
Bug#825271: vsftpd: deny_file not preventing upload anymore



Package: vsftpd
Version: 3.0.2-17+deb8u1
Severity: normal

Dear Maintainer,


We have upgraded the system from wheezy to jessie. After the upgrade we noticed that the deny_file option in vsftpd.conf no longer prevents files with the specified filenames from being uploaded.
The syntax we used for specifying filenames is identical to the one we use in hide_file, where it works as intended.

There is no mention of this change in behaviour in the changelogs.
Maybe the issue is related to vulnerability fix CVE-2015-1419 (Fix config option "deny_file" not always being handled correctly).


-- Package-specific info:

-- System Information:
Debian Release: 8.4
  APT prefers stable 
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages vsftpd depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  dialog                 1.2-20140911-1
ii  init-system-helpers    1.22
ii  libc6                  2.19-18+deb8u4
ii  libcap2                1:2.24-8
ii  libpam-modules         1.1.8-3.1+deb8u1+b1
ii  libpam0g               1.1.8-3.1+deb8u1+b1
ii  libssl1.0.0            1.0.1k-3+deb8u5
ii  libwrap0               7.6.q-25
ii  netbase                5.3

Versions of packages vsftpd recommends:
ii  logrotate  3.8.7-1+b1
ii  ssl-cert   1.0.35

vsftpd suggests no packages.

-- Configuration Files:
/etc/logrotate.d/vsftpd changed:
/var/log/vsftpd.log
{
	create 640 root 
	# ftpd doesn't handle SIGHUP properly
	compress
	missingok
	notifempty
	rotate 104
	weekly
}

/etc/vsftpd.conf changed:
listen=YES
anonymous_enable=YES
write_enable=YES
anon_root=/srv/ftp/
anon_umask=017
anon_upload_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
idle_session_timeout=1200
data_connection_timeout=600
ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
pasv_max_port=59000
pasv_min_port=41001
log_ftp_protocol=NO
deny_file={*.txt}
user_config_dir=/etc/vsftpd/vsftpd_user_conf


-- debconf information:
  vsftpd/username: ftp
  vsftpd/directory: /srv/ftp

