Hello community, here is the log from the commit of package proftpd for openSUSE:Factory checked in at 2017-04-12 17:35:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/proftpd (Old) and /work/SRC/openSUSE:Factory/.proftpd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "proftpd" Wed Apr 12 17:35:38 2017 rev:28 rq:486641 version:1.3.5d Changes: -------- --- /work/SRC/openSUSE:Factory/proftpd/proftpd.changes 2017-04-06 11:03:14.794286322 +0200 +++ /work/SRC/openSUSE:Factory/.proftpd.new/proftpd.changes 2017-04-12 18:19:03.517841216 +0200 @@ -1,0 +2,13 @@ +Fri Apr 7 20:49:37 UTC 2017 - chris@computersalat.de + +- fix for boo#1032443 (CVE-2017-7418) + * AllowChrootSymlinks not enforced by replacing a path component + with a symbolic link + * add upstream commit (ecff21e0d0e84f35c299ef91d7fda088e516d4ed) + as proftpd-AllowChrootSymlinks.patch +- fix proftpd-tls.template + * reduce TLS protocols to TLSv1.1 and TLSv1.2 + * disable TLSCACertificateFile + * add TLSCertificateChainFile + +------------------------------------------------------------------- New: ---- proftpd-AllowChrootSymlinks.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ proftpd.spec ++++++ --- /var/tmp/diff_new_pack.FlhgXE/_old 2017-04-12 18:19:04.693674949 +0200 +++ /var/tmp/diff_new_pack.FlhgXE/_new 2017-04-12 18:19:04.697674383 +0200 @@ -18,10 +18,10 @@ Name: proftpd Summary: Highly configurable GPL-licensed FTP server software -# Please save your time and do not update to "rc" versions. -# We only accept updates for "STABLE" Versions License: GPL-2.0+ Group: Productivity/Networking/Ftp/Servers +# Please save your time and do not update to "rc" versions. +# We only accept updates for "STABLE" Versions Version: 1.3.5d Release: 0 Url: http://www.proftpd.org/ 
@@ -35,6 +35,10 @@ Source16: %{name}-tls.template Source17: %{name}-limit.template Source18: %{name}-ssl.README +#PATCH-FIX-UPSTREAM (CVE-2017-7418): +# AllowChrootSymlinks not enforced by replacing a path component with a symbolic link +### github commit: ecff21e0d0e84f35c299ef91d7fda088e516d4ed +Patch0: %{name}-AllowChrootSymlinks.patch #PATCH-FIX-openSUSE: pam, logrotate, xinet Patch100: %{name}-dist.patch #PATCH-FIX-openSUSE: provide a useful default config @@ -144,6 +148,8 @@ #gpg_verify %{S:1} %setup -q rm README.AIX +%patch0 -p1 +# %patch100 %patch101 %patch102 ++++++ proftpd-AllowChrootSymlinks.patch ++++++ commit ecff21e0d0e84f35c299ef91d7fda088e516d4ed Author: TJ Saunders <tj@castaglia.org> Date: Mon Mar 6 08:31:29 2017 -0800 Backporting recursive handling of DefaultRoot path, when AllowChrootSymlinks is off, to 1.3.5 branch. (CVE-2017-7418) diff --git a/modules/mod_auth.c b/modules/mod_auth.c index 386576162..410215979 100644 --- a/modules/mod_auth.c +++ b/modules/mod_auth.c @@ -2,7 +2,7 @@ * ProFTPD - FTP server daemon * Copyright (c) 1997, 1998 Public Flood Software * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <macgyver@tos.net> - * Copyright (c) 2001-2016 The ProFTPD Project team + * Copyright (c) 2001-2017 The ProFTPD Project team * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by 
@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p, xaset_t *conf) { return dir; } -/* Determine if the user (non-anon) needs a default root dir other than /. - */ +static int is_symlink_path(pool *p, const char *path, size_t pathlen) { + int res, xerrno = 0; + struct stat st; + char *ptr; + + if (pathlen == 0) { + return 0; + } + + pr_fs_clear_cache(); + res = pr_fsio_lstat(path, &st); + if (res < 0) { + xerrno = errno; + + pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path, + strerror(xerrno)); + + errno = xerrno; + return -1; + } + if (S_ISLNK(st.st_mode)) { + errno = EPERM; + return -1; + } + + /* To handle the case where a component further up the path might be a + * symlink (which lstat(2) will NOT handle), we walk the path backwards, + * calling ourselves recursively. + */ + + ptr = strrchr(path, '/'); + if (ptr != NULL) { + char *new_path; + size_t new_pathlen; + + pr_signals_handle(); + + new_pathlen = ptr - path; + + /* Make sure our pointer actually changed position. */ + if (new_pathlen == pathlen) { + return 0; + } + + new_path = pstrndup(p, path, new_pathlen); + + pr_log_debug(DEBUG10, + "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path, + new_path); + res = is_symlink_path(p, new_path, new_pathlen); + if (res < 0) { + return -1; + } + } + + return 0; +} + +/* Determine if the user (non-anon) needs a default root dir other than /. */ static int get_default_root(pool *p, int allow_symlinks, char **root) { config_rec *c = NULL; char *dir = NULL; @@ -733,7 +790,6 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) { if (allow_symlinks == FALSE) { char *path, target_path[PR_TUNABLE_PATH_MAX + 1]; - struct stat st; size_t pathlen; /* First, deal with any possible interpolation. dir_realpath() will 
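Review bot: is_symlink_path() checks each component by name with `pr_fsio_lstat()` and holds nothing open afterwards, so its answer is only valid at the moment of the call; whether anything stops a component from changing before the root is actually switched is not visible in this hunk. I would state that limit above the function, e.g. `/* Point-in-time check: directories above DefaultRoot must not be writable by the user being chrooted. */`. The `S_ISLNK` branch also returns without recording which component matched, so the only trace of the walk is the DEBUG10 line for components that passed. Adding `pr_log_debug(DEBUG10, "AllowChrootSymlink: path '%s' is a symlink", path);` before `errno = EPERM;` would let an operator see where the walk stopped.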
@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) { path[pathlen-1] = '\0'; } - pr_fs_clear_cache(); - res = pr_fsio_lstat(path, &st); + res = is_symlink_path(p, path, pathlen); if (res < 0) { - xerrno = errno; - - pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path, - strerror(xerrno)); - - errno = xerrno; - return -1; - } + if (errno == EPERM) { + pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink " + "(denied by AllowChrootSymlinks config)", path); + } - if (S_ISLNK(st.st_mode)) { - pr_log_pri(PR_LOG_WARNING, - "error: DefaultRoot %s is a symlink (denied by AllowChrootSymlinks " - "config)", path); errno = EPERM; return -1; } ++++++ proftpd-tls.template ++++++ --- /var/tmp/diff_new_pack.FlhgXE/_old 2017-04-12 18:19:04.801659679 +0200 +++ /var/tmp/diff_new_pack.FlhgXE/_new 2017-04-12 18:19:04.805659114 +0200 @@ -10,8 +10,9 @@ TLSEngine on TLSLog /var/log/proftpd/tls.log - # Support both SSLv3 and TLSv1 - TLSProtocol TLSv1 TLSv1.1 TLSv1.2 + # Support both SSLv3 and TLSv1, but they should not be used + # (known to be weak) + TLSProtocol TLSv1.1 TLSv1.2 # Are clients required to use FTP over TLS when talking to this server? TLSRequired off @@ -20,8 +21,11 @@ TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem - # CA (or CA chain) the server trusts - TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem + # CA (or CA chain) to verify client certs + #TLSCACertificateFile /etc/proftpd/ssl/proftpd.cacert.pem + + # CA (or CA chain) to verify certification path of server cert + TLSCertificateChainFile /etc/proftpd/ssl/proftpd.cacert.pem # Authenticate clients that want to use FTP over TLS? TLSVerifyClient off
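Review bot: The rewritten error branch ends with an unconditional `errno = EPERM;`, so an lstat failure inside is_symlink_path() (for example ENOENT) now reaches the caller of get_default_root() as EPERM, where the removed code passed the original value through via `xerrno`. Failing closed is correct, but the cause is lost; I would save it with `xerrno = errno;` at the top of the branch, test `xerrno == EPERM` for the log call, and finish with `errno = xerrno;`. Because EPERM doubles as the helper's "is a symlink" signal, an EPERM returned by `pr_fsio_lstat()` itself would be logged here as a symlink. The message also prints the full DefaultRoot even when a parent component was the one rejected. get_default_root() starts and ends outside this hunk.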
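Review bot: The comment added above `TLSProtocol` still opens with "Support both SSLv3 and TLSv1", which contradicts the directive now that it enables only TLSv1.1 and TLSv1.2. Something like `# Allow only TLSv1.1 and TLSv1.2; SSLv3 and TLSv1 are known to be weak` would match what the line does. TLSv1.1 has since been deprecated as well (RFC 8996), so a template maintained today would normally offer `TLSProtocol TLSv1.2` where the client base allows it.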
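Review bot: `TLSCertificateChainFile` reuses `/etc/proftpd/ssl/proftpd.cacert.pem`, the path the template previously assigned to `TLSCACertificateFile` for client verification, so one file name now stands for two different trust roles. An installation that already populated that file with client-verification CAs would, after adopting the new template, present them as the server's chain. Anyone later uncommenting `TLSCACertificateFile` would trust the server's issuing chain for client certificates. I would give the chain its own file name in the template, or extend the comment to say the file must hold only the intermediates for `proftpd.cert.pem`.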