->argv[0] = palloc(c->pool, sizeof(int));
++  *((int *) c->argv[0]) = engine;
++
++  return PR_HANDLED(cmd);
++}
++
+ /* Command handlers
+  */
+ 
+ MODRET copy_copy(cmd_rec *cmd) {
++  if (copy_engine == FALSE) {
++    return PR_DECLINED(cmd);
++  }
++
+   if (cmd->argc < 2) {
+     return PR_DECLINED(cmd);
+   }
+@@ -539,12 +566,26 @@ MODRET copy_cpfr(cmd_rec *cmd) {
+   register unsigned int i;
+   int res;
+   char *path = "";
++  unsigned char *authenticated = NULL;
++
++  if (copy_engine == FALSE) {
++    return PR_DECLINED(cmd);
++  }
+ 
+   if (cmd->argc < 3 ||
+       strncasecmp(cmd->argv[1], "CPFR", 5) != 0) {
+     return PR_DECLINED(cmd);
+   }
+ 
++  authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
++  if (authenticated == NULL ||
++      *authenticated == FALSE) {
++    pr_response_add_err(R_530, _("Please login with USER and PASS"));
++  
++    errno = EPERM;
++    return PR_ERROR(cmd);
++  }
++
+   CHECK_CMD_MIN_ARGS(cmd, 3);
+ 
+   /* Construct the target file name by concatenating all the parameters after
+@@ -594,12 +635,26 @@ MODRET copy_cpfr(cmd_rec *cmd) {
+ MODRET copy_cpto(cmd_rec *cmd) {
+   register unsigned int i;
+   char *from, *to = "";
++  unsigned char *authenticated = NULL;
++
++  if (copy_engine == FALSE) {
++    return PR_DECLINED(cmd);
++  }
+ 
+   if (cmd->argc < 3 ||
+       strncasecmp(cmd->argv[1], "CPTO", 5) != 0) {
+     return PR_DECLINED(cmd);
+   }
+ 
++  authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
++  if (authenticated == NULL ||
++      *authenticated == FALSE) {
++    pr_response_add_err(R_530, _("Please login with USER and PASS"));
++
++    errno = EPERM;
++    return PR_ERROR(cmd);
++  }
++
+   CHECK_CMD_MIN_ARGS(cmd, 3);
+ 
+   from = pr_table_get(session.notes, "mod_copy.cpfr-path", NULL);
+@@ -632,6 +687,10 @@ MODRET copy_cpto(cmd_rec *cmd) {
+ }
+ 
+ MODRET copy_log_site(cmd_rec *cmd) {
++  if (copy_engine == FALSE) {
++    return PR_DECLINED(cmd);
++  }
++
+   if (cmd->argc < 3 ||
+       strncasecmp(cmd->argv[1], "CPTO", 5) != 0) {
+     return PR_DECLINED(cmd);
+@@ -643,23 +702,58 @@ MODRET copy_log_site(cmd_rec *cmd) {
+   return PR_DECLINED(cmd);
+ }
+ 
++MODRET copy_post_pass(cmd_rec *cmd) {
++  config_rec *c;
++
++  if (copy_engine == FALSE) {
++    return PR_DECLINED(cmd);
++  }
++
++  /* The CopyEngine directive may have been changed for this user by
++   * e.g. mod_ifsession, thus we check again.
++   */
++  c = find_config(main_server->conf, CONF_PARAM, "CopyEngine", FALSE);
++  if (c != NULL) {
++    copy_engine = *((int *) c->argv[0]);
++  }
++
++  return PR_DECLINED(cmd);
++}
++
+ /* Initialization functions
+  */
+ 
+ static int copy_sess_init(void) {
++  config_rec *c;
++
++  c = find_config(main_server->conf, CONF_PARAM, "CopyEngine", FALSE);
++  if (c != NULL) {
++    copy_engine = *((int *) c->argv[0]);
++  }
++
++  if (copy_engine == FALSE) {
++    return 0;
++  }
++
+   /* Advertise support for the SITE command */
+   pr_feat_add("SITE COPY");
+-
+   return 0;
+ }
+ 
+ /* Module API tables
+  */
+ 
++static conftable copy_conftab[] = {
++  { "CopyEngine",	set_copyengine,		NULL },
++
++  { NULL }
++};
++
+ static cmdtable copy_cmdtab[] = {
+   { CMD, 	C_SITE, G_WRITE,	copy_copy,	FALSE,	FALSE, CL_MISC },
+   { CMD, 	C_SITE, G_DIRS,		copy_cpfr,	FALSE,	FALSE, CL_MISC },
+   { CMD, 	C_SITE, G_WRITE,	copy_cpto,	FALSE,	FALSE, CL_MISC },
++  { POST_CMD,	C_PASS,	G_NONE,		copy_post_pass, FALSE,	FALSE },
+   { LOG_CMD, 	C_SITE, G_NONE,		copy_log_site,	FALSE,	FALSE },
+   { LOG_CMD_ERR, C_SITE, G_NONE,	copy_log_site,	FALSE,	FALSE },
+ 
+@@ -676,7 +770,7 @@ module copy_module = {
+   "copy",
+ 
+   /* Module configuration handler table */
+-  NULL,
++  copy_conftab,
+ 
+   /* Module command handler table */
+   copy_cmdtab,
+Index: proftpd-dfsg/doc/contrib/mod_copy.html
+===================================================================
+--- proftpd-dfsg.orig/doc/contrib/mod_copy.html
++++ proftpd-dfsg/doc/contrib/mod_copy.html
+@@ -1,5 +1,5 @@
+-<!-- $Id: mod_copy.html,v 1.1 2010/03/10 19:20:43 castaglia Exp $ -->
+-<!-- $Source: /cvsroot/proftp/proftpd/doc/contrib/mod_copy.html,v $ -->
++<!-- $Id: mod_copy.html,v 1.1 2010-03-10 19:20:43 castaglia Exp $ -->
++<!-- $Source: /home/proftpd-core/backup/proftp-cvsroot/proftpd/doc/contrib/mod_copy.html,v $ -->
+ 
+ <html>
+ <head>
+@@ -27,22 +27,40 @@ ProFTPD 1.3.<i>x</i>, and is not compile
+ instructions are discussed <a href="#Installation">here</a>.
+ 
+ <p>
+-The most current version of <code>mod_copy</code> can be found at:
+-<pre>
+-  <a href="http://www.castaglia.org/proftpd/">http://www.castaglia.org/proftpd/</a>
+-</pre>
++The most current version of <code>mod_copy</code> is distributed with the
++ProFTPD source code.
+ 
+ <h2>Author</h2>
+ <p>
+ Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any
+ questions, concerns, or suggestions regarding this module.
+ 
++<h2>Directives</h2>
++<ul>
++  <li><a href="#CopyEngine">CopyEngine</a>
++</ul>
++
+ <h2><code>SITE</code> Commands</h2>
+ <ul>
+   <li><a href="#SITE_CPFR">SITE CPFR</a>
+   <li><a href="#SITE_CPTO">SITE CPTO</a>
+ </ul>
+ 
++<p>
++<hr>
++<h2><a name="CopyEngine">CopyEngine</a></h2>
++<strong>Syntax:</strong> CopyEngine <em>on|off</em><br>
++<strong>Default:</strong> CopyEngine on<br>
++<strong>Context:</strong> server config, <code><VirtualHost></code>, <code><Global></code><br>
++<strong>Module:</strong> mod_radius<br>
++<strong>Compatibility:</strong> 1.3.6rc1 and later
++
++<p>
++The <code>CopyEngine</code> directive enables or disables the module's
++handling of <code>SITE COPY</code> <i>et al</i> commands.  If it is set to
++<em>off</em> this module ignores these commands.
++
++<p>
+ <hr>
+ <h2><a name="SITE_CPFR">SITE CPFR</a></h2>
+ This <code>SITE</code> command specifies the source file/directory to use
+@@ -118,13 +136,8 @@ your existing server:
+ <p>
+ <hr><br>
+ 
+-Author: <i>$Author: castaglia $</i><br>
+-Last Updated: <i>$Date: 2010/03/10 19:20:43 $</i><br>
+-
+-<br><hr>
+-
+ <font size=2><b><i>
+-© Copyright 2009-2010 TJ Saunders<br>
++© Copyright 2009-2015 TJ Saunders<br>
+  All Rights Reserved<br>
+ </i></b></font>
+ 
+Index: proftpd-dfsg/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
+===================================================================
+--- proftpd-dfsg.orig/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
++++ proftpd-dfsg/tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm
+@@ -21,6 +21,11 @@ my $TESTS = {
+     test_class => [qw(forking)],
+   },
+ 
++  copy_file_no_login => {
++    order => ++$order,
++    test_class => [qw(bug forking)],
++  },
++
+   copy_dir => {
+     order => ++$order,
+     test_class => [qw(forking)],
+@@ -86,6 +91,11 @@ my $TESTS = {
+     test_class => [qw(forking)],
+   },
+ 
++  copy_cpfr_cpto_no_login => {
++    order => ++$order,
++    test_class => [qw(bug forking)],
++  },
++
+   copy_cpto_no_cpfr => {
+     order => ++$order,
+     test_class => [qw(forking)],
+@@ -263,6 +273,137 @@ sub copy_file {
+   unlink($log_file);
+ }
+ 
++sub copy_file_no_login {
++  my $self = shift;
++  my $tmpdir = $self->{tmpdir};
++
++  my $config_file = "$tmpdir/copy.conf";
++  my $pid_file = File::Spec->rel2abs("$tmpdir/copy.pid");
++  my $scoreboard_file = File::Spec->rel2abs("$tmpdir/copy.scoreboard");
++
++  my $log_file = File::Spec->rel2abs('tests.log');
++
++  my $auth_user_file = File::Spec->rel2abs("$tmpdir/copy.passwd");
++  my $auth_group_file = File::Spec->rel2abs("$tmpdir/copy.group");
++
++  my $user = 'proftpd';
++  my $passwd = 'test';
++  my $group = 'ftpd';
++  my $home_dir = File::Spec->rel2abs($tmpdir);
++  my $uid = 500;
++  my $gid = 500;
++
++  # Make sure that, if we're running as root, that the home directory has
++  # permissions/privs set for the account we create
++  if ($< == 0) {
++    unless (chmod(0755, $home_dir)) {
++      die("Can't set perms on $home_dir to 0755: $!");
++    }
++
++    unless (chown($uid, $gid, $home_dir)) {
++      die("Can't set owner of $home_dir to $uid/$gid: $!");
++    }
++  }
++
++  auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir,
++    '/bin/bash');
++  auth_group_write($auth_group_file, $group, $gid, $user);
++
++  my $src_file = File::Spec->rel2abs("$home_dir/foo.txt");
++  if (open(my $fh, "> $src_file")) {
++    print $fh "Hello, World!\n";
++
++    unless (close($fh)) {
++      die("Can't write $src_file: $!");
++    }
++
++  } else {
++    die("Can't open $src_file: $!");
++  }
++
++  my $dst_file = File::Spec->rel2abs("$home_dir/bar.txt");
++
++  my $config = {
++    PidFile => $pid_file,
++    ScoreboardFile => $scoreboard_file,
++    SystemLog => $log_file,
++
++    AuthUserFile => $auth_user_file,
++    AuthGroupFile => $auth_group_file,
++
++    IfModules => {
++      'mod_delay.c' => {
++        DelayEngine => 'off',
++      },
++    },
++  };
++
++  my ($port, $config_user, $config_group) = config_write($config_file, $config);
++
++  # Open pipes, for use between the parent and child processes.  Specifically,
++  # the child will indicate when it's done with its test by writing a message
++  # to the parent.
++  my ($rfh, $wfh);
++  unless (pipe($rfh, $wfh)) {
++    die("Can't open pipe: $!");
++  }
++
++  my $ex;
++
++  # Fork child
++  $self->handle_sigchld();
++  defined(my $pid = fork()) or die("Can't fork: $!");
++  if ($pid) {
++    eval {
++      my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port);
++
++      eval { $client->site('COPY', 'foo.txt', 'bar.txt') };
++      unless ($@) { 
++        die("SITE COPY succeeded unexpectedly");
++      }
++
++      my $resp_code = $client->response_code();
++      my $resp_msg = $client->response_msg();
++
++      my $expected;
++      $expected = 530;
++      $self->assert($expected == $resp_code,
++        test_msg("Expected response code $expected, got $resp_code"));
++
++      $expected = "Please login with USER and PASS";
++      $self->assert($expected eq $resp_msg,
++        test_msg("Expected response message '$expected', got '$resp_msg'"));
++    };
++
++    if ($@) {
++      $ex = $@;
++    }
++
++    $wfh->print("done\n");
++    $wfh->flush();
++
++  } else {
++    eval { server_wait($config_file, $rfh) };
++    if ($@) {
++      warn($@);
++      exit 1;
++    }
++
++    exit 0;
++  }
++
++  # Stop server
++  server_stop($pid_file);
++
++  $self->assert_child_ok($pid);
++
++  if ($ex) {
++    die($ex);
++  }
++
++  unlink($log_file);
++}
++
+ sub copy_dir {
+   my $self = shift;
+   my $tmpdir = $self->{tmpdir};
+@@ -2578,6 +2719,153 @@ sub copy_cpfr_cpto {
+     };
+ 
+     if ($@) {
++      $ex = $@;
++    }
++
++    $wfh->print("done\n");
++    $wfh->flush();
++
++  } else {
++    eval { server_wait($config_file, $rfh) };
++    if ($@) {
++      warn($@);
++      exit 1;
++    }
++
++    exit 0;
++  }
++
++  # Stop server
++  server_stop($pid_file);
++
++  $self->assert_child_ok($pid);
++
++  if ($ex) {
++    die($ex);
++  }
++
++  unlink($log_file);
++}
++
++sub copy_cpfr_cpto_no_login {
++  my $self = shift;
++  my $tmpdir = $self->{tmpdir};
++
++  my $config_file = "$tmpdir/copy.conf";
++  my $pid_file = File::Spec->rel2abs("$tmpdir/copy.pid");
++  my $scoreboard_file = File::Spec->rel2abs("$tmpdir/copy.scoreboard");
++
++  my $log_file = File::Spec->rel2abs('tests.log');
++
++  my $auth_user_file = File::Spec->rel2abs("$tmpdir/copy.passwd");
++  my $auth_group_file = File::Spec->rel2abs("$tmpdir/copy.group");
++
++  my $user = 'proftpd';
++  my $passwd = 'test';
++  my $group = 'ftpd';
++  my $home_dir = File::Spec->rel2abs($tmpdir);
++  my $uid = 500;
++  my $gid = 500;
++
++  # Make sure that, if we're running as root, that the home directory has
++  # permissions/privs set for the account we create
++  if ($< == 0) {
++    unless (chmod(0755, $home_dir)) {
++      die("Can't set perms on $home_dir to 0755: $!");
++    }
++
++    unless (chown($uid, $gid, $home_dir)) {
++      die("Can't set owner of $home_dir to $uid/$gid: $!");
++    }
++  }
++
++  auth_user_write($auth_user_file, $user, $passwd, $uid, $gid, $home_dir,
++    '/bin/bash');
++  auth_group_write($auth_group_file, $group, $gid, $user);
++
++  my $src_file = File::Spec->rel2abs("$home_dir/foo.txt");
++  if (open(my $fh, "> $src_file")) {
++    print $fh "Hello, World!\n";
++
++    unless (close($fh)) {
++      die("Can't write $src_file: $!");
++    }
++
++  } else {
++    die("Can't open $src_file: $!");
++  }
++
++  my $dst_file = File::Spec->rel2abs("$home_dir/bar.txt");
++
++  my $config = {
++    PidFile => $pid_file,
++    ScoreboardFile => $scoreboard_file,
++    SystemLog => $log_file,
++
++    AuthUserFile => $auth_user_file,
++    AuthGroupFile => $auth_group_file,
++
++    IfModules => {
++      'mod_delay.c' => {
++        DelayEngine => 'off',
++      },
++    },
++  };
++
++  my ($port, $config_user, $config_group) = config_write($config_file, $config);
++
++  # Open pipes, for use between the parent and child processes.  Specifically,
++  # the child will indicate when it's done with its test by writing a message
++  # to the parent.
++  my ($rfh, $wfh);
++  unless (pipe($rfh, $wfh)) {
++    die("Can't open pipe: $!");
++  }
++
++  my $ex;
++
++  # Fork child
++  $self->handle_sigchld();
++  defined(my $pid = fork()) or die("Can't fork: $!");
++  if ($pid) {
++    eval {
++      my $client = ProFTPD::TestSuite::FTP->new('127.0.0.1', $port);
++ 
++      eval { $client->site('CPFR', 'foo.txt') };
++      unless ($@) {
++        die("SITE CPFR succeeded unexpectedly");
++      }
++
++      my $resp_code = $client->response_code();
++      my $resp_msg = $client->response_msg();
++
++      my $expected;
++      $expected = 530;
++      $self->assert($expected == $resp_code,
++        test_msg("Expected response code $expected, got $resp_code"));
++
++      $expected = "Please login with USER and PASS";
++      $self->assert($expected eq $resp_msg,
++        test_msg("Expected response message '$expected', got '$resp_msg'"));
++
++      eval { $client->site('CPTO', 'bar.txt') };
++      unless ($@) {
++        die("SITE CPTO succeeded unexpectedly");
++      }
++
++      $resp_code = $client->response_code();
++      $resp_msg = $client->response_msg();
++
++      $expected = 530;
++      $self->assert($expected == $resp_code,
++        test_msg("Expected response code $expected, got $resp_code"));
++
++      $expected = "Please login with USER and PASS";
++      $self->assert($expected eq $resp_msg,
++        test_msg("Expected response message '$expected', got '$resp_msg'"));
++    };
++
++    if ($@) {
+       $ex = $@;
+     }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 01d4f10..d1331b8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ odbc
 silent
 use_hypen_in_manpage
 contrib_hardening_flags
+CVE-2015-3306

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-proftpd/proftpd-dfsg.git



More information about the Pkg-proftpd-maintainers mailing list