Bug#859729: unblock: proftpd-dfsg/1.3.5b-4
Francesco P. Lovergine
frankie at debian.org
Thu Apr 6 13:51:46 UTC 2017
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package proftpd-dfsg
The new package fixes CVE-2017-7418 and closes #859592 with
only one relevant new quilt patch.
unblock proftpd-dfsg/1.3.5b-4
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--
Francesco P. Lovergine
-------------- next part --------------
diff -Nru proftpd-dfsg-1.3.5b/debian/changelog proftpd-dfsg-1.3.5b/debian/changelog
--- proftpd-dfsg-1.3.5b/debian/changelog 2017-01-31 09:20:06.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/changelog 2017-04-05 15:57:53.000000000 +0200
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.5b-4) unstable; urgency=medium
+
+ * Added patch CVE-2017-7418 to add recursive handling of DefalutRoot path.
+ (closes: #859592)
+
+ -- Francesco Paolo Lovergine <frankie at debian.org> Wed, 05 Apr 2017 15:57:53 +0200
+
proftpd-dfsg (1.3.5b-3) unstable; urgency=medium
* Updated debian/proftpd-basic.NEWS to include information already present
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418 proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418
--- proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418 1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418 2017-04-05 15:57:53.000000000 +0200
@@ -0,0 +1,109 @@
+Index: proftpd-dfsg/modules/mod_auth.c
+===================================================================
+--- proftpd-dfsg.orig/modules/mod_auth.c
++++ proftpd-dfsg/modules/mod_auth.c
+@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p,
+ return dir;
+ }
+
+-/* Determine if the user (non-anon) needs a default root dir other than /.
+- */
++static int is_symlink_path(pool *p, const char *path, size_t pathlen) {
++ int res, xerrno = 0;
++ struct stat st;
++ char *ptr;
+
++ if (pathlen == 0) {
++ return 0;
++ }
++
++ pr_fs_clear_cache();
++ res = pr_fsio_lstat(path, &st);
++ if (res < 0) {
++ xerrno = errno;
++
++ pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
++ strerror(xerrno));
++
++ errno = xerrno;
++ return -1;
++ }
++
++ if (S_ISLNK(st.st_mode)) {
++ errno = EPERM;
++ return -1;
++ }
++
++ /* To handle the case where a component further up the path might be a
++ * symlink (which lstat(2) will NOT handle), we walk the path backwards,
++ * calling ourselves recursively.
++ */
++
++ ptr = strrchr(path, '/');
++ if (ptr != NULL) {
++ char *new_path;
++ size_t new_pathlen;
++
++ pr_signals_handle();
++
++ new_pathlen = ptr - path;
++
++ /* Make sure our pointer actually changed position. */
++ if (new_pathlen == pathlen) {
++ return 0;
++ }
++
++ new_path = pstrndup(p, path, new_pathlen);
++
++ pr_log_debug(DEBUG10,
++ "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path,
++ new_path);
++ res = is_symlink_path(p, new_path, new_pathlen);
++ if (res < 0) {
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
++/* Determine if the user (non-anon) needs a default root dir other than /. */
+ static int get_default_root(pool *p, int allow_symlinks, char **root) {
+ config_rec *c = NULL;
+ char *dir = NULL;
+@@ -733,7 +790,6 @@ static int get_default_root(pool *p, int
+
+ if (allow_symlinks == FALSE) {
+ char *path, target_path[PR_TUNABLE_PATH_MAX + 1];
+- struct stat st;
+ size_t pathlen;
+
+ /* First, deal with any possible interpolation. dir_realpath() will
+@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int
+ path[pathlen-1] = '\0';
+ }
+
+- pr_fs_clear_cache();
+- res = pr_fsio_lstat(path, &st);
++ res = is_symlink_path(p, path, pathlen);
+ if (res < 0) {
+- xerrno = errno;
+-
+- pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
+- strerror(xerrno));
+-
+- errno = xerrno;
+- return -1;
+- }
++ if (errno == EPERM) {
++ pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
++ "(denied by AllowChrootSymlinks config)", path);
++ }
+
+- if (S_ISLNK(st.st_mode)) {
+- pr_log_pri(PR_LOG_WARNING,
+- "error: DefaultRoot %s is a symlink (denied by AllowChrootSymlinks "
+- "config)", path);
+ errno = EPERM;
+ return -1;
+ }
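Review bot: In the last inner hunk (get_default_root), `errno = EPERM;` runs for every failure of `is_symlink_path()`, so an lstat error on the DefaultRoot path (for example a missing directory) reaches the caller as a symlink denial, whereas the removed code returned the original errno. If callers are meant to tell the two apart, save it with `xerrno = errno;` before the log call and return with `errno = xerrno;` instead. The warning also prints the full `path` even when the recursion rejected a parent component, so the log does not say which component is the symlink; a `pr_log_debug` or warning naming `path` at the `S_ISLNK(st.st_mode)` test inside `is_symlink_path()` would make the denial traceable. The walk validates the path only at check time and the chroot itself is outside this hunk, so whether the path can change in between should be confirmed there; get_default_root's body starts and ends outside the hunk.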
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/series proftpd-dfsg-1.3.5b/debian/patches/series
--- proftpd-dfsg-1.3.5b/debian/patches/series 2017-01-31 09:20:06.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/series 2017-04-05 15:57:53.000000000 +0200
@@ -14,3 +14,4 @@
FTBS_on_Hurd
reproducible_build
not_read_whole_passwd_db
+CVE-2017-7418