| Summary: | pure-ftpd new security issues CVE-2019-20176 and CVE-2020-9274 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, pterjan, smelror, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | pure-ftpd-1.0.47-6.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2020-02-20 22:09:41 CET
David Walser
2020-02-20 22:09:54 CET
Whiteboard: (none) => MGA7TOO
David Walser
2020-02-21 17:53:46 CET
Status comment: (none) => Patch available from Fedora

Assigning to Pascal as the registered maintainer, CC Stig as the main recent committer of 'pure-ftpd'.

Assignee: bugsquad => pterjan

Debian-LTS has issued an advisory on February 27:
https://www.debian.org/lts/security/2020/dla-2123

It fixes an additional security issue.

Summary: pure-ftpd new security issue CVE-2019-20176 => pure-ftpd new security issues CVE-2019-20176 and CVE-2020-9274

We should probably update it in cauldron to 1.0.49 at the same time. I'll first backport the patch to 1.0.47 to update 7.

I added patches for those 3 into pure-ftpd-1.0.47-6.mga7:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9365

I guess testing that listing a directory still works would be the main thing.

Thanks Pascal!

Advisory:
========================

Updated pure-ftpd packages fix security vulnerabilities:

An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c. (CVE-2019-9274).

An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c (CVE-2019-9365).

In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the listdir function in ls.c (CVE-2019-20176).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9365
========================

Updated packages in core/updates_testing:
========================
pure-ftpd-1.0.47-6.mga7
pure-ftpd-anonymous-1.0.47-6.mga7
pure-ftpd-anon-upload-1.0.47-6.mga7

from pure-ftpd-1.0.47-6.mga7.src.rpm

CC: (none) => pterjan

Sorry I didn't apply one of the patches, this is fixed in -7

pure-ftpd-1.0.47-7.mga7
pure-ftpd-anonymous-1.0.47-7.mga7
pure-ftpd-anon-upload-1.0.47-7.mga7

from pure-ftpd-1.0.47-7.mga7.src.rpm

MGA7-64 Plasma on Lenovo B50
No installation issues.
On this laptop:
# systemctl -l status pure-ftpd
● pure-ftpd.service - LSB: Pure FTPd FTP server
Loaded: loaded (/etc/rc.d/init.d/pure-ftpd; generated)
Active: inactive (dead)
Docs: man:systemd-sysv-generator(8)
Mar 03 16:31:40 mach5.hviaene.thuis systemd[1]: /run/systemd/generator.late/pure-ftpd.service:22: PIDFile= references path>
Mar 03 16:31:40 mach5.hviaene.thuis systemd[1]: /run/systemd/generator.late/pure-ftpd.service:22: PIDFile= references path>
Mar 03 16:31:41 mach5.hviaene.thuis systemd[1]: /run/systemd/generator.late/pure-ftpd.service:22: PIDFile= references path>
Mar 03 16:31:41 mach5.hviaene.thuis systemd[1]: /run/systemd/generator.late/pure-ftpd.service:22: PIDFile= references path>
# systemctl start pure-ftpd
# systemctl -l status pure-ftpd
● pure-ftpd.service - LSB: Pure FTPd FTP server
Loaded: loaded (/etc/rc.d/init.d/pure-ftpd; generated)
Active: active (running) since Tue 2020-03-03 16:37:32 CET; 3s ago
Docs: man:systemd-sysv-generator(8)
Process: 17084 ExecStart=/etc/rc.d/init.d/pure-ftpd start (code=exited, status=0/SUCCESS)
Main PID: 17095 (pure-ftpd)
Memory: 2.1M
CGroup: /system.slice/pure-ftpd.service
└─17095 /usr/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf
Mar 03 16:37:31 mach5.hviaene.thuis systemd[1]: Starting LSB: Pure FTPd FTP server...
Mar 03 16:37:32 mach5.hviaene.thuis pure-ftpd[17084]: Starting Pure-ftpd: [ OK ]
Mar 03 16:37:32 mach5.hviaene.thuis systemd[1]: Started LSB: Pure FTPd FTP server.
Then used ftp command on desktop PC on LAN to login and transfer some files in the two directions, all OK.

Whiteboard: (none) => MGA7-64-OK

Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Thomas Backlund
2020-03-06 15:29:04 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0128.html

Resolution: (none) => FIXED |