From the Frox mailing list:

-----------snip-------------
Version 0.7.18 of frox has just been released. The most important update it contains is for a bug in 0.7.16 and 0.7.17 that prevents Deny ACLs from being parsed properly. If you are using either of these versions and use Deny ACLs to prevent access from/to certain servers then you should upgrade.

The main impact of this bug is that frox can be used to contact hosts that the administrator intended to block. If frox is listening on a publicly accessible interface frox may also be used to proxy ftp requests for unauthorised sites. The security of the machine running frox is not compromised.

Other changes include some improvements to logging, an extra http proxy option, and optional support for proftpd style altering of argv[] - see the changelog at http://www.hollo.org/frox/ChangeLog

James
----------snap---------------------

Reproducible: Always

Steps to Reproduce:
Created attachment 50568: frox-0.7.18.ebuild

New release and Security Fix.
frox-0.7.18 committed.

Test plan:

emerge frox-0.7.18
cp /etc/frox.conf.example /etc/frox.conf

Change the following line in /etc/frox.conf:

DoNTP yes

Using ncftp, set it up to use a firewall:

grep ^[^#] /home/dan/.ncftp/firewall
firewall-type=1
firewall-host=127.0.0.1
firewall-port=2121
firewall-exception-list=.local,localhost,localdomain
passive=on

Use ncftp to connect to your favourite ftp site.
NOTE POTENTIAL BUG WITH VIRUS SCANNING: enabling the virusscanner line in the sample config file (emerged with clamav):

grep ^[^#] /etc/frox.conf
Listen 127.0.0.1
Port 2121
ResolvLoadHack wontresolve.doesntexist.abc
User ftpproxy
User ftpproxy
Group ftpproxy
WorkingDir /var/spool/frox
LogLevel 20
LogFile /var/log/frox/frox-log
PidFile /var/run/frox/frox.pid
BounceDefend yes
VirusScanner '"/usr/bin/clamscan" "%s"'
VSOK 0
DoNTP yes
MaxForks 10
MaxForksPerHost 4
ACL Allow * - *

Running the proxy with an ftp fetch as above always generates a virus found message when really it is a file not found. The following is the strace:

strace -fe trace=process frox -f /etc/frox.conf
execve("/usr/sbin/frox", ["frox", "-f", "/etc/frox.conf"], [/* 56 vars */]) = 0
clone(Process 19625 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7fc57c8) = 19625
[pid 19624] exit_group(0) = ?
clone(Process 19626 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7fc57c8) = 19626
[pid 19626] clone(Process 19627 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7fc57c8) = 19627
[pid 19626] wait4(-1, Process 19626 suspended
 <unfinished ...>
[pid 19627] execve("/usr/bin/clamscan", ["/usr/bin/clamscan", "//tmp/VS_19626"], [/* 56 vars */]) = -1 ENOENT (No such file or directory)
[pid 19627] exit_group(-1) = ?
Process 19626 resumed
Process 19627 detached
[pid 19626] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 255}], 0, NULL) = 19627
[pid 19626] --- SIGCHLD (Child exited) @ 0 (0) --

Should be passing /var/spool/frox/tmp/VS_19626 to the virus scanner IMHO. This has been reported to the author.
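The strace in the comment above shows the scanner child's execve() returning ENOENT: the clamscan binary was never started (execve fails with ENOENT when the program itself is not visible from the process's root, which is what a chroot produces), so the 255 the parent reaps is the exit status of a failed exec, not a scan result. Comparing that status against VSOK 0 is what turns a missing file into a "virus found" report. The script below is an added example, not from the bug report or the frox project: it parses strace -f output, pairs each execve() of the configured scanner with the wait4() status its parent later reaps, and refuses to call a run "infected" when the scanner never executed. The first sample is copied from the strace in the report; the second is constructed; the function names are my own.

```python
import re

# Sample 1: the scanner-related lines copied from the strace in the bug report.
STRACE_FROM_REPORT = """\
execve("/usr/sbin/frox", ["frox", "-f", "/etc/frox.conf"], [/* 56 vars */]) = 0
[pid 19627] execve("/usr/bin/clamscan", ["/usr/bin/clamscan", "//tmp/VS_19626"], [/* 56 vars */]) = -1 ENOENT (No such file or directory)
[pid 19627] exit_group(-1) = ?
[pid 19626] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 255}], 0, NULL) = 19627
"""

# Sample 2: constructed lines for a scanner that did run and exited 1
# (clamscan's documented "virus(es) found" exit status).
STRACE_CONSTRUCTED = """\
[pid 31337] execve("/usr/bin/clamscan", ["/usr/bin/clamscan", "/var/spool/frox/tmp/VS_31336"], [/* 3 vars */]) = 0
[pid 31336] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 31337
"""

# execve line: optional "[pid N]" prefix, path, argv list, envp list, return value,
# and an optional errno name when the call failed.
EXECVE_RE = re.compile(
    r'^(?:\[pid\s+(\d+)\]\s+)?execve\("([^"]+)",\s*\[([^\]]*)\],\s*\[[^\]]*\]\)'
    r'\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?')

# wait4 line as strace prints it: the decoded WEXITSTATUS and the reaped pid.
WAIT_RE = re.compile(
    r'WEXITSTATUS\(s\)\s*==\s*(\d+)\}\],\s*\d+,\s*NULL\)\s*=\s*(\d+)\s*$')


def parse_scanner_runs(strace_text, scanner_path):
    """Collect every execve() of scanner_path together with the exit status
    the parent later reaps for that child pid. exec_ok is False when the
    execve() itself failed, i.e. the scanner never started."""
    runs = {}
    for line in strace_text.splitlines():
        m = EXECVE_RE.match(line)
        if m:
            pid, path, argv_str, ret, errno_name = m.groups()
            if path == scanner_path:
                runs[pid] = {
                    "pid": pid,
                    "argv": re.findall(r'"([^"]*)"', argv_str),
                    "exec_ok": ret != "-1",
                    "errno": errno_name,
                    "exit_status": None,
                }
            continue
        m = WAIT_RE.search(line)
        if m and m.group(2) in runs:
            runs[m.group(2)]["exit_status"] = int(m.group(1))
    return list(runs.values())


def scan_verdict(run, vsok=0):
    """Apply the VSOK rule (exit status == VSOK means clean), but report a
    failed exec separately instead of treating its status as a scan result."""
    if not run["exec_ok"]:
        return "scanner-not-run"
    if run["exit_status"] is None:
        return "no-exit-status"
    return "clean" if run["exit_status"] == vsok else "infected"


if __name__ == "__main__":
    for text in (STRACE_FROM_REPORT, STRACE_CONSTRUCTED):
        for run in parse_scanner_runs(text, "/usr/bin/clamscan"):
            print(run["pid"], run["argv"][1:], run["errno"],
                  run["exit_status"], scan_verdict(run))
```

Run against the report's lines the verdict is "scanner-not-run" (execve failed with ENOENT, status 255 is just -1 masked to a byte), while the constructed run yields "infected"; the argv captured for the report's run also records the "//tmp/VS_19626" path the comment above questions, so the same parse can be used to check what path the proxy hands the scanner.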
amd64 please test and mark stable.
amd64 stable
Security this one is ready for GLSA, please cast your vote.
i vote no glsa
OK for no GLSA, closing.