Bug 15436

Summary: vsftpd new security issue CVE-2015-1419
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/630002/
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK advisory
Source RPM: vsftpd-3.0.2-7.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-03-05 21:00:36 CET 
OpenSuSE has issued an advisory today (March 5):
http://lists.opensuse.org/opensuse-updates/2015-03/msg00012.html

The security issue was originally fixed long ago in our package by vsftpd-2.1.0-filter.patch.  Apparently that fix was rendered ineffective once vsftpd was updated to version 3.0.2.  OpenSuSE has enhanced the patch to make it effective again:
https://bugzilla.suse.com/show_bug.cgi?id=915522

Updated patch added in Mageia 4 and Cauldron SVN.  Freeze push requested.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-05 21:00:43 CET

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-03-05 21:45:40 CET 
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated vsftpd package fixes security vulnerability:

The vsftp daemon was not handling the "deny_file" option properly, allowing
unauthorized access in some specific scenarios (CVE-2015-1419).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1419
http://lists.opensuse.org/opensuse-updates/2015-03/msg00012.html
========================

Updated packages in core/updates_testing:
========================
vsftpd-3.0.2-4.1.mga4

from vsftpd-3.0.2-4.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 2 Herman Viaene 2015-03-07 10:46:26 CET 
MGA4-32 on AcerD620 Xfce.
No installation issues.
Refer to bug 10962 Comment 5 for test.
I had to additionally install heimdal-ftp as it is not included in default installation.
Made the changes to /etc/vsftpd/vsftpd.conf as described in testcase.
Made sure no other ftp service was running, started vsftpd service.
At CLI as normal user:
$ ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.2)
Trying GSSAPI...
The server doesn't support the FTP security extensions.

*** Using plaintext user and password ***

Name (localhost:xxxx): 
331 Please specify the password.
Password: <wrong password>
530 Login incorrect.
ftp: Login failed.
ftp> bye
221 Goodbye.
[xxxx@yyyy ~]$ ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.2)
Trying GSSAPI...
The server doesn't support the FTP security extensions.

*** Using plaintext user and password ***

Name (localhost:xxxx):      
331 Please specify the password.
Password: <correct password>
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK

Comment 3 Herman Viaene 2015-03-10 11:58:07 CET 
MGA4-64 on HP Probook 6555b KDE
No installation issues.
Followed same procedure as above Comment 2 and get the same results.

Whiteboard: MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 RĂ©mi Verschelde 2015-03-10 12:32:10 CET 
Advisory uploaded, validating. Please push to 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 5 Mageia Robot 2015-03-10 17:49:06 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0103.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED