| Summary: | <net-ftp/proftpd-1.3.5a: Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy (CVE-2015-3306) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | bernd, net-ftp, proxy-maint, slyfox, voyageur |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [noglsa/cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 550644 | | |
| Bug Blocks: | | | |

Description
Hanno Böck
This took hours. For starters

diff --git a/RELEASE_NOTES b/RELEASE_NOTES
index 526ee3a..879dee2 100644
--- a/RELEASE_NOTES
+++ b/RELEASE_NOTES

is not necessary in a patch for gentoo. Files mod_copy.c & doc/contrib/mod_copy.html it seems have been patched by other commits since the release of proftpd-1.3.5, added to portage (16 May 2014). Attempting backporting, they had to be completely re-based. The file tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm took as it came with the patch. Since they were made in different styles, the final sec patch comes in 2 patches.

~/cvsPortage/gentoo-x86/net-ftp/proftpd $ USE="ssl openssl" ebuild proftpd-1.3.5-r2.ebuild compile

yielded

>>> Source compiled.

*proftpd-1.3.5-r2 (27 May 2015)

27 May 2015; Ian Delaney <idella4@gentoo.org> +files/CVE-2015-3306-test.patch, +files/CVE-2015-3306.patch, +proftpd-1.3.5-r2.ebuild:
revbump; security patch (split into 2) wrt bug #546644, address qa issues by repoman for deps requiring slot operator

This would now require fast track stabilising.

Arches: ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86

> ~/cvsPortage/gentoo-x86/net-ftp/proftpd $ USE="ssl openssl" ebuild proftpd-1.3.5-r2.ebuild compile
>
> yielded
>
> >>> Source compiled.

You need USE=copy as well: bug #550644

Upstream released a new version with a fix.

> - Bug 4169 - Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy.

Pushed as:

>*proftpd-1.3.5a (30 May 2015)
>
> 30 May 2015; Sergei Trofimovich <slyfox@gentoo.org> +proftpd-1.3.5a.ebuild:
> Version bump: fixes security bug #546644 aka CVE-2015-3306: Unauthenticated
> copying of files via SITE CPFR/CPTO in mod_copy (USE=copy).

Please stabilize for: alpha amd64 arm hppa ia64 pc64 ppc sparc x86

Thanks!

Arches, please test and mark stable:

=proftpd-1.3.5a

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"

Thank you!

CVE-2015-3306 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3306):
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.

(In reply to Yury German from comment #5)
> =proftpd-1.3.5a

You forgot something. Stable for HPPA.

amd64 stable

x86 stable

Stable for PPC64.

arm stable

ppc stable

alpha stable

sparc stable

ia64 stable.

Cleanup, please!

GLSA vote: no.

Cleaned all old versions as:

> 25 Jul 2015; Sergei Trofimovich <slyfox@gentoo.org>
> -files/proftpd-1.3.4d-memset-fix.patch,
> -files/proftpd-1.3.4d-sftp-kbdint-max-responses-bug3973.patch,
> -files/proftpd-1.3.4e-link-tests.patch,
> -files/proftpd-1.3.5-netaddr-segv.patch, -proftpd-1.3.4d.ebuild,
> -proftpd-1.3.4e.ebuild, -proftpd-1.3.5-r1.ebuild, -proftpd-1.3.5.ebuild:
> Clean old vulnerable versions (bug #546644).

GLSA Vote: No

Thank you all. Closing as noglsa.