[proftpd-dfsg] 01/01: Fixating #859592 and CVE-2017-7418
Francesco Lovergine
frankie at moszumanska.debian.org
Wed Apr 5 14:11:45 UTC 2017
This is an automated email from the git hooks/post-receive script.
frankie pushed a commit to branch 1.3.5b
in repository proftpd-dfsg.
commit 244d5c375a5f185c21c339e1c6f01b501221d099
Author: Francesco Paolo Lovergine <frankie at debian.org>
Date: Wed Apr 5 16:00:17 2017 +0200
Fixating #859592 and CVE-2017-7418
---
debian/changelog | 7 +++
debian/patches/CVE-2017-7418 | 109 +++++++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 117 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index a61f290..3893ca9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.5b-4) unstable; urgency=medium
+
+ * Added patch CVE-2017-7418 to add recursive handling of DefalutRoot path.
+ (closes: #859592)
+
+ -- Francesco Paolo Lovergine <frankie at debian.org> Wed, 05 Apr 2017 15:57:53 +0200
+
proftpd-dfsg (1.3.5b-3) unstable; urgency=medium
* Updated debian/proftpd-basic.NEWS to include information already present
diff --git a/debian/patches/CVE-2017-7418 b/debian/patches/CVE-2017-7418
new file mode 100644
index 0000000..ac42c33
--- /dev/null
+++ b/debian/patches/CVE-2017-7418
@@ -0,0 +1,109 @@
+Index: proftpd-dfsg/modules/mod_auth.c
+===================================================================
+--- proftpd-dfsg.orig/modules/mod_auth.c
++++ proftpd-dfsg/modules/mod_auth.c
+@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p,
+ return dir;
+ }
+
+-/* Determine if the user (non-anon) needs a default root dir other than /.
+- */
++static int is_symlink_path(pool *p, const char *path, size_t pathlen) {
++ int res, xerrno = 0;
++ struct stat st;
++ char *ptr;
+
++ if (pathlen == 0) {
++ return 0;
++ }
++
++ pr_fs_clear_cache();
++ res = pr_fsio_lstat(path, &st);
++ if (res < 0) {
++ xerrno = errno;
++
++ pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
++ strerror(xerrno));
++
++ errno = xerrno;
++ return -1;
++ }
++
++ if (S_ISLNK(st.st_mode)) {
++ errno = EPERM;
++ return -1;
++ }
++
++ /* To handle the case where a component further up the path might be a
++ * symlink (which lstat(2) will NOT handle), we walk the path backwards,
++ * calling ourselves recursively.
++ */
++
++ ptr = strrchr(path, '/');
++ if (ptr != NULL) {
++ char *new_path;
++ size_t new_pathlen;
++
++ pr_signals_handle();
++
++ new_pathlen = ptr - path;
++
++ /* Make sure our pointer actually changed position. */
++ if (new_pathlen == pathlen) {
++ return 0;
++ }
++
++ new_path = pstrndup(p, path, new_pathlen);
++
++ pr_log_debug(DEBUG10,
++ "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path,
++ new_path);
++ res = is_symlink_path(p, new_path, new_pathlen);
++ if (res < 0) {
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
++/* Determine if the user (non-anon) needs a default root dir other than /. */
+ static int get_default_root(pool *p, int allow_symlinks, char **root) {
+ config_rec *c = NULL;
+ char *dir = NULL;
+@@ -733,7 +790,6 @@ static int get_default_root(pool *p, int
+
+ if (allow_symlinks == FALSE) {
+ char *path, target_path[PR_TUNABLE_PATH_MAX + 1];
+- struct stat st;
+ size_t pathlen;
+
+ /* First, deal with any possible interpolation. dir_realpath() will
+@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int
+ path[pathlen-1] = '\0';
+ }
+
+- pr_fs_clear_cache();
+- res = pr_fsio_lstat(path, &st);
++ res = is_symlink_path(p, path, pathlen);
+ if (res < 0) {
+- xerrno = errno;
+-
+- pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
+- strerror(xerrno));
+-
+- errno = xerrno;
+- return -1;
+- }
++ if (errno == EPERM) {
++ pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
++ "(denied by AllowChrootSymlinks config)", path);
++ }
+
+- if (S_ISLNK(st.st_mode)) {
+- pr_log_pri(PR_LOG_WARNING,
+- "error: DefaultRoot %s is a symlink (denied by AllowChrootSymlinks "
+- "config)", path);
+ errno = EPERM;
+ return -1;
+ }
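Review bot: In the rewritten `res < 0` branch of get_default_root, the `errno == EPERM` warning always prints the full DefaultRoot `path` as the symlink, although is_symlink_path may have set EPERM for a parent component reached through its recursion, so the log can name a directory that is not itself a link. Logging where the link is detected keeps the audit trail accurate, for example inside the `S_ISLNK(st.st_mode)` branch: `pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot component %s is a symlink", path);`. The new helper also has no header comment; I would add `/* Returns 0 if no component of path is a symlink, -1 with errno EPERM if one is, -1 with the lstat errno otherwise. */`. The walk is a check made before the path is used, and the use (presumably the chroot) is outside this hunk, so whether a user-writable component could change between the lstat calls and that use should be confirmed against the caller. get_default_root's body starts and ends outside the hunk.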
diff --git a/debian/patches/series b/debian/patches/series
index b1b7fae..71ea360 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,4 @@ contrib_hardening_flags
FTBS_on_Hurd
reproducible_build
not_read_whole_passwd_db
+CVE-2017-7418
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-proftpd/proftpd-dfsg.git