rpm/proftpd
SHA256
1
0
Fork 0
forked from pool/proftpd
Code Pull Requests Activity

Accepting request 486641 from network

Browse Source 
fix for boo#1032443 (CVE-2017-7418) (forwarded request 486640 from computersalat)

OBS-URL: https://build.opensuse.org/request/show/486641
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/proftpd?expand=0&rev=28
This commit is contained in:
Yuchen Lin 2017-04-12 15:35:38 +00:00 committed by Git OBS Bridge
commit f2d636d9f0
4 changed files with 154 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
proftpd-AllowChrootSymlinks.patch Normal file
View File

@ -0,0 +1,125 @@
commit ecff21e0d0e84f35c299ef91d7fda088e516d4ed
Author: TJ Saunders <tj@castaglia.org>
Date: Mon Mar 6 08:31:29 2017 -0800
Backporting recursive handling of DefaultRoot path, when AllowChrootSymlinks
is off, to 1.3.5 branch. (CVE-2017-7418)
diff --git a/modules/mod_auth.c b/modules/mod_auth.c
index 386576162..410215979 100644
--- a/modules/mod_auth.c
+++ b/modules/mod_auth.c
@@ -2,7 +2,7 @@
* ProFTPD - FTP server daemon
* Copyright (c) 1997, 1998 Public Flood Software
* Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <macgyver@tos.net>
- * Copyright (c) 2001-2016 The ProFTPD Project team
+ * Copyright (c) 2001-2017 The ProFTPD Project team
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p, xaset_t *conf) {
return dir;
}
-/* Determine if the user (non-anon) needs a default root dir other than /.
- */
+static int is_symlink_path(pool *p, const char *path, size_t pathlen) {
+ int res, xerrno = 0;
+ struct stat st;
+ char *ptr;
+
+ if (pathlen == 0) {
+ return 0;
+ }
+
+ pr_fs_clear_cache();
+ res = pr_fsio_lstat(path, &st);
+ if (res < 0) {
+ xerrno = errno;
+
+ pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
+ strerror(xerrno));
+
+ errno = xerrno;
+ return -1;
+ }
+ if (S_ISLNK(st.st_mode)) {
+ errno = EPERM;
+ return -1;
+ }
+
+ /* To handle the case where a component further up the path might be a
+ * symlink (which lstat(2) will NOT handle), we walk the path backwards,
+ * calling ourselves recursively.
+ */
+
+ ptr = strrchr(path, '/');
+ if (ptr != NULL) {
+ char *new_path;
+ size_t new_pathlen;
+
+ pr_signals_handle();
+
+ new_pathlen = ptr - path;
+
+ /* Make sure our pointer actually changed position. */
+ if (new_pathlen == pathlen) {
+ return 0;
+ }
+
+ new_path = pstrndup(p, path, new_pathlen);
+
+ pr_log_debug(DEBUG10,
+ "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path,
+ new_path);
+ res = is_symlink_path(p, new_path, new_pathlen);
+ if (res < 0) {
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/* Determine if the user (non-anon) needs a default root dir other than /. */
static int get_default_root(pool *p, int allow_symlinks, char **root) {
config_rec *c = NULL;
char *dir = NULL;
@@ -733,7 +790,6 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) {
if (allow_symlinks == FALSE) {
char *path, target_path[PR_TUNABLE_PATH_MAX + 1];
- struct stat st;
size_t pathlen;
/* First, deal with any possible interpolation. dir_realpath() will
@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) {
path[pathlen-1] = '\0';
}
- pr_fs_clear_cache();
- res = pr_fsio_lstat(path, &st);
+ res = is_symlink_path(p, path, pathlen);
if (res < 0) {
- xerrno = errno;
-
- pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
- strerror(xerrno));
-
- errno = xerrno;
- return -1;
- }
+ if (errno == EPERM) {
+ pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
+ "(denied by AllowChrootSymlinks config)", path);
+ }
- if (S_ISLNK(st.st_mode)) {
- pr_log_pri(PR_LOG_WARNING,
- "error: DefaultRoot %s is a symlink (denied by AllowChrootSymlinks "
- "config)", path);
errno = EPERM;
return -1;
}

12
proftpd-tls.template
View File

@ -10,8 +10,9 @@
TLSEngine on TLSEngine on
TLSLog /var/log/proftpd/tls.log TLSLog /var/log/proftpd/tls.log
# Support both SSLv3 and TLSv1 # Support both SSLv3 and TLSv1, but they should not be used
TLSProtocol TLSv1 TLSv1.1 TLSv1.2 # (known to be weak)
TLSProtocol TLSv1.1 TLSv1.2
# Are clients required to use FTP over TLS when talking to this server? # Are clients required to use FTP over TLS when talking to this server?
TLSRequired off TLSRequired off
@ -20,8 +21,11 @@
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
# CA (or CA chain) the server trusts # CA (or CA chain) to verify client certs
TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem #TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem
# CA (or CA chain) to verify certification path of server cert
TLSCertificateChainFile /etc/proftpd/ssl/proftpd.cacert.pem
# Authenticate clients that want to use FTP over TLS? # Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off TLSVerifyClient off

13
proftpd.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Fri Apr 7 20:49:37 UTC 2017 - chris@computersalat.de
- fix for boo#1032443 (CVE-2017-7418)
* AllowChrootSymlinks not enforced by replacing a path component
with a symbolic link
* add upstream commit (ecff21e0d0e84f35c299ef91d7fda088e516d4ed)
as proftpd-AllowChrootSymlinks.patch
- fix proftpd-tls.template
* reduce TLS protocols to TLSv1.1 and TLSv1.2
* disable TLSCACertificateFile
* add TLSCertificateChainFile
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Mar 23 15:05:22 UTC 2017 - jengelh@inai.de Thu Mar 23 15:05:22 UTC 2017 - jengelh@inai.de

10
proftpd.spec
View File

@ -18,10 +18,10 @@
Name: proftpd Name: proftpd
Summary: Highly configurable GPL-licensed FTP server software Summary: Highly configurable GPL-licensed FTP server software
# Please save your time and do not update to "rc" versions.
# We only accept updates for "STABLE" Versions
License: GPL-2.0+ License: GPL-2.0+
Group: Productivity/Networking/Ftp/Servers Group: Productivity/Networking/Ftp/Servers
# Please save your time and do not update to "rc" versions.
# We only accept updates for "STABLE" Versions
Version: 1.3.5d Version: 1.3.5d
Release: 0 Release: 0
Url: http://www.proftpd.org/ Url: http://www.proftpd.org/
@ -35,6 +35,10 @@ Source15: %{name}.keyring
Source16: %{name}-tls.template Source16: %{name}-tls.template
Source17: %{name}-limit.template Source17: %{name}-limit.template
Source18: %{name}-ssl.README Source18: %{name}-ssl.README
#PATCH-FIX-UPSTREAM (CVE-2017-7418):
# AllowChrootSymlinks not enforced by replacing a path component with a symbolic link
### github commit: ecff21e0d0e84f35c299ef91d7fda088e516d4ed
Patch0: %{name}-AllowChrootSymlinks.patch
#PATCH-FIX-openSUSE: pam, logrotate, xinet #PATCH-FIX-openSUSE: pam, logrotate, xinet
Patch100: %{name}-dist.patch Patch100: %{name}-dist.patch
#PATCH-FIX-openSUSE: provide a useful default config #PATCH-FIX-openSUSE: provide a useful default config
@ -144,6 +148,8 @@ Here are Documentation for ProFTPD
#gpg_verify %{S:1} #gpg_verify %{S:1}
%setup -q %setup -q
rm README.AIX rm README.AIX
%patch0 -p1
#
%patch100 %patch100
%patch101 %patch101
%patch102 %patch102