Bug#859729: marked as done (unblock: proftpd-dfsg/1.3.5b-4)

To: Niels Thykier <niels@thykier.net>
Subject: Bug#859729: marked as done (unblock: proftpd-dfsg/1.3.5b-4)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 06 Apr 2017 16:42:03 +0000
Message-id: <[🔎] handler.859729.D859729.149149672627467.ackdone@bugs.debian.org>
References: <f9d1e9f0-1a27-0348-d5f3-f31339b7e3b7@thykier.net> <[🔎] 20170406135146.x4ztouernuqrvtwy@ba.issia.cnr.it>

Your message dated Thu, 06 Apr 2017 16:37:00 +0000
with message-id <f9d1e9f0-1a27-0348-d5f3-f31339b7e3b7@thykier.net>
and subject line Re: Bug#859729: unblock: proftpd-dfsg/1.3.5b-4
has caused the Debian Bug report #859729,
regarding unblock: proftpd-dfsg/1.3.5b-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
859729: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859729
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: proftpd-dfsg/1.3.5b-4
From: "Francesco P. Lovergine" <frankie@debian.org>
Date: Thu, 6 Apr 2017 15:51:46 +0200
Message-id: <[🔎] 20170406135146.x4ztouernuqrvtwy@ba.issia.cnr.it>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package proftpd-dfsg

The new package fixes CVE-2017-7418 and closes #859592 with
only one relevant new quilt patch.

unblock proftpd-dfsg/1.3.5b-4

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Francesco P. Lovergine

diff -Nru proftpd-dfsg-1.3.5b/debian/changelog proftpd-dfsg-1.3.5b/debian/changelog
--- proftpd-dfsg-1.3.5b/debian/changelog	2017-01-31 09:20:06.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/changelog	2017-04-05 15:57:53.000000000 +0200
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.5b-4) unstable; urgency=medium
+
+  * Added patch CVE-2017-7418 to add recursive handling of DefalutRoot path.
+    (closes: #859592)
+
+ -- Francesco Paolo Lovergine <frankie@debian.org>  Wed, 05 Apr 2017 15:57:53 +0200
+
 proftpd-dfsg (1.3.5b-3) unstable; urgency=medium
 
   * Updated debian/proftpd-basic.NEWS to include information already present
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418 proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418
--- proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/CVE-2017-7418	2017-04-05 15:57:53.000000000 +0200
@@ -0,0 +1,109 @@
+Index: proftpd-dfsg/modules/mod_auth.c
+===================================================================
+--- proftpd-dfsg.orig/modules/mod_auth.c
++++ proftpd-dfsg/modules/mod_auth.c
+@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p,
+   return dir;
+ }
+ 
+-/* Determine if the user (non-anon) needs a default root dir other than /.
+- */
++static int is_symlink_path(pool *p, const char *path, size_t pathlen) {
++  int res, xerrno = 0;
++  struct stat st;
++  char *ptr;
+ 
++  if (pathlen == 0) {
++    return 0;
++  }
++
++  pr_fs_clear_cache();
++  res = pr_fsio_lstat(path, &st);
++  if (res < 0) {
++    xerrno = errno;
++
++    pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
++      strerror(xerrno));
++
++    errno = xerrno;
++    return -1;
++  }
++
++  if (S_ISLNK(st.st_mode)) {
++    errno = EPERM;
++    return -1;
++  }
++
++  /* To handle the case where a component further up the path might be a
++   * symlink (which lstat(2) will NOT handle), we walk the path backwards,
++   * calling ourselves recursively.
++   */
++
++  ptr = strrchr(path, '/');
++  if (ptr != NULL) {
++    char *new_path;
++    size_t new_pathlen;
++
++    pr_signals_handle();
++
++    new_pathlen = ptr - path;
++
++    /* Make sure our pointer actually changed position. */
++    if (new_pathlen == pathlen) {
++      return 0;
++    }
++
++    new_path = pstrndup(p, path, new_pathlen);
++
++    pr_log_debug(DEBUG10,
++      "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path,
++      new_path);
++    res = is_symlink_path(p, new_path, new_pathlen);
++    if (res < 0) {
++      return -1;
++    }
++  }
++
++  return 0;
++}
++
++/* Determine if the user (non-anon) needs a default root dir other than /. */
+ static int get_default_root(pool *p, int allow_symlinks, char **root) {
+   config_rec *c = NULL;
+   char *dir = NULL;
+@@ -733,7 +790,6 @@ static int get_default_root(pool *p, int
+ 
+       if (allow_symlinks == FALSE) {
+         char *path, target_path[PR_TUNABLE_PATH_MAX + 1];
+-        struct stat st;
+         size_t pathlen;
+ 
+         /* First, deal with any possible interpolation.  dir_realpath() will
+@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int
+           path[pathlen-1] = '\0';
+         }
+ 
+-        pr_fs_clear_cache();
+-        res = pr_fsio_lstat(path, &st);
++        res = is_symlink_path(p, path, pathlen);
+         if (res < 0) {
+-          xerrno = errno;
+-
+-          pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
+-            strerror(xerrno));
+-
+-          errno = xerrno;
+-          return -1;
+-        }
++          if (errno == EPERM) {
++            pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
++              "(denied by AllowChrootSymlinks config)", path);
++          }
+ 
+-        if (S_ISLNK(st.st_mode)) {
+-          pr_log_pri(PR_LOG_WARNING,
+-            "error: DefaultRoot %s is a symlink (denied by AllowChrootSymlinks "
+-            "config)", path);
+           errno = EPERM;
+           return -1;
+         }
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/series proftpd-dfsg-1.3.5b/debian/patches/series
--- proftpd-dfsg-1.3.5b/debian/patches/series	2017-01-31 09:20:06.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/series	2017-04-05 15:57:53.000000000 +0200
@@ -14,3 +14,4 @@
 FTBS_on_Hurd
 reproducible_build
 not_read_whole_passwd_db
+CVE-2017-7418

--- End Message ---

--- Begin Message ---

To: "Francesco P. Lovergine" <frankie@debian.org>, 859729-done@bugs.debian.org

Subject: Re: Bug#859729: unblock: proftpd-dfsg/1.3.5b-4

From: Niels Thykier <niels@thykier.net>

Date: Thu, 06 Apr 2017 16:37:00 +0000

Message-id: <f9d1e9f0-1a27-0348-d5f3-f31339b7e3b7@thykier.net>

In-reply-to: <[🔎] 20170406135146.x4ztouernuqrvtwy@ba.issia.cnr.it>

References: <[🔎] 20170406135146.x4ztouernuqrvtwy@ba.issia.cnr.it>
Francesco P. Lovergine:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package proftpd-dfsg
> 
> The new package fixes CVE-2017-7418 and closes #859592 with
> only one relevant new quilt patch.
> 
> unblock proftpd-dfsg/1.3.5b-4
> 
> [...]

Unblocked, thanks.

~Niels
--- End Message ---

Reply to:

References:
- Bug#859729: unblock: proftpd-dfsg/1.3.5b-4
  - From: "Francesco P. Lovergine" <frankie@debian.org>

Prev by Date: Bug#859736: unblock: ibus-anthy/1.5.9-2
Next by Date: Bug#859736: marked as done (unblock: ibus-anthy/1.5.9-2)
Previous by thread: Bug#859729: unblock: proftpd-dfsg/1.3.5b-4
Next by thread: Bug#859736: unblock: ibus-anthy/1.5.9-2
Index(es):
- Date
- Thread