Bug 26251

Summary: proftpd new security issue CVE-2020-9273
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: proftpd-1.3.5e-4.2.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-02-24 23:33:39 CET 
Debian-LTS has issued an advisory on February 21:
https://www.debian.org/lts/security/2020/dla-2115

Mageia 7 is also affected.
David Walser 2020-02-24 23:33:47 CET

Whiteboard: (none) => MGA7TOO

David Walser 2020-02-24 23:35:30 CET

Status comment: (none) => Patches available from upstream and Debian

Comment 1 David Walser 2020-02-27 22:43:31 CET 
Debian has issued an advisory for this on February 26:
https://www.debian.org/security/2020/dsa-4635
Comment 2 David Walser 2020-02-27 23:25:31 CET 
This is fixed upstream in 1.3.6c.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Source RPM: proftpd-1.3.6c-2.mga8.src.rpm => proftpd-1.3.5e-4.2.mga7.src.rpm

Comment 3 David GEIGER 2020-02-28 05:29:29 CET 
Done for mga7!

CC: (none) => geiger.david68210

Comment 4 David Walser 2020-02-28 06:13:21 CET 
Advisory:
========================

Updated proftpd packages fix security vulnerability:

Antonio Morales discovered an use-after-free flaw in the memory pool allocator
in ProFTPD. Interrupting current data transfers can corrupt the ProFTPD memory
pool, leading to denial of service, or potentially the execution of arbitrary
code (CVE-2020-9273).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9273
https://www.debian.org/security/2020/dsa-4635
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.5e-4.3.mga7
proftpd-devel-1.3.5e-4.3.mga7
proftpd-mod_ctrls_admin-1.3.5e-4.3.mga7
proftpd-mod_ifsession-1.3.5e-4.3.mga7
proftpd-mod_ldap-1.3.5e-4.3.mga7
proftpd-mod_quotatab-1.3.5e-4.3.mga7
proftpd-mod_quotatab_file-1.3.5e-4.3.mga7
proftpd-mod_quotatab_ldap-1.3.5e-4.3.mga7
proftpd-mod_quotatab_sql-1.3.5e-4.3.mga7
proftpd-mod_quotatab_radius-1.3.5e-4.3.mga7
proftpd-mod_radius-1.3.5e-4.3.mga7
proftpd-mod_ratio-1.3.5e-4.3.mga7
proftpd-mod_rewrite-1.3.5e-4.3.mga7
proftpd-mod_site_misc-1.3.5e-4.3.mga7
proftpd-mod_sql-1.3.5e-4.3.mga7
proftpd-mod_sql_mysql-1.3.5e-4.3.mga7
proftpd-mod_sql_postgres-1.3.5e-4.3.mga7
proftpd-mod_sql_sqlite-1.3.5e-4.3.mga7
proftpd-mod_sql_passwd-1.3.5e-4.3.mga7
proftpd-mod_tls-1.3.5e-4.3.mga7
proftpd-mod_tls_shmcache-1.3.5e-4.3.mga7
proftpd-mod_tls_memcache-1.3.5e-4.3.mga7
proftpd-mod_autohost-1.3.5e-4.3.mga7
proftpd-mod_case-1.3.5e-4.3.mga7
proftpd-mod_gss-1.3.5e-4.3.mga7
proftpd-mod_load-1.3.5e-4.3.mga7
proftpd-mod_shaper-1.3.5e-4.3.mga7
proftpd-mod_wrap-1.3.5e-4.3.mga7
proftpd-mod_wrap_file-1.3.5e-4.3.mga7
proftpd-mod_wrap_sql-1.3.5e-4.3.mga7
proftpd-mod_ban-1.3.5e-4.3.mga7
proftpd-mod_vroot-1.3.5e-4.3.mga7
proftpd-mod_sftp-1.3.5e-4.3.mga7
proftpd-mod_sftp_pam-1.3.5e-4.3.mga7
proftpd-mod_sftp_sql-1.3.5e-4.3.mga7
proftpd-mod_memcache-1.3.5e-4.3.mga7

from proftpd-1.3.5e-4.3.mga7.src.rpm

Assignee: mrambo => qa-bugs
Status comment: Patches available from upstream and Debian => (none)

Comment 5 Herman Viaene 2020-02-29 11:24:29 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues
# systemctl  start proftpd
# systemctl -l status proftpd
● proftpd.service - LSB: ProFTPD FTP server
   Loaded: loaded (/etc/rc.d/init.d/proftpd; generated)
   Active: active (running) since Sat 2020-02-29 11:11:47 CET; 2s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 15656 ExecStart=/etc/rc.d/init.d/proftpd start (code=exited, status=0/SUCCESS)
   Memory: 4.3M
   CGroup: /system.slice/proftpd.service
           └─15668 proftpd: (accepting connections)

Feb 29 11:11:47 mach5.hviaene.thuis systemd[1]: Starting LSB: ProFTPD FTP server...
Feb 29 11:11:47 mach5.hviaene.thuis proftpd[15656]: Starting proftpd[  OK  ]
Feb 29 11:11:47 mach5.hviaene.thuis systemd[1]: Started LSB: ProFTPD FTP server.

Then connected from desktop PC on my LAN to the laptop and did transfer in borh directions.
All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-03-01 14:25:51 CET 
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 David Walser 2020-03-02 22:01:58 CET 
openSUSE has issued an advisory for this on March 1:
https://lists.opensuse.org/opensuse-updates/2020-03/msg00010.html

I don't *think* we're vulnerable to CVE-2020-9272, because it looks from the SPEC like we link to the system libcap library (but it'd be nice if someone can confirm that), which should make us OK according to:
https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-9272.html
Thomas Backlund 2020-03-06 13:59:39 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2020-03-06 17:15:48 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0120.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED