Debian Bug report logs - #384454
ftpd: Does not handle symlink? NFS? home directory


Package: ftpd; Maintainer for ftpd is Alberto Gonzalez Iniesta <agi@inittab.org>; Source for ftpd is src:linux-ftpd.

Reported by: Paul Szabo <psz@maths.usyd.edu.au>

Date: Thu, 24 Aug 2006 11:34:22 UTC

Severity: critical

Tags: patch, security, upstream

Found in version linux-ftpd/0.17-20

Fixed in versions linux-ftpd/0.17-22, linux-ftpd/0.17-20sarge2

Done: Alberto Gonzalez Iniesta <agi@inittab.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
New Bug report received and forwarded. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ftpd: Does not handle symlink? NFS? home directory
Date: Thu, 24 Aug 2006 21:18:33 +1000
Package: ftpd
Version: 0.17-20
Severity: normal


I have my home directory within an NFS-mounted directory, and logging
in I get (just "/" instead of my home dir):

psz@asti:~$ /usr/bin/ftp asti
Connected to asti.maths.usyd.edu.au.
220 asti.maths.usyd.edu.au FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.17) ready.
Name (asti:psz): psz
331 Password required for psz.
Password:
230- No directory! Logging in with home=/
230- Linux asti.maths.usyd.edu.au 2.6.8-spm1.5 #1 SMP Mon Jul 17 07:05:34 EST 2006 i686 GNU/Linux
230- 
230- The programs included with the Debian GNU/Linux system are free software;
230- the exact distribution terms for each program are described in the
230- individual files in /usr/share/doc/*/copyright.
230- 
230- Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
230- permitted by applicable law.
230 User psz logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is current directory.
ftp> cd /users/amstaff/psz 
250 CWD command successful.
ftp> pwd
257 "/pisa/users/amstaff/psz" is current directory.
ftp> quit
221 Goodbye.
psz@asti:~$ 

I do not get this nonsense when logging in to the machine containing
my home dir. Settings that may be relevant to ftpd are:

psz@asti:~$ grep psz /etc/passwd
psz:x:1001:1001:Paul Szabo:/users/amstaff/psz:/bin/bash
psz@asti:~$ ls -l /etc/ftp*
-rw-r--r--  1 root root 76 Apr 18  2002 /etc/ftpchroot
-rw-r--r--  1 root root 91 Apr 18  2002 /etc/ftpusers
psz@asti:~$ grep . /etc/ftp*
/etc/ftpchroot:# /etc/ftpchroot: list of users who needs to be chrooted. See ftpchroot(5).
/etc/ftpusers:# /etc/ftpusers: list of users disallowed ftp access. See ftpusers(5).
/etc/ftpusers:root
/etc/ftpusers:ftp
/etc/ftpusers:anonymous
psz@asti:~$ grep bash /etc/shells
/bin/bash
/bin/rbash
psz@asti:~$ 

and to my home dir (my own trace_path utility):

psz@asti:~$ trace_path ~
Tracing path /users/amstaff/psz
Dir  /  (users/amstaff/psz to go)
Dir  /users  (amstaff/psz to go)
Link /users/amstaff -> /pisa/users/amstaff  (psz to go)
Dir  /  (pisa/users/amstaff/psz to go)
Dir  /pisa  (users/amstaff/psz to go)
Dir  /pisa/users  (amstaff/psz to go)
Dir  /pisa/users/amstaff  (psz to go)
Dir  /pisa/users/amstaff/psz
Traversed 7 directories, 1 links
psz@asti:~$ mount | grep users
/dev/sda6 on /usr/users type ext3 (rw,usrquota)
pisa:/usr/users on /pisa/users type nfs (rw,bg,rsize=8192,wsize=8192,addr=129.78.69.136)
psz@asti:~$ 


Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm1.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ftpd depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l
ii  netbase                     4.21         Basic TCP/IP networking system

-- debconf information:
* ftpd/globattack:



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #10 received at 384454@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 384454@bugs.debian.org
Subject: Re: ftpd: Does not handle symlink? NFS? home directory
Date: Fri, 25 Aug 2006 08:52:03 +1000
A bit of testing indicates that the problem is not with the symlink
within the home directory path, but purely with it being hosted on
another machine via NFS: related to root_squash. The ftpd process,
while running as root before it sets UID/GID to the user logging in,
cannot access the home directory though should be able to stat() it:

root@asti:~# ls -l /users/amstaff/psz
ls: /users/amstaff/psz: Permission denied
root@asti:~# ls -ld /users/amstaff/psz
drwx------  46 psz amstaff 4096 Aug 25 07:50 /users/amstaff/psz

This guess verified with:

psz@asti:~$ chmod 755 ~     ### Now 'ftp asti' finds home directory OK
psz@asti:~$ chmod 700 ~     ### Back as it was, 'ftp asti' has problem

Seems that ftpd tries chdir() while still root, before setting UID:
surely it should set UID first, then chdir().

This seems a security risk. In the above scenario, I could arrange the
machine holding the home directory to return something that would
resolve to some normally inaccessible place like /root; and in fact
ftpd would then have that as my "current directory". (Annoying that
the final leaf cannot be a symlink; but if my home dir on asti was
/users/amstaff/psz/root then on pisa I could set /user/amstaff/psz to
be a symlink to /, so asti would resolve that as /root.) I do not know
what misdeeds I can do by having an otherwise inaccessible cwd.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #15 received at 384454@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 384454@bugs.debian.org
Subject: Re: ftpd: Does not handle symlink? NFS? home directory
Date: Fri, 25 Aug 2006 11:09:38 +1000
See also
http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/049014.html

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #20 received at 384454@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 384454@bugs.debian.org
Subject: Re: ftpd: Does not handle symlink? NFS? home directory
Date: Fri, 25 Aug 2006 13:54:17 +1000
I suggest the patch below. Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

--- linux-ftpd-0.17/ftpd/popen.c.bak	1999-07-16 11:12:54.000000000 +1000
+++ linux-ftpd-0.17/ftpd/popen.c	2006-08-25 13:31:33.950447078 +1000
@@ -169,8 +169,13 @@
 		 * XXX: this doesn't seem right... and shouldn't
 		 * we initgroups, or at least setgroups(0,0)?
 		 */
-		setgid(getegid());
-		setuid(i);
+
+/*
+ * PSz 25 Aug 06  Must check the return status of these setgid/setuid calls,
+ * see  http://www.bress.net/blog/archives/34-setuid-madness.html
+ */
+		if ( setgid(geteuid())	!= 0 ) _exit(1);
+		if ( setuid(i)		!= 0 ) _exit(1);
  
 #ifndef __linux__
 /* 
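Review bot: the first added `if` passes the wrong ID to setgid(): `if ( setgid(geteuid())	!= 0 ) _exit(1);` replaces `setgid(getegid());`, so the child's group is now set from the effective user ID instead of the effective group ID; with the parent still effectively root at this point that leaves the spawned command with GID 0, which is the "EGID 'root'" problem the 0.17-20sarge3 follow-up later in this thread has to correct. Suggested: `if ( setgid(getegid())	!= 0 ) _exit(1);`. Checking the return values is the right change otherwise; the `XXX` comment about initgroups/setgroups(0,0) still applies, since the child keeps whatever supplementary groups it inherited.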
--- linux-ftpd-0.17/ftpd/ftpd.c.bak	2006-08-25 12:53:25.277537000 +1000
+++ linux-ftpd-0.17/ftpd/ftpd.c	2006-08-25 13:46:28.798975583 +1000
@@ -1159,6 +1159,13 @@
 		}
 		strcpy(pw->pw_dir, "/");
 		setenv("HOME", "/", 1);
+	}
+	/* PSz 25 Aug 06  chdir for real users done after setting UID */
+	if (seteuid((uid_t)pw->pw_uid) < 0) {
+		reply(550, "Can't set uid.");
+		goto bad;
+	}
+	if (guest || dochroot) { /* do nothing, handled above */
 	} else if (chdir(pw->pw_dir) < 0) {
 		if (chdir("/") < 0) {
 			reply(530, "User %s: can't change directory to %s.",
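Review bot: `seteuid((uid_t)pw->pw_uid)` rather than `setuid()` before `chdir(pw->pw_dir)` changes only the effective UID, so the saved set-user-ID stays 0 and the server can (and elsewhere in this patch does) switch back with seteuid(); that is enough for chdir() to be evaluated with the user's permissions, which is the point of the fix, but it is not a privilege drop, so any later path lookups made while root is restored remain exposed to the same symlink trick. The `if (guest || dochroot) { /* do nothing, handled above */ }` branch should say explicitly that chrooted and anonymous users already had their directory set up in the block above, which necessarily ran as root; otherwise the next reader has to work out whether those users are still affected.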
@@ -1167,10 +1174,7 @@
 		} else
 			lreply(230, "No directory! Logging in with home=/");
 	}
-	if (seteuid((uid_t)pw->pw_uid) < 0) {
-		reply(550, "Can't set uid.");
-		goto bad;
-	}
+
 	sigfillset(&allsigs);
 	sigprocmask(SIG_UNBLOCK,&allsigs,NULL);
 
@@ -1408,7 +1412,8 @@
 			goto bad;
 		sleep(tries);
 	}
-	(void) seteuid((uid_t)pw->pw_uid);
+/* PSz 25 Aug 06  Check return status */
+	if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
 	sigfillset(&allsigs);
 	sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
 
@@ -1440,7 +1445,8 @@
 bad:
 	/* Return the real value of errno (close may change it) */
 	t = errno;
-	(void) seteuid((uid_t)pw->pw_uid);
+/* PSz 25 Aug 06  Check return status */
+	if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
 	sigfillset (&allsigs);
 	sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
 	(void) close(s);
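Review bot: in the `bad:` path, `if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);` ends the session with no reply and no log line, while the first ftpd.c hunk handles the same failure with `reply(550, "Can't set uid."); goto bad;`. Exiting is the right choice here (continuing with euid 0 is exactly what this report is about, and `goto bad` from inside `bad:` would loop), but a syslog() call before `_exit(1)` would let the administrator see a failed privilege switch instead of an unexplained dropped connection; the same applies to the identical line in the @@ -1408 hunk.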



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #25 received at 384454@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 384454@bugs.debian.org
Subject: Re: ftpd: Does not handle symlink? NFS? home directory
Date: Fri, 25 Aug 2006 20:31:09 +1000
I wrote earlier:

> ... the final leaf cannot be a symlink ...
> ... do not know what misdeeds I can do ...

Too little coffee?

Yes, the final leaf can be a symlink. This is exploitable when a user
can control the resolution of his home directory: when he also owns
the directory above (or for NFS mounts owns the machine serving it).

Can access objects that were protected with permissions of directories
above. Many users are in the habit of having world-accessible
subdirectories and files, because their home dir has safe mode 700.
I see many /root/bin directories with mode 755, protected by /root
being mode 700. Much more fun if /root/bin was mode 777...

Please fix. Please issue DSA.

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Tags added: security, patch, upstream Request was from Paul Szabo <psz@maths.usyd.edu.au> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `critical' from `normal' Request was from Paul Szabo <psz@maths.usyd.edu.au> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #34 received at 384454-close@bugs.debian.org (full text, mbox):

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 384454-close@bugs.debian.org
Subject: Bug#384454: fixed in linux-ftpd 0.17-22
Date: Fri, 15 Sep 2006 04:32:06 -0700
Source: linux-ftpd
Source-Version: 0.17-22

We believe that the bug you reported is fixed in the latest version of
linux-ftpd, which is due to be installed in the Debian FTP archive:

ftpd_0.17-22_i386.deb
  to pool/main/l/linux-ftpd/ftpd_0.17-22_i386.deb
linux-ftpd_0.17-22.diff.gz
  to pool/main/l/linux-ftpd/linux-ftpd_0.17-22.diff.gz
linux-ftpd_0.17-22.dsc
  to pool/main/l/linux-ftpd/linux-ftpd_0.17-22.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 384454@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated linux-ftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Fri, 15 Sep 2006 13:14:25 +0200
Source: linux-ftpd
Binary: ftpd
Architecture: source i386
Version: 0.17-22
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 ftpd       - FTP server
Closes: 384454
Changes: 
 linux-ftpd (0.17-22) unstable; urgency=high
 .
   * Fixing two security bugs:
     - Fixed ftpd from doing chdir while running as root.
       (Closes: #384454) Thanks a lot to Paul Szabo for finding out
       and the patch.
     - Check the return value from setuid calls to avoid running
       code as root. Thanks Paul Szabo for the patch.
Files: 
 d5e14064236d58ca0ed09912c9b7d628 598 net extra linux-ftpd_0.17-22.dsc
 00e259a59deb1f818abeb09e4aaef1c5 16423 net extra linux-ftpd_0.17-22.diff.gz
 fd3d3c41e7fedce9899dfe73f4a5f032 44072 net extra ftpd_0.17-22_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to "Stefan Cornelius" <stefan.cornelius@gmail.com>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #39 received at 384454@bugs.debian.org (full text, mbox):

From: "Stefan Cornelius" <stefan.cornelius@gmail.com>
To: 384454@bugs.debian.org
Subject: Broken patch?
Date: Wed, 22 Nov 2006 09:11:57 +0100
Hey, please check this here:

http://bugs.gentoo.org/show_bug.cgi?id=155317

I had a quick look this morning, and it seems like you included a broken
patch?

Cheers,

Stefan

Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Paul Szabo <psz@maths.usyd.edu.au>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #44 received at 384454-close@bugs.debian.org (full text, mbox):

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 384454-close@bugs.debian.org
Subject: Bug#384454: fixed in linux-ftpd 0.17-20sarge2
Date: Sat, 17 Feb 2007 12:10:15 +0000
Source: linux-ftpd
Source-Version: 0.17-20sarge2

We believe that the bug you reported is fixed in the latest version of
linux-ftpd, which is due to be installed in the Debian FTP archive:

ftpd_0.17-20sarge2_i386.deb
  to pool/main/l/linux-ftpd/ftpd_0.17-20sarge2_i386.deb
linux-ftpd_0.17-20sarge2.diff.gz
  to pool/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.diff.gz
linux-ftpd_0.17-20sarge2.dsc
  to pool/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 384454@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated linux-ftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Mon, 25 Sep 2006 12:04:40 +0200
Source: linux-ftpd
Binary: ftpd
Architecture: source i386
Version: 0.17-20sarge2
Distribution: stable-security
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 ftpd       - FTP server
Closes: 384454
Changes: 
 linux-ftpd (0.17-20sarge2) stable-security; urgency=high
 .
   * Sarge security release.
   * Fixed ftpd from doing chdir while running as root.
     (Closes: #384454) Thanks a lot to Paul Szabo for finding out
     and the patch. (CVE-2006-5778)
Files: 
 371222af9e3f445d8b1a0622f3a70382 610 net extra linux-ftpd_0.17-20sarge2.dsc
 f5f491564812db5d8783daa538c49186 46763 net extra linux-ftpd_0.17.orig.tar.gz
 3848d3d15b78aa4dd17b0e09c64b15a8 16034 net extra linux-ftpd_0.17-20sarge2.diff.gz
 10ce0c8367e83b1ce1419b244753dcc0 43310 net extra ftpd_0.17-20sarge2_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #49 received at 384454@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: 384454@bugs.debian.org
Subject: Re: Bug#384454 closed by Alberto Gonzalez Iniesta <agi@inittab.org> (Bug#384454: fixed in linux-ftpd 0.17-20sarge2)
Date: Sun, 18 Feb 2007 07:24:16 +1100
Dear Maintainer,

Yes, the bug in the patch was mine: meant to check the return status of
setgid(getegid()) but somehow managed to mis-type that into
setgid(geteuid()). Stupid mistake. Shame on me.

Now, linux-ftpd_0.17-20sarge2.diff.gz was dated September 2006 as per
your latest "closure" message
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384454;msg=44
(or maybe 20 Nov 2006 as per
http://www.debian.org/security/2006/dsa-1217
or 13 Nov 2006 as the date on current
http://security.debian.org/pool/updates/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.diff.gz
) and contains the "wrong" patch.

So this seems fixed in etch 0.17-23 since 25 Nov 2006, but not yet in
sarge (==stable) 0.17-20sarge2. Please fix for sarge also.

Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #54 received at 384454@bugs.debian.org (full text, mbox):

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: Paul Szabo <psz@maths.usyd.edu.au>, 384454@bugs.debian.org
Subject: Re: Bug#384454: closed by Alberto Gonzalez Iniesta <agi@inittab.org> (Bug#384454: fixed in linux-ftpd 0.17-20sarge2)
Date: Sat, 17 Feb 2007 22:49:33 +0100
On Sun, Feb 18, 2007 at 07:24:16AM +1100, Paul Szabo wrote:
> Dear Maintainer,
> 
> Yes, the bug in the patch was mine: meant to check the return status of
> setgid(getegid()) but somehow managed to mis-type that into
> setgid(geteuid()). Stupid mistake. Shame on me.
> 
> Now, linux-ftpd_0.17-20sarge2.diff.gz was dated September 2006 as per
> your latest "closure" message
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384454;msg=44
> (or maybe 20 Nov 2006 as per
> http://www.debian.org/security/2006/dsa-1217
> or 13 Nov 2006 as the date on current
> http://security.debian.org/pool/updates/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.diff.gz
> ) and contains the "wrong" patch.
> 
> So this seems fixed in etch 0.17-23 since 25 Nov 2006, but not yet in
> sarge (==stable) 0.17-20sarge2. Please fix for sarge also.

I sent the fix to the security team, but they decided to ignore it.
I wasn't in the mood to fight with them... Feel free to contact them at
team@security.debian.org. You can Cc me if you want.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #59 received at 384454@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: team@security.debian.org
Cc: 384454@bugs.debian.org, agi@inittab.org
Subject: ftpd (was Bug#384454)
Date: Sun, 18 Feb 2007 21:34:49 +1100
Dear Security team,

A stupid little bug crept into (was left in) #384454 and DSA-1217.
My fault originally: I humbly apologize. Please correct it for sarge.

Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #64 received at 384454@bugs.debian.org (full text, mbox):

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: team@security.debian.org, 384454@bugs.debian.org
Subject: Re: ftpd (was Bug#384454)
Date: Sun, 18 Feb 2007 11:56:22 +0100
On Sun, Feb 18, 2007 at 09:34:49PM +1100, Paul Szabo wrote:
> Dear Security team,
> 
> A stupid little bug crept into (was left in) #384454 and DSA-1217.
> My fault originally: I humbly apologize. Please correct it for sarge.
> 

Hi all,

I already asked this, but it wasn't considered important by the sec team.
I'm attaching my previous mail.

Alberto

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
[Message part 2 (message/rfc822, inline)]
From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: team@security.debian.org
Subject: Re: linux-ftpd update
Date: Sat, 25 Nov 2006 19:49:21 +0100
On Wed, Nov 22, 2006 at 12:05:34PM +0100, Moritz Muehlenhoff wrote:
> Alberto Gonzalez Iniesta wrote:
> > I just noticed that the package was updated two days ago. I hope I can
> > have a new one today. Or would it be faster if the Sec. Team just applies
> > the changed mention in my mail?
> >
> > Sorry for this.
> 
> If you can upload a fixed package today, go ahead. I don't think this will ever
> be triggered in practice, though. The intersection of people running 2.6
> kernels with nproc resource limits in their PAM config and people running
> legacy netkit ftpds is most definitely empty.


Hi Moritz, the problem with the previous bug was that 2.6 kernels DO
set process limits, whether we want them or not. And the ftpd
package installs a pamd.d configuration file with this line:
session     required        pam_limits.so

So I guess the problem was indeed there and possible to exploit.

Anyway, the patch we (and Gentoo) used introduced a new, easier to
exploit, bug. The ftpd server is running commands with EGID 'root'
instead of the user's one.

And as you know, this is not kernel or local configuration dependent.

I've just uploaded a fixed version to Sid. 

Please find attached the diff file for linux-ftpd_0.17-20sarge3. With
the following differences from linux-ftpd_0.17-20sarge2:

---- CUT ------ CUT ------
diff -u linux-ftpd-0.17/ftpd/popen.c linux-ftpd-0.17/ftpd/popen.c
--- linux-ftpd-0.17/ftpd/popen.c
+++ linux-ftpd-0.17/ftpd/popen.c
@@ -174,7 +174,7 @@
  * PSz 25 Aug 06  Must check the return status of these setgid/setuid calls,
  * see  http://www.bress.net/blog/archives/34-setuid-madness.html
  */
-               if ( setgid(geteuid())  != 0 ) _exit(1);
+               if ( setgid(getegid())  != 0 ) _exit(1);
                if ( setuid(i)          != 0 ) _exit(1);
 #ifndef __linux__
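Review bot: `setgid(getegid())` restores the group the removed original line used and is the whole of the needed fix, but a one-token slip in this spot shipped through a security upload, so the two calls deserve a post-condition: after `setuid(i)`, verify that `geteuid()` is `i` and `getegid()` is the group that was intended, and `_exit(1)` if not, so a wrong argument fails closed instead of running the command with GID 0. The `XXX` note about initgroups/setgroups in the surrounding comment is also still open.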
--- linux-ftpd-0.17/debian/changelog
+++ linux-ftpd-0.17/debian/changelog
@@ -1,3 +1,13 @@
+linux-ftpd (0.17-20sarge3) stable-security; urgency=high
+
+  * Sarge security release.
+  * Corrected typo in patch used in previous upload that
+    made the server run some commands with EGID 'root'.
+    Thanks to Matt Power (for finding out) and
+    Stefan Cornelius from Gentoo (for warning me).
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sat, 25 Nov 2006 19:38:59 +0100
+
---- CUT ------ CUT ------

Regards,

Alberto


-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
agi@(inittab.org|debian.org)| en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
[linux-ftpd_0.17-20sarge3.diff.gz (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]
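As an added illustration, not ftpd's code and not from any message in this thread, of the pattern the thread converges on across Paul's chdir-as-root report and Alberto's EGID-root correction: set the group while still privileged, check every return value, verify the resulting IDs, and only then chdir() into the home directory. drop_privileges() and enter_home() are names chosen for this example; it assumes Linux with glibc.

```c
/* Added example (not linux-ftpd code): a fail-closed privilege drop followed
 * by the home-directory chdir, in the order this bug report arrives at.
 * Assumes Linux/glibc; the function names are chosen for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently switch to uid/gid and verify that it happened.
 * Order matters: supplementary groups and the primary group must be changed
 * while the process still has root, because setuid() to a non-root user
 * removes the privilege that setgroups()/setgid() need afterwards.
 * Every call is checked (the unchecked setgid()/setuid() in popen.c were the
 * second bug in this report), and the IDs are verified afterwards: the
 * setgid(geteuid()) typo would fail here, with egid still 0.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may clear the supplementary group list. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)          /* primary group first, while still root */
        return -1;
    if (setuid(uid) != 0)          /* then the user: real, effective and saved */
        return -1;

    /* Post-conditions: what we asked for is what we got. */
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    /* A real drop from root cannot be undone; if it can, refuse to continue. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/*
 * Enter the user's home directory. The original bug was doing this while
 * still root, so the path was resolved with root's permissions (and NFS
 * root_squash made it fail). After the drop, the user's own permissions
 * decide what "home" resolves to, exactly as for a login shell.
 * Returns 0 on success, 1 if we fell back to "/" (ftpd's "No directory!"
 * case), -1 on error or if called with root privileges still held.
 */
int enter_home(const char *home)
{
    if (geteuid() == 0) {          /* refuse to repeat the original mistake */
        errno = EPERM;
        return -1;
    }
    if (chdir(home) == 0)
        return 0;
    if (chdir("/") == 0)
        return 1;
    return -1;
}

int main(void)
{
    /* Run unprivileged, "dropping" to our own IDs is a no-op that still
     * exercises every check; as root, pass a real target uid/gid instead. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    const char *home = getenv("HOME");
    int rc = enter_home(home ? home : "/");
    if (rc < 0)
        perror("enter_home");
    else
        printf("enter_home -> %d (%s)\n", rc, rc ? "fell back to /" : "in home");
    return rc < 0;
}
```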

Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #69 received at 384454@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: team@security.debian.org
Cc: 384454@bugs.debian.org, agi@inittab.org
Subject: ftpd (was Bug#384454)
Date: Wed, 21 Feb 2007 10:37:12 +1100
Dear Security team,

> A stupid little bug crept into (was left in) #384454 and DSA-1217.
> My fault originally: I humbly apologize. Please correct it for sarge.

Please see also:

  http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052578.html

(and bugtraq if/when they accept).

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#384454; Package ftpd. Full text and rfc822 format available.

Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. Full text and rfc822 format available.

Message #74 received at 384454@bugs.debian.org (full text, mbox):

From: Paul Szabo <psz@maths.usyd.edu.au>
To: team@security.debian.org
Cc: 384454@bugs.debian.org
Subject: ftpd (was Bug#384454)
Date: Thu, 22 Feb 2007 08:11:46 +1100
Dear Security team,

I wrote:

> A stupid little bug crept into (was left in) #384454 and DSA-1217.
> My fault originally: I humbly apologize. Please correct it for sarge.
> Please see also:
>   http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052578.html
> (and bugtraq if/when they accept).

Bugtraq accepted also:

  http://www.securityfocus.com/archive/1/460742

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 22:22:11 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 20:11:01 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.