Hello community,
here is the log from the commit of package proftpd for openSUSE:Factory checked in at 2017-04-12 17:35:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/proftpd (Old)
and /work/SRC/openSUSE:Factory/.proftpd.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "proftpd"
Wed Apr 12 17:35:38 2017 rev:28 rq:486641 version:1.3.5d
Changes:
--------
--- /work/SRC/openSUSE:Factory/proftpd/proftpd.changes 2017-04-06 11:03:14.794286322 +0200
+++ /work/SRC/openSUSE:Factory/.proftpd.new/proftpd.changes 2017-04-12 18:19:03.517841216 +0200
@@ -1,0 +2,13 @@
+Fri Apr 7 20:49:37 UTC 2017 - chris@computersalat.de
+
+- fix for boo#1032443 (CVE-2017-7418)
+ * AllowChrootSymlinks not enforced by replacing a path component
+ with a symbolic link
+ * add upstream commit (ecff21e0d0e84f35c299ef91d7fda088e516d4ed)
+ as proftpd-AllowChrootSymlinks.patch
+- fix proftpd-tls.template
+ * reduce TLS protocols to TLSv1.1 and TLSv1.2
+ * disable TLSCACertificateFile
+ * add TLSCertificateChainFile
+
+-------------------------------------------------------------------
New:
----
proftpd-AllowChrootSymlinks.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ proftpd.spec ++++++
--- /var/tmp/diff_new_pack.FlhgXE/_old 2017-04-12 18:19:04.693674949 +0200
+++ /var/tmp/diff_new_pack.FlhgXE/_new 2017-04-12 18:19:04.697674383 +0200
@@ -18,10 +18,10 @@
Name: proftpd
Summary: Highly configurable GPL-licensed FTP server software
-# Please save your time and do not update to "rc" versions.
-# We only accept updates for "STABLE" Versions
License: GPL-2.0+
Group: Productivity/Networking/Ftp/Servers
+# Please save your time and do not update to "rc" versions.
+# We only accept updates for "STABLE" Versions
Version: 1.3.5d
Release: 0
Url: http://www.proftpd.org/
@@ -35,6 +35,10 @@
Source16: %{name}-tls.template
Source17: %{name}-limit.template
Source18: %{name}-ssl.README
+#PATCH-FIX-UPSTREAM (CVE-2017-7418):
+# AllowChrootSymlinks not enforced by replacing a path component with a symbolic link
+### github commit: ecff21e0d0e84f35c299ef91d7fda088e516d4ed
+Patch0: %{name}-AllowChrootSymlinks.patch
#PATCH-FIX-openSUSE: pam, logrotate, xinet
Patch100: %{name}-dist.patch
#PATCH-FIX-openSUSE: provide a useful default config
@@ -144,6 +148,8 @@
#gpg_verify %{S:1}
%setup -q
rm README.AIX
+%patch0 -p1
+#
%patch100
%patch101
%patch102
++++++ proftpd-AllowChrootSymlinks.patch ++++++
commit ecff21e0d0e84f35c299ef91d7fda088e516d4ed
Author: TJ Saunders
Date: Mon Mar 6 08:31:29 2017 -0800
Backporting recursive handling of DefaultRoot path, when AllowChrootSymlinks
is off, to 1.3.5 branch. (CVE-2017-7418)
diff --git a/modules/mod_auth.c b/modules/mod_auth.c
index 386576162..410215979 100644
--- a/modules/mod_auth.c
+++ b/modules/mod_auth.c
@@ -2,7 +2,7 @@
* ProFTPD - FTP server daemon
* Copyright (c) 1997, 1998 Public Flood Software
* Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu
- * Copyright (c) 2001-2016 The ProFTPD Project team
+ * Copyright (c) 2001-2017 The ProFTPD Project team
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p, xaset_t *conf) {
return dir;
}
-/* Determine if the user (non-anon) needs a default root dir other than /.
- */
+static int is_symlink_path(pool *p, const char *path, size_t pathlen) {
+ int res, xerrno = 0;
+ struct stat st;
+ char *ptr;
+
+ if (pathlen == 0) {
+ return 0;
+ }
+
+ pr_fs_clear_cache();
+ res = pr_fsio_lstat(path, &st);
+ if (res < 0) {
+ xerrno = errno;
+
+ pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
+ strerror(xerrno));
+
+ errno = xerrno;
+ return -1;
+ }
+ if (S_ISLNK(st.st_mode)) {
+ errno = EPERM;
+ return -1;
+ }
+
+ /* To handle the case where a component further up the path might be a
+ * symlink (which lstat(2) will NOT handle), we walk the path backwards,
+ * calling ourselves recursively.
+ */
+
+ ptr = strrchr(path, '/');
+ if (ptr != NULL) {
+ char *new_path;
+ size_t new_pathlen;
+
+ pr_signals_handle();
+
+ new_pathlen = ptr - path;
+
+ /* Make sure our pointer actually changed position. */
+ if (new_pathlen == pathlen) {
+ return 0;
+ }
+
+ new_path = pstrndup(p, path, new_pathlen);
+
+ pr_log_debug(DEBUG10,
+ "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path,
+ new_path);
+ res = is_symlink_path(p, new_path, new_pathlen);
+ if (res < 0) {
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+/* Determine if the user (non-anon) needs a default root dir other than /. */
static int get_default_root(pool *p, int allow_symlinks, char **root) {
config_rec *c = NULL;
char *dir = NULL;
@@ -733,7 +790,6 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) {
if (allow_symlinks == FALSE) {
char *path, target_path[PR_TUNABLE_PATH_MAX + 1];
- struct stat st;
size_t pathlen;
/* First, deal with any possible interpolation. dir_realpath() will
@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) {
path[pathlen-1] = '\0';
}
- pr_fs_clear_cache();
- res = pr_fsio_lstat(path, &st);
+ res = is_symlink_path(p, path, pathlen);
if (res < 0) {
- xerrno = errno;
-
- pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
- strerror(xerrno));
-
- errno = xerrno;
- return -1;
- }
+ if (errno == EPERM) {
+ pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
+ "(denied by AllowChrootSymlinks config)", path);
+ }
- if (S_ISLNK(st.st_mode)) {
- pr_log_pri(PR_LOG_WARNING,
- "error: DefaultRoot %s is a symlink (denied by AllowChrootSymlinks "
- "config)", path);
errno = EPERM;
return -1;
}
++++++ proftpd-tls.template ++++++
--- /var/tmp/diff_new_pack.FlhgXE/_old 2017-04-12 18:19:04.801659679 +0200
+++ /var/tmp/diff_new_pack.FlhgXE/_new 2017-04-12 18:19:04.805659114 +0200
@@ -10,8 +10,9 @@
TLSEngine on
TLSLog /var/log/proftpd/tls.log
- # Support both SSLv3 and TLSv1
- TLSProtocol TLSv1 TLSv1.1 TLSv1.2
+ # Support both SSLv3 and TLSv1, but they should not be used
+ # (known to be weak)
+ TLSProtocol TLSv1.1 TLSv1.2
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off
@@ -20,8 +21,11 @@
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
- # CA (or CA chain) the server trusts
- TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem
+ # CA (or CA chain) to verify client certs
+ #TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem
+
+ # CA (or CA chain) to verify certification path of server cert
+ TLSCertificateChainFile /etc/proftpd/ssl/proftpd.cacert.pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off