
Bug 49496

Summary: net-ftp/proftpd privilege escalation
Product: Gentoo Security
Reporter: Florian Schilhabel (RETIRED) <ruth>
Component: GLSA Errors
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: blkdeath
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Florian Schilhabel (RETIRED) gentoo-dev 2004-04-30 07:12:31 UTC
The following is a copy from a bugtraq posting:

Package:             proftpd
Vulnerability:       privilege escalation
OpenPKG Specific:    no

Affected Packages:
<= proftpd-1.2.9-20040207
<= proftpd-1.2.9-2.0.0

Description:
  A portability workaround was applied in version 1.2.9 of the FTP
  server ProFTPD [1]. As a side-effect, CIDR based (aaa.bbb.ccc.ddd/NN)
  ACL entries in "Allow" and "Deny" directives act like an "AllowAll"
  directive and so FTP clients are granted access to files and
  directories although the server configuration might explicitly deny
  this [2].

I think it would be wise to apply the patch from http://bugs.proftpd.org/show_bug.cgi?id=2267, do a backport from version 1.2.10rc1 to the current stable version, or mark version 1.2.10rc1 as stable...
so long
rootshell


Reproducible: Always
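The ACL behaviour the posting describes, as an added Python model that is not ProFTPD's own code: it evaluates a `<Limit>` block's `Order`/`Allow from`/`Deny from` entries with CIDR support, and a `cidr_broken` flag reproduces only the reported symptom (a CIDR entry making the block behave like AllowAll) so an administrator can list which clients an affected build would wrongly admit. The `Order` semantics (allow,deny: Allow list first, then Deny, default deny; deny,allow: Deny list first, then Allow, default allow) are assumed from the directive's documentation, and all addresses are constructed samples.

```python
"""Model of ProFTPD-style <Limit> ACL evaluation with CIDR entries.

Added example, not ProFTPD's code. Order semantics are assumed as
described in the lead-in; `cidr_broken` models only the reported
defect (CIDR entries behaving like AllowAll), not its real cause.
"""
import ipaddress


def _matches(entry: str, client) -> bool:
    """True if an ACL entry ("all", a host, or aaa.bbb.ccc.ddd/NN) covers client."""
    if entry.lower() == "all":
        return True
    if "/" in entry:
        return client in ipaddress.ip_network(entry, strict=False)
    return client == ipaddress.ip_address(entry)


def evaluate(client_ip, order, allow, deny, cidr_broken=False):
    """Return True if client_ip is admitted by the given Limit block."""
    client = ipaddress.ip_address(client_ip)
    if cidr_broken and any("/" in e for e in allow + deny):
        # Reported defect: any CIDR-based entry acts like AllowAll.
        return True
    allow_hit = any(_matches(e, client) for e in allow)
    deny_hit = any(_matches(e, client) for e in deny)
    if order == "allow,deny":
        # Allow checked first; then Deny; unmatched clients are denied.
        if allow_hit:
            return True
        return False if deny_hit else False
    if order == "deny,allow":
        # Deny checked first; then Allow; unmatched clients are allowed.
        if deny_hit:
            return False
        return True if allow_hit else True
    raise ValueError(f"unknown Order: {order}")


def wrongly_admitted(clients, order, allow, deny):
    """Clients the block should reject but an affected build would admit."""
    return [ip for ip in clients
            if not evaluate(ip, order, allow, deny)
            and evaluate(ip, order, allow, deny, cidr_broken=True)]


if __name__ == "__main__":
    # Constructed sample: deny a whole /8 on an affected server.
    print(wrongly_admitted(["10.1.2.3", "192.0.2.7"],
                           "deny,allow", [], ["10.0.0.0/8"]))
```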
Comment 1 Brandon Hale (RETIRED) gentoo-dev 2004-04-30 09:57:45 UTC
Stewart, would you mind checking this one out? Apply the patch or bump to .10_rc1, your call. Otherwise security@ will do a bump.
Comment 2 Brandon Hale (RETIRED) gentoo-dev 2004-05-04 09:28:45 UTC
I bumped to 1.2.9-r2 with the patch, and removed affected versions.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-05-05 03:02:07 UTC
1.2.9 (affected) was: x86 sparc hppa ~alpha ppc ~mips
1.2.9-r2 (unaffected) currently is: ~x86 ~sparc hppa ~alpha ~ppc ~mips amd64

x86, sparc, ppc : please test and mark stable accordingly.
Comment 4 Jason Wever (RETIRED) gentoo-dev 2004-05-05 19:24:59 UTC
Stable on sparc.
Comment 5 Jon Portnoy (RETIRED) gentoo-dev 2004-05-05 19:37:44 UTC
Stable on x86
Comment 6 David Holm (RETIRED) gentoo-dev 2004-05-06 04:52:39 UTC
Stable on ppc
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-05-06 05:01:25 UTC
Thanks everyone. Ready for a GLSA draft.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 08:37:59 UTC
GLSA 200405-09