Bug 16579

Summary: pure-ftpd new DoS security issue
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: brtians1, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/654287/
Whiteboard: MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK
Source RPM: pure-ftpd-1.0.36-6.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-08-12 20:11:41 CEST 
Fedora has issued an advisory on August 7:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163669.html

Fedora fixed it with this patch:
http://pkgs.fedoraproject.org/cgit/pure-ftpd.git/plain/pure-ftpd-1.0.36-glob-path-len.patch?h=f22&id=f87fe50f64c4dc3cdbab244048a06a2c2156e5d7

The upstream commit to fix it is linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1233267

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-08-12 20:11:57 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-09-02 20:45:12 CEST 
Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated pure-ftpd packages fix security vulnerability:

It was reported that the process handling a user session could be crashed by
trying to match a file pattern longer than the maximum length for a path.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-August/163669.html
========================

Updated packages in core/updates_testing:
========================
pure-ftpd-1.0.36-3.1.mga4
pure-ftpd-anonymous-1.0.36-3.1.mga4
pure-ftpd-anon-upload-1.0.36-3.1.mga4
pure-ftpd-1.0.36-6.1.mga5
pure-ftpd-anonymous-1.0.36-6.1.mga5
pure-ftpd-anon-upload-1.0.36-6.1.mga5

from SRPMS:
pure-ftpd-1.0.36-3.1.mga4.src.rpm
pure-ftpd-1.0.36-6.1.mga5.src.rpm

Version: Cauldron => 5
Assignee: pterjan => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 2 Brian Rockwell 2015-09-03 04:14:47 CEST 
Installed pure-ftpd verified it was only ftp server running on machine.

Ran transfers from Windows to box using binary transfer of ISO.  Worked fine
Used another box to do transfers from new uploads.  Worked fine

Started automatically upon reboot.

Approved for 64-bit

CC: (none) => brtians1
Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK

Comment 3 Brian Rockwell 2015-09-03 06:59:30 CEST 
Mageia release 5 (Official) for i586


Ran transfers from Windows to box using binary transfer of ISO.  Worked fine
Used another box to do transfers from new uploads.  Worked fine.

Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK MGA5-32-OK

Comment 4 William Kenney 2015-09-06 19:36:44 CEST 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
pure-ftpd pure-ftpd-anonymous pure-ftpd-anon-upload

default install of pure-ftpd pure-ftpd-anonymous & pure-ftpd-anon-upload

[root@localhost wilcal]# urpmi pure-ftpd
Package pure-ftpd-1.0.36-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anonymous
Package pure-ftpd-anonymous-1.0.36-3.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anon-upload
Package pure-ftpd-anon-upload-1.0.36-3.mga4.i586 is already installed

I can ftp transfer, using FileZilla, files to and from the local client
I can ftp transfer, using FileZilla, files to and from the client under
test from a M5 system on the LAN

install pure-ftpd pure-ftpd-anonymous & pure-ftpd-anon-upload from updates_testing

Stop and restart pure-ftpd

[root@localhost wilcal]# urpmi pure-ftpd
Package pure-ftpd-1.0.36-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anonymous
Package pure-ftpd-anonymous-1.0.36-3.1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anon-upload
Package pure-ftpd-anon-upload-1.0.36-3.1.mga4.i586 is already installed

I can ftp transfer, using FileZilla, files to and from the local client
I can ftp transfer, using FileZilla, files to and from the client under
test from a M5 system on the LAN

CC: (none) => wilcal.int
Whiteboard: MGA4TOO MGA5-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA5-64-OK MGA5-32-OK

Comment 5 William Kenney 2015-09-06 20:07:27 CEST 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
pure-ftpd pure-ftpd-anonymous pure-ftpd-anon-upload

default install of pure-ftpd pure-ftpd-anonymous & pure-ftpd-anon-upload

[root@localhost wilcal]# urpmi pure-ftpd
Package pure-ftpd-1.0.36-3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anonymous
Package pure-ftpd-anonymous-1.0.36-3.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anon-upload
Package pure-ftpd-anon-upload-1.0.36-3.mga4.x86_64 is already installed

I can ftp transfer, using FileZilla, files to and from the local client
I can ftp transfer, using FileZilla, files to and from the client under
test from a M5 system on the LAN

install pure-ftpd pure-ftpd-anonymous & pure-ftpd-anon-upload from updates_testing

Stop and restart pure-ftpd

[root@localhost wilcal]# urpmi pure-ftpd
Package pure-ftpd-1.0.36-3.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anonymous
Package pure-ftpd-anonymous-1.0.36-3.1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi pure-ftpd-anon-upload
Package pure-ftpd-anon-upload-1.0.36-3.1.mga4.x86_64 is already installed

I can ftp transfer, using FileZilla, files to and from the local client
I can ftp transfer, using FileZilla, files to and from the client under
test from a M5 system on the LAN
William Kenney 2015-09-06 20:07:53 CEST

Whiteboard: MGA4TOO MGA4-32-OK MGA5-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK

Comment 6 William Kenney 2015-09-06 20:08:21 CEST 
This update works fine.
Testing complete for MGA4 & MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks
Comment 7 William Kenney 2015-09-06 20:10:17 CEST 
You get the honors Brian. Simply put and save "validated_update"
in the Keywords field and it's on it's way.
Comment 8 Brian Rockwell 2015-09-06 22:49:26 CEST 
I'll give it a try.

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK validated_update

Comment 9 David Walser 2015-09-07 00:20:31 CEST 
(In reply to Brian Rockwell from comment #8)
> I'll give it a try.

Nope.  It's a keyword, not a whiteboard entry.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK validated_update => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 10 Brian Rockwell 2015-09-07 01:15:56 CEST 
ok - I'll get it next time
Comment 11 claire robinson 2015-09-08 15:13:38 CEST 
Advisory uploaded.

Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-64-OK MGA5-32-OK

Comment 12 Mageia Robot 2015-09-08 19:57:46 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0355.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED