This sounds rather serious:
https://github.com/proftpd/proftpd/pull/109
http://bugs.proftpd.org/show_bug.cgi?id=4169
I don't know how widespread the use of the mod_copy module is. There is no upstream release with the fix yet (and it's been a week since this was publicly fixed...), probably should be backported.
https://github.com/proftpd/proftpd/commit/35b65aaf7219be474f621a874ec77c85d9ec794d.patch
This took hours. For starters
diff --git a/RELEASE_NOTES b/RELEASE_NOTES index 526ee3a..879dee2 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES
is not necessary in a patch for gentoo. Files mod_copy.c & doc/contrib/mod_copy.html it seems have been patched by other commits since the release of proftpd-1.3.5, added to portage (16 May 2014). Attempting backporting, they had to be completely re-based. The file tests/t/lib/ProFTPD/Tests/Modules/mod_copy.pm took as it came with the patch. Since they were made in different styles, the final sec patch comes in 2 patches.
~/cvsPortage/gentoo-x86/net-ftp/proftpd $ USE="ssl openssl" ebuild proftpd-1.3.5-r2.ebuild compile
yielded
>>> Source compiled.
*proftpd-1.3.5-r2 (27 May 2015)
27 May 2015; Ian Delaney <idella4@gentoo.org> +files/CVE-2015-3306-test.patch, +files/CVE-2015-3306.patch, +proftpd-1.3.5-r2.ebuild: revbump; security patch (split into 2) wrt bug #546644, address qa issues by repoman for deps requiring slot operator
This would now require fast track stabilising.
Arches: ~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86
> ~/cvsPortage/gentoo-x86/net-ftp/proftpd $ USE="ssl openssl" ebuild proftpd-1.3.5-r2.ebuild compile
>
> yielded
>
> >>> Source compiled.
You need USE=copy as well: bug #550644
Upstream released a new version with a fix.
> - Bug 4169 - Unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy.
Pushed as:
>*proftpd-1.3.5a (30 May 2015)
>
> 30 May 2015; Sergei Trofimovich <slyfox@gentoo.org> +proftpd-1.3.5a.ebuild:
> Version bump: fixes security bug #546644 aka CVE-2015-3306: Unauthenticated
> copying of files via SITE CPFR/CPTO in mod_copy (USE=copy).
Please stabilize for: alpha amd64 arm hppa ia64 ppc64 ppc sparc x86
Thanks!
Arches, please test and mark stable:
=proftpd-1.3.5a
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Thank you!
CVE-2015-3306 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3306): The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
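An added example, not part of this bug thread or of ProFTPD: a log check for the behaviour the CVE text above describes, SITE CPFR/CPTO issued by a session that has not logged in. The LogFormat, the `-` placeholder for an unauthenticated user, the reply codes and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed LogFormat (not from the bug report): %h %l %u %t "%r" %s
# %u is taken to be "-" for a session that has not logged in.
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<code>\d{3})$'
)
SITE_COPY = re.compile(r'^SITE\s+(CPFR|CPTO)\s+(.+)$', re.IGNORECASE)

# Constructed sample lines: documentation addresses, neutral paths.
SAMPLE_LOG = """\
192.0.2.10 UNKNOWN - [27/May/2015:10:00:01 +0000] "SITE CPFR /srv/ftp/a.txt" 350
192.0.2.10 UNKNOWN - [27/May/2015:10:00:02 +0000] "SITE CPTO /srv/ftp/b.txt" 250
198.51.100.7 UNKNOWN alice [27/May/2015:10:05:00 +0000] "SITE CPFR /home/alice/a.txt" 350
198.51.100.7 UNKNOWN alice [27/May/2015:10:05:01 +0000] "SITE CPTO /home/alice/b.txt" 250
203.0.113.5 UNKNOWN - [31/May/2015:09:00:00 +0000] "SITE CPFR /srv/ftp/a.txt" 530
203.0.113.5 UNKNOWN - [31/May/2015:09:00:01 +0000] "SITE CPTO /srv/ftp/c.txt" 530
""".splitlines()


def find_unauth_copies(lines):
    """Pair CPFR/CPTO sent without a login and report each copy attempt."""
    pending = {}    # host -> source path of the last unauthenticated CPFR
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not in the assumed format
        c = SITE_COPY.match(m['cmd'])
        if not c or m['user'] != '-':
            continue                      # other command, or logged in
        verb, path, host = c.group(1).upper(), c.group(2), m['host']
        if verb == 'CPFR':
            pending[host] = path
        else:
            findings.append({
                'host': host, 'time': m['ts'],
                'source': pending.pop(host, None), 'dest': path,
                # 2xx on CPTO means the server performed the copy
                'succeeded': m['code'].startswith('2'),
            })
    return findings


if __name__ == '__main__':
    for f in find_unauth_copies(SAMPLE_LOG):
        print(f)
```

Sessions are keyed by client address only, so interleaved connections from one host can be mispaired; a `succeeded` value of true indicates the server still runs an unfixed mod_copy.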
(In reply to Yury German from comment #5)
> =proftpd-1.3.5a
You forgot something.
Stable for HPPA.
amd64 stable
x86 stable
Stable for PPC64.
arm stable
ppc stable
alpha stable
sparc stable
ia64 stable. Cleanup, please! GLSA vote: no.
Cleaned all old versions as:
> 25 Jul 2015; Sergei Trofimovich <slyfox@gentoo.org>
> -files/proftpd-1.3.4d-memset-fix.patch,
> -files/proftpd-1.3.4d-sftp-kbdint-max-responses-bug3973.patch,
> -files/proftpd-1.3.4e-link-tests.patch,
> -files/proftpd-1.3.5-netaddr-segv.patch, -proftpd-1.3.4d.ebuild,
> -proftpd-1.3.4e.ebuild, -proftpd-1.3.5-r1.ebuild, -proftpd-1.3.5.ebuild:
> Clean old vulnerable versions (bug #546644).
GLSA Vote: No
Thank you all. Closing as noglsa.