Your message dated Thu, 06 Apr 2017 16:37:00 +0000
with message-id <f9d1e9f0-1a27-0348-d5f3-f31339b7e...@thykier.net>
and subject line Re: Bug#859729: unblock: proftpd-dfsg/1.3.5b-4
has caused the Debian Bug report #859729,
regarding unblock: proftpd-dfsg/1.3.5b-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
859729: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859729
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package proftpd-dfsg
The new package fixes CVE-2017-7418 and closes #859592 with
only one relevant new quilt patch.
unblock proftpd-dfsg/1.3.5b-4
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--
Francesco P. Lovergine
diff -Nru proftpd-dfsg-1.3.5b/debian/changelog
proftpd-dfsg-1.3.5b/debian/changelog
--- proftpd-dfsg-1.3.5b/debian/changelog 2017-01-31 09:20:06.000000000
+0100
+++ proftpd-dfsg-1.3.5b/debian/changelog 2017-04-05 15:57:53.000000000
+0200
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.5b-4) unstable; urgency=medium
+
+ * Added patch CVE-2017-7418 to add recursive handling of DefalutRoot path.
+ (closes: #859592)
+
+ -- Francesco Paolo Lovergine <fran...@debian.org> Wed, 05 Apr 2017 15:57:53
+0200
+
proftpd-dfsg (1.3.5b-3) unstable; urgency=medium
* Updated debian/proftpd-basic.NEWS to include information already present
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418
proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418
--- proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418 1970-01-01
01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418 2017-04-05
15:57:53.000000000 +0200
@@ -0,0 +1,109 @@
+Index: proftpd-dfsg/modules/mod_auth.c
+===================================================================
+--- proftpd-dfsg.orig/modules/mod_auth.c
++++ proftpd-dfsg/modules/mod_auth.c
+@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p,
+ return dir;
+ }
+
+-/* Determine if the user (non-anon) needs a default root dir other than /.
+- */
++static int is_symlink_path(pool *p, const char *path, size_t pathlen) {
++ int res, xerrno = 0;
++ struct stat st;
++ char *ptr;
+
++ if (pathlen == 0) {
++ return 0;
++ }
++
++ pr_fs_clear_cache();
++ res = pr_fsio_lstat(path, &st);
++ if (res < 0) {
++ xerrno = errno;
++
++ pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
++ strerror(xerrno));
++
++ errno = xerrno;
++ return -1;
++ }
++
++ if (S_ISLNK(st.st_mode)) {
++ errno = EPERM;
++ return -1;
++ }
++
++ /* To handle the case where a component further up the path might be a
++ * symlink (which lstat(2) will NOT handle), we walk the path backwards,
++ * calling ourselves recursively.
++ */
++
++ ptr = strrchr(path, '/');
++ if (ptr != NULL) {
++ char *new_path;
++ size_t new_pathlen;
++
++ pr_signals_handle();
++
++ new_pathlen = ptr - path;
++
++ /* Make sure our pointer actually changed position. */
++ if (new_pathlen == pathlen) {
++ return 0;
++ }
++
++ new_path = pstrndup(p, path, new_pathlen);
++
++ pr_log_debug(DEBUG10,
++ "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path,
++ new_path);
++ res = is_symlink_path(p, new_path, new_pathlen);
++ if (res < 0) {
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
++/* Determine if the user (non-anon) needs a default root dir other than /. */
+ static int get_default_root(pool *p, int allow_symlinks, char **root) {
+ config_rec *c = NULL;
+ char *dir = NULL;
+@@ -733,7 +790,6 @@ static int get_default_root(pool *p, int
+
+ if (allow_symlinks == FALSE) {
+ char *path, target_path[PR_TUNABLE_PATH_MAX + 1];
+- struct stat st;
+ size_t pathlen;
+
+ /* First, deal with any possible interpolation. dir_realpath() will
+@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int
+ path[pathlen-1] = '\0';
+ }
+
+- pr_fs_clear_cache();
+- res = pr_fsio_lstat(path, &st);
++ res = is_symlink_path(p, path, pathlen);
+ if (res < 0) {
+- xerrno = errno;
+-
+- pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
+- strerror(xerrno));
+-
+- errno = xerrno;
+- return -1;
+- }
++ if (errno == EPERM) {
++ pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
++ "(denied by AllowChrootSymlinks config)", path);
++ }
+
+- if (S_ISLNK(st.st_mode)) {
+- pr_log_pri(PR_LOG_WARNING,
+- "error: DefaultRoot %s is a symlink (denied by
AllowChrootSymlinks "
+- "config)", path);
+ errno = EPERM;
+ return -1;
+ }
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/series
proftpd-dfsg-1.3.5b/debian/patches/series
--- proftpd-dfsg-1.3.5b/debian/patches/series 2017-01-31 09:20:06.000000000
+0100
+++ proftpd-dfsg-1.3.5b/debian/patches/series 2017-04-05 15:57:53.000000000
+0200
@@ -14,3 +14,4 @@
FTBS_on_Hurd
reproducible_build
not_read_whole_passwd_db
+CVE-2017-7418
--- End Message ---
--- Begin Message ---
Francesco P. Lovergine:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock package proftpd-dfsg
>
> The new package fixes CVE-2017-7418 and closes #859592 with
> only one relevant new quilt patch.
>
> unblock proftpd-dfsg/1.3.5b-4
>
> [...]
Unblocked, thanks.
~Niels
--- End Message ---
