Bug 614714 (CVE-2017-7418) - <net-ftp/proftpd-1.3.5e: Unspecified vulnerability (CVE-2017-7418)
Summary: <net-ftp/proftpd-1.3.5e: Unspecified vulnerability (CVE-2017-7418)
Status: RESOLVED FIXED
Alias: CVE-2017-7418
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-05 01:54 UTC by GLSAMaker/CVETool Bot
Modified: 2017-04-30 12:10 UTC

See Also:
Package list:
=net-ftp/proftpd-1.3.5e
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2017-04-05 01:54:21 UTC
CVE-2017-7418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7418):
  ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home
  directory of a user could contain a symbolic link through the
  AllowChrootSymlinks configuration option, but checks only the last path
  component when enforcing AllowChrootSymlinks. Attackers with local access
  could bypass the AllowChrootSymlinks control by replacing a path component
  (other than the last one) with a symbolic link. The threat model includes an
  attacker who is not granted full filesystem access by a hosting provider,
  but can reconfigure the home directory of an FTP user.
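
The difference between checking only the last path component and checking every component, shown as an added example that is not part of this bug report or of ProFTPD's code. The function names and the temporary directory tree are constructed for illustration.

```python
import os
import stat
import tempfile


def last_component_is_symlink(path):
    """Weak check: lstat() on the full path inspects only the final component."""
    return stat.S_ISLNK(os.lstat(path).st_mode)


def symlink_components(path):
    """Hardened check: lstat() every prefix of an absolute path.

    Returns the list of prefixes that are symbolic links (empty if none).
    """
    if not os.path.isabs(path):
        raise ValueError("expected an absolute path")
    found, prefix = [], os.sep
    for part in path.split(os.sep):
        if not part:  # skip empty components produced by a leading or doubled '/'
            continue
        prefix = os.path.join(prefix, part)
        if stat.S_ISLNK(os.lstat(prefix).st_mode):
            found.append(prefix)
    return found


def demo():
    """Constructed tree: <base>/real/home is a directory, <base>/link -> real."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)  # start from a symlink-free base directory
        os.makedirs(os.path.join(base, "real", "home"))
        os.symlink("real", os.path.join(base, "link"))
        # The symlink is an intermediate component, not the last one.
        home = os.path.join(base, "link", "home")
        weak = last_component_is_symlink(home)
        flagged = [os.path.relpath(p, base) for p in symlink_components(home)]
        direct = symlink_components(os.path.join(base, "real", "home"))
    return weak, flagged, direct


if __name__ == "__main__":
    weak, flagged, direct = demo()
    print("last-component check sees a symlink:", weak)
    print("per-component check flags:", flagged)
    print("symlink-free path flags:", direct)
```

An lstat() walk like this is a point-in-time check: a local user who can modify a parent directory can still swap a component after it runs, so it suits auditing configured home directories rather than enforcing the restriction.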
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2017-04-10 07:47:01 UTC
Pushed two releases that fix this CVE: 1.3.5.e and 1.3.6 as https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e06b831037753f343442c645c66d2ab29a41d75
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-04-11 21:36:33 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-04-12 21:09:33 UTC
We are ready to stabilize
    =net-ftp/proftpd-1.3.5e
on the following arches:
    alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2017-04-15 09:53:57 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2017-04-17 07:36:54 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-04-17 08:03:36 UTC
x86 stable
Comment 7 Michael Weber (RETIRED) gentoo-dev 2017-04-17 23:40:41 UTC
arm ppc64 stable.
Comment 8 Michael Weber (RETIRED) gentoo-dev 2017-04-18 06:44:53 UTC
ppc stable.
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-22 07:36:30 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2017-04-27 11:26:58 UTC
sparc stable
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2017-04-28 01:20:21 UTC
Arches, Thank you for your work. All security supported arches done.
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-04-29 21:46:46 UTC
Dropped old as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4eecb6564211d3fcd2ad7063f53ac04c2da41bf3
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 12:10:15 UTC
Maintainer(s), Thank you for your work.