Bug#859729: unblock: proftpd-dfsg/1.3.5b-4

Francesco P. Lovergine frankie at debian.org
Thu Apr 6 13:51:46 UTC 2017


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package proftpd-dfsg

The new package fixes CVE-2017-7418 and closes #859592 with
only one relevant new quilt patch.

unblock proftpd-dfsg/1.3.5b-4

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Francesco P. Lovergine
-------------- next part --------------
diff -Nru proftpd-dfsg-1.3.5b/debian/changelog proftpd-dfsg-1.3.5b/debian/changelog
--- proftpd-dfsg-1.3.5b/debian/changelog	2017-01-31 09:20:06.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/changelog	2017-04-05 15:57:53.000000000 +0200
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.5b-4) unstable; urgency=medium
+
+  * Added patch CVE-2017-7418 to add recursive handling of DefalutRoot path.
+    (closes: #859592)
+
+ -- Francesco Paolo Lovergine <frankie at debian.org>  Wed, 05 Apr 2017 15:57:53 +0200
+
 proftpd-dfsg (1.3.5b-3) unstable; urgency=medium
 
   * Updated debian/proftpd-basic.NEWS to include information already present
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418 proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418
--- proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418	2017-04-05 15:57:53.000000000 +0200
@@ -0,0 +1,109 @@
+Index: proftpd-dfsg/modules/mod_auth.c
+===================================================================
+--- proftpd-dfsg.orig/modules/mod_auth.c
++++ proftpd-dfsg/modules/mod_auth.c
+@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p,
+   return dir;
+ }
+ 
+-/* Determine if the user (non-anon) needs a default root dir other than /.
+- */
++static int is_symlink_path(pool *p, const char *path, size_t pathlen) {
++  int res, xerrno = 0;
++  struct stat st;
++  char *ptr;
+ 
++  if (pathlen == 0) {
++    return 0;
++  }
++
++  pr_fs_clear_cache();
++  res = pr_fsio_lstat(path, &st);
++  if (res < 0) {
++    xerrno = errno;
++
++    pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
++      strerror(xerrno));
++
++    errno = xerrno;
++    return -1;
++  }
++
++  if (S_ISLNK(st.st_mode)) {
++    errno = EPERM;
++    return -1;
++  }
++
++  /* To handle the case where a component further up the path might be a
++   * symlink (which lstat(2) will NOT handle), we walk the path backwards,
++   * calling ourselves recursively.
++   */
++
++  ptr = strrchr(path, '/');
++  if (ptr != NULL) {
++    char *new_path;
++    size_t new_pathlen;
++
++    pr_signals_handle();
++
++    new_pathlen = ptr - path;
++
++    /* Make sure our pointer actually changed position. */
++    if (new_pathlen == pathlen) {
++      return 0;
++    }
++
++    new_path = pstrndup(p, path, new_pathlen);
++
++    pr_log_debug(DEBUG10,
++      "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path,
++      new_path);
++    res = is_symlink_path(p, new_path, new_pathlen);
++    if (res < 0) {
++      return -1;
++    }
++  }
++
++  return 0;
++}
++
++/* Determine if the user (non-anon) needs a default root dir other than /. */
+ static int get_default_root(pool *p, int allow_symlinks, char **root) {
+   config_rec *c = NULL;
+   char *dir = NULL;
+@@ -733,7 +790,6 @@ static int get_default_root(pool *p, int
+ 
+       if (allow_symlinks == FALSE) {
+         char *path, target_path[PR_TUNABLE_PATH_MAX + 1];
+-        struct stat st;
+         size_t pathlen;
+ 
+         /* First, deal with any possible interpolation.  dir_realpath() will
+@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int
+           path[pathlen-1] = '\0';
+         }
+ 
+-        pr_fs_clear_cache();
+-        res = pr_fsio_lstat(path, &st);
++        res = is_symlink_path(p, path, pathlen);
+         if (res < 0) {
+-          xerrno = errno;
+-
+-          pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
+-            strerror(xerrno));
+-
+-          errno = xerrno;
+-          return -1;
+-        }
++          if (errno == EPERM) {
++            pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
++              "(denied by AllowChrootSymlinks config)", path);
++          }
+ 
+-        if (S_ISLNK(st.st_mode)) {
+-          pr_log_pri(PR_LOG_WARNING,
+-            "error: DefaultRoot %s is a symlink (denied by AllowChrootSymlinks "
+-            "config)", path);
+           errno = EPERM;
+           return -1;
+         }
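Review bot: The warning added in get_default_root (`DefaultRoot %s is a symlink`) always prints the full `path`, but after this change the symlink that is_symlink_path() rejected may be any parent component, so the log line can name a directory that is not itself a symlink. Logging at the `S_ISLNK` branch inside is_symlink_path(), where the offending component is known, would give operators the right path: `pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot component %s is a symlink (denied by AllowChrootSymlinks config)", path);`. The unchanged `errno = EPERM;` after the new `if` now also overwrites the errno of a failed lstat (for example ENOENT), which the old code returned to the caller as it was. The check remains an lstat walk done before the root is used, so a component replaced between the check and the later chroot would presumably not be caught; that call is outside the hunk. get_default_root's body starts and ends outside the hunk.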
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/series proftpd-dfsg-1.3.5b/debian/patches/series
--- proftpd-dfsg-1.3.5b/debian/patches/series	2017-01-31 09:20:06.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/series	2017-04-05 15:57:53.000000000 +0200
@@ -14,3 +14,4 @@
 FTBS_on_Hurd
 reproducible_build
 not_read_whole_passwd_db
+CVE-2017-7418

