
Bug 158122

Summary: net-ftp/proftpd: mod_ctrls Privilege Escalation (CVE-2006-6563)
Product: Gentoo Security
Reporter: Matt Drew (RETIRED) <aetius>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: chtekk
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.coresecurity.com/?module=ContentMod&action=item&id=1594
Whiteboard: C1 [glsa] aetius
Package list:
Runtime testing required: ---

Description Matt Drew (RETIRED) gentoo-dev 2006-12-14 04:33:36 UTC
http://secunia.com/advisories/23371/

Local privilege escalation to root.

mod_ctrls is disabled by default in upstream (according to the advisory), and is only exploitable by local users who have access to the controls via an ACL in the conf file.

Version 1.3.1rc1 is the fixed version; it should be available in their CVS.
Comment 1 Matt Drew (RETIRED) gentoo-dev 2006-12-14 04:57:11 UTC
fixing summary.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-14 08:06:43 UTC
/* (no) comment */
Comment 3 Luca Longinotti (RETIRED) gentoo-dev 2006-12-20 15:15:16 UTC
net-ftp/proftpd-1.3.1_rc1 is in the tree, fixing all the known vulns and bugs we had to patch before, and it seems to work very well, so do your magic, security team and archs! ;)
Best regards, CHTEKK.

PS: we pass --enable-ctrls by default, so I'm pretty sure we have mod_ctrls or at least the sending of controls enabled by default (bug was in src/ctrls.c).
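Added example, not code from this bug report or from the ProFTPD project: a small Python audit of a proftpd.conf fragment that reports whether mod_ctrls is switched on and which non-root users or groups are granted control access. It follows up on the description, which notes that the issue is reachable only by local users given access to the controls through an ACL in the config file, and on Comment 3, which notes that the Gentoo build passes --enable-ctrls by default, so the config is what decides exposure. The directive names ControlsEngine and ControlsACLs and their syntax are assumed from ProFTPD's mod_ctrls documentation and do not appear on this page; the configuration text is constructed.

```python
import re

# Constructed proftpd.conf fragment (not taken from the bug report).
SAMPLE_CONF = """
ServerName "Example FTP"
# mod_ctrls directives (assumed names/syntax, see lead-in)
ControlsEngine on
ControlsSocket /var/run/proftpd/proftpd.sock
ControlsACLs all allow user root
ControlsACLs restart,shutdown allow group ftpadmin   # trailing comment
ControlsACLs all deny user nobody
"""

SAMPLE_CONF_OFF = """
ControlsEngine off
ControlsACLs all allow group ftpadmin
"""


def parse_ctrls(conf):
    """Return (engine_on, acls) from a proftpd.conf string.

    acls is a list of dicts: actions (list), allow (bool), kind ('user'|'group'),
    names (list). Assumed directive form:
        ControlsACLs <actions|all> <allow|deny> <user|group> <comma-list>
    """
    engine_on = False  # assumed upstream default: controls disabled
    acls = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"\s+", line)
        key = parts[0].lower()
        if key == "controlsengine" and len(parts) >= 2:
            engine_on = parts[1].lower() == "on"
        elif key == "controlsacls" and len(parts) == 5:
            acls.append({
                "actions": parts[1].lower().split(","),
                "allow": parts[2].lower() == "allow",
                "kind": parts[3].lower(),
                "names": parts[4].split(","),
            })
    return engine_on, acls


def exposed_principals(conf):
    """Set of (kind, name) granted at least one control action.

    Empty when ControlsEngine is off. The root user is excluded because a
    local-root escalation gains it nothing; deny rules are ignored here since
    any explicit allow is what matters for exposure.
    """
    engine_on, acls = parse_ctrls(conf)
    if not engine_on:
        return set()
    exposed = set()
    for acl in acls:
        if not acl["allow"]:
            continue
        for name in acl["names"]:
            if acl["kind"] == "user" and name == "root":
                continue
            exposed.add((acl["kind"], name))
    return exposed


def report(conf):
    """Human-readable summary of the audit result."""
    engine_on, _ = parse_ctrls(conf)
    if not engine_on:
        return "mod_ctrls disabled: not exposed"
    exposed = exposed_principals(conf)
    if not exposed:
        return "mod_ctrls enabled, but only root holds control access"
    who = ", ".join(f"{kind} {name}" for kind, name in sorted(exposed))
    return f"mod_ctrls enabled; non-root control access granted to: {who}"


if __name__ == "__main__":
    print(report(SAMPLE_CONF))
    print(report(SAMPLE_CONF_OFF))
```

The check is deliberately conservative: any allow rule for a non-root principal counts as exposure while the engine is on, regardless of which actions it covers, which is the population the description says can reach the bug before the fixed version is installed.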
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-21 01:49:38 UTC
Hi arches team, please test and mark stable if appropriate: net-ftp/proftpd-1.3.1_rc1
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-21 03:18:53 UTC
ppc stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2006-12-21 06:49:50 UTC
ppc64 stable
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-12-21 06:56:50 UTC
sparc stable.
Comment 8 Andrej Kacian (RETIRED) gentoo-dev 2006-12-21 10:49:14 UTC
*poof*
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2006-12-23 02:55:40 UTC
Alpha stable.
Comment 10 René Nussbaumer (RETIRED) gentoo-dev 2006-12-24 14:31:54 UTC
Stable on hppa. Sorry for delay.
Comment 11 Matt Drew (RETIRED) gentoo-dev 2007-01-12 18:27:36 UTC
pinging amd64.
Comment 12 Steve Dibb (RETIRED) gentoo-dev 2007-01-23 10:18:40 UTC
amd64 stable
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 19:05:28 UTC
Late ! :(((

GLSA request filed.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-13 23:55:37 UTC
GLSA 200702-02, thanks to everybody.