Bug 546644 (CVE-2015-3306) - <net-ftp/proftpd-1.3.5a: Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy (CVE-2015-3306)
Status: RESOLVED FIXED
Alias: CVE-2015-3306
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa/cve]
Depends on: 550644
Reported: 2015-04-15 00:35 UTC by Hanno Böck
Modified: 2015-08-04 13:52 UTC

Description Hanno Böck gentoo-dev 2015-04-15 00:35:55 UTC
This sounds rather serious:
https://github.com/proftpd/proftpd/pull/109
http://bugs.proftpd.org/show_bug.cgi?id=4169

I don't know how widespread the use of the mod_copy module is. There is no upstream release with the fix yet (and it's been a week since this was publicly fixed...), probably should be backported.
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2015-05-27 05:45:06 UTC
This took hours. For starters

diff --git a/RELEASE_NOTES b/RELEASE_NOTES
index 526ee3a..879dee2 100644
--- a/RELEASE_NOTES
+++ b/RELEASE_NOTES

is not necessary in a patch for gentoo. Files mod_copy.c & 
doc/contrib/mod_copy.html it seems have been patched by other commits since the release of proftpd-1.3.5, added to portage (16 May 2014). Attempting backporting, they had to be completely re-based.  The file tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm took as it came with the patch. 
Since they were made in different styles, the final sec patch comes in 2 patches.

~/cvsPortage/gentoo-x86/net-ftp/proftpd $ USE="ssl openssl"  ebuild proftpd-1.3.5-r2.ebuild compile

yielded

>>> Source compiled.

*proftpd-1.3.5-r2 (27 May 2015)

  27 May 2015; Ian Delaney <idella4@gentoo.org> +files/CVE-2015-3306-test.patch,
  +files/CVE-2015-3306.patch, +proftpd-1.3.5-r2.ebuild:
  revbump; security patch (split into 2) wrt bug #546644, address qa issues by
  repoman for deps requiring slot operator

This would now require fast track stabilising.

Arches:   ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2015-05-29 08:25:01 UTC
> ~/cvsPortage/gentoo-x86/net-ftp/proftpd $ USE="ssl openssl"  ebuild proftpd-1.3.5-r2.ebuild compile
> 
> yielded
> 
> >>> Source compiled.

You need USE=copy as well: bug #550644
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2015-05-30 21:05:22 UTC
Upstream released a new version with a fix.

> - Bug 4169 - Unauthenticated copying of files via SITE CPFR/CPTO allowed by
>   mod_copy.

Pushed as:

>*proftpd-1.3.5a (30 May 2015)
>
>  30 May 2015; Sergei Trofimovich <slyfox@gentoo.org> +proftpd-1.3.5a.ebuild:
>  Version bump: fixes security bug #546644 aka CVE-2015-3306: Unauthenticated
>  copying of files via SITE CPFR/CPTO in mod_copy (USE=copy).

Please stabilize for:
    alpha amd64 arm hppa ia64 ppc64 ppc sparc x86

Thanks!
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-05-30 23:49:04 UTC
Arches, please test and mark stable:

=proftpd-1.3.5a

Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-05-30 23:50:38 UTC
CVE-2015-3306 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3306):
  The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and
  write to arbitrary files via the site cpfr and site cpto commands.
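
Added example, not part of the bug report or of ProFTPD's code: a log check for the behaviour the CVE entry describes, reporting SITE CPFR/CPTO commands that a server accepted from a connection with no logged-in user. The four-field log layout, the sample lines and the function name are assumptions made for illustration.

```python
import re

# Constructed sample lines, assumed layout: client user "command" reply-code
# ("-" in the user field means no login had completed on that connection).
SAMPLE_LOG = """\
192.0.2.10 - "SITE CPFR /srv/ftp/pub/a.txt" 350
192.0.2.10 - "SITE CPTO /srv/ftp/pub/b.txt" 250
198.51.100.7 - "USER alice" 331
198.51.100.7 alice "PASS (hidden)" 230
198.51.100.7 alice "SITE CPFR /home/alice/x" 350
198.51.100.7 alice "SITE CPTO /home/alice/y" 250
203.0.113.5 - "SITE CPFR /srv/ftp/pub/a.txt" 530
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d{3})$')
COPY_RE = re.compile(r"^SITE\s+(CPFR|CPTO)\s+(.+)$", re.IGNORECASE)


def find_unauthenticated_copies(log_text):
    """Return (line, client, verb, path, source) for every SITE CPFR/CPTO
    that was accepted (2xx/3xx reply) from a client with no logged-in user."""
    findings = []
    pending_source = {}  # client -> path named by its last accepted CPFR
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # not in the assumed layout
        client, user, command, code = line.groups()
        copy = COPY_RE.match(command)
        if not copy or user != "-" or code[0] not in "23":
            continue  # other command, authenticated session, or refused
        verb, path = copy.group(1).upper(), copy.group(2).strip()
        source = None
        if verb == "CPFR":
            pending_source[client] = path
        else:
            # Pair the destination with the source this client named earlier.
            source = pending_source.pop(client, None)
        findings.append((lineno, client, verb, path, source))
    return findings


if __name__ == "__main__":
    for finding in find_unauthenticated_copies(SAMPLE_LOG):
        print(finding)
```

Any finding on a host still running a version below 1.3.5a with mod_copy built in (USE=copy) is a reason to upgrade and to review what the named paths contain.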
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-31 07:45:52 UTC
(In reply to Yury German from comment #5)
> =proftpd-1.3.5a

You forgot something.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-01 05:17:31 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-01 09:26:23 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-01 09:27:07 UTC
x86 stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-03 05:38:22 UTC
Stable for PPC64.
Comment 12 Markus Meier gentoo-dev 2015-06-11 19:10:07 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-06-24 07:56:02 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-07-03 08:57:08 UTC
alpha stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-07-23 09:37:01 UTC
sparc stable
Comment 16 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-24 10:30:44 UTC
ia64 stable.

Cleanup, please!

GLSA vote: no.
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2015-07-25 08:48:20 UTC
Cleaned all old versions as:

>  25 Jul 2015; Sergei Trofimovich <slyfox@gentoo.org>
>  -files/proftpd-1.3.4d-memset-fix.patch,
>  -files/proftpd-1.3.4d-sftp-kbdint-max-responses-bug3973.patch,
>  -files/proftpd-1.3.4e-link-tests.patch,
>  -files/proftpd-1.3.5-netaddr-segv.patch, -proftpd-1.3.4d.ebuild,
>  -proftpd-1.3.4e.ebuild, -proftpd-1.3.5-r1.ebuild, -proftpd-1.3.5.ebuild:
>  Clean old vulnerable versions (bug #546644).
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2015-08-04 13:52:44 UTC
GLSA Vote: No

Thank you all. Closing as noglsa.