Debian Bug report logs - #697524
proftpd-basic: CVE-2012-6095: Possible symlink race when applying UserOwner

version graph

Package: proftpd-basic; Maintainer for proftpd-basic is ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>; Source for proftpd-basic is src:proftpd-dfsg.

Reported by: Jann Horn <jannhorn@googlemail.com>

Date: Sun, 6 Jan 2013 15:21:01 UTC

Severity: normal

Tags: security

Found in version proftpd-dfsg/1.3.4a-2

Fixed in version proftpd-dfsg/1.3.4a-3

Done: "Francesco P. Lovergine" <frankie@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, jannhorn@googlemail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#697524; Package proftpd-basic. (Sun, 06 Jan 2013 15:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jann Horn <jannhorn@googlemail.com>:
New Bug report received and forwarded. Copy sent to jannhorn@googlemail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>. (Sun, 06 Jan 2013 15:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jann Horn <jannhorn@googlemail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: proftpd-basic: Apply upstream bugfix for upstream bug #3841 – Possible symlink race when applying UserOwner
Date: Sun, 06 Jan 2013 16:19:13 +0100
Package: proftpd-basic
Version: 1.3.4a-2+b1
Severity: normal
Tags: security

There's a symlink race that could lead to root access in some configurations. See here:
http://bugs.proftpd.org/show_bug.cgi?id=3841

There's an upstream bugfix, so that should probably be backported.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages proftpd-basic depends on:
ii  adduser         3.113+nmu3
ii  debconf         1.5.49
ii  debianutils     4.3.2
ii  libacl1         2.2.51-8
ii  libc6           2.13-37
ii  libcap2         1:2.22-1.2
ii  libncurses5     5.9-10
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1
ii  libpcre3        1:8.30-5
ii  libssl1.0.0     1.0.1c-4
ii  libtinfo5       5.9-10
ii  libwrap0        7.6.q-24
ii  netbase         5.0
ii  sed             4.2.1-10
ii  ucf             3.0025+nmu3
ii  update-inetd    4.43
ii  zlib1g          1:1.2.7.dfsg-13

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
ii  openbsd-inetd [inet-superserver]  0.20091229-2
ii  openssl                           1.0.1c-4
pn  proftpd-doc                       <none>
pn  proftpd-mod-ldap                  <none>
pn  proftpd-mod-mysql                 <none>
pn  proftpd-mod-odbc                  <none>
pn  proftpd-mod-pgsql                 <none>
pn  proftpd-mod-sqlite                <none>

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#697524; Package proftpd-basic. (Mon, 07 Jan 2013 21:36:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>. (Mon, 07 Jan 2013 21:36:09 GMT) Full text and rfc822 format available.

Message #10 received at 697524@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jann Horn <jannhorn@googlemail.com>, 697524@bugs.debian.org
Subject: Re: Bug#697524: proftpd-basic: Apply upstream bugfix for upstream bug #3841 – Possible symlink race when applying UserOwner
Date: Mon, 7 Jan 2013 22:35:26 +0100
[Message part 1 (text/plain, inline)]
Control: retitle -1 proftpd-basic: CVE-2012-6095: Possible symlink race when applying UserOwner

Hi

On Sun, Jan 06, 2013 at 04:19:13PM +0100, Jann Horn wrote:
> Package: proftpd-basic
> Version: 1.3.4a-2+b1
> Severity: normal
> Tags: security
> 
> There's a symlink race that could lead to root access in some configurations. See here:
> http://bugs.proftpd.org/show_bug.cgi?id=3841
> 
> There's an upstream bugfix, so that should probably be backported.

A CVE was assigned to this issue: CVE-2012-6095. Please include this
CVE in changelog when fixing this issue.

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Changed Bug title to 'proftpd-basic: CVE-2012-6095: Possible symlink race when applying UserOwner' from 'proftpd-basic: Apply upstream bugfix for upstream bug #3841 – Possible symlink race when applying UserOwner' Request was from Salvatore Bonaccorso <carnil@debian.org> to 697524-submit@bugs.debian.org. (Mon, 07 Jan 2013 21:36:09 GMT) Full text and rfc822 format available.

Reply sent to "Francesco P. Lovergine" <frankie@debian.org>:
You have taken responsibility. (Tue, 08 Jan 2013 14:48:12 GMT) Full text and rfc822 format available.

Notification sent to Jann Horn <jannhorn@googlemail.com>:
Bug acknowledged by developer. (Tue, 08 Jan 2013 14:48:12 GMT) Full text and rfc822 format available.

Message #17 received at 697524-done@bugs.debian.org (full text, mbox):

From: "Francesco P. Lovergine" <frankie@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 697524-done@bugs.debian.org
Cc: Jann Horn <jannhorn@googlemail.com>
Subject: Re: Bug#697524: proftpd-basic: Apply upstream bugfix for upstream bug #3841 – Possible symlink race when applying UserOwner
Date: Tue, 8 Jan 2013 15:19:23 +0100
Package: proftpd-basic
Version: 1.3.4a-3

Fixed in unstable. Backported to 1.3.3 and stable (via DSA).

-- 
Francesco P. Lovergine



No longer marked as fixed in versions proftpd-basic/1.3.4a-3. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Thu, 31 Oct 2013 20:07:50 GMT) Full text and rfc822 format available.

Marked as fixed in versions proftpd-dfsg/1.3.4a-3. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Thu, 31 Oct 2013 20:07:51 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 Nov 2013 07:30:58 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 06:26:18 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.