Fedora has issued an advisory on September 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/377GOOKDT66IY5TCU6WVXZOENVHNQTJO/

They fixed it in this commit:
http://pkgs.fedoraproject.org/cgit/rpms/pure-ftpd.git/commit/?h=f26&id=749308ee9d298aae7dc182debdd77b702a6d7e46

Our package may be affected in Cauldron, but older versions wouldn't be.
Component: RPM Packages => Security
QA Contact: (none) => security
Assignee: cjw => smelror
CC: (none) => smelror
Hi. Pure-ftpd 1.0.47 has been pushed to Cauldron with the patch from Fedora. Cheers, Stig
Whiteboard: (none) => MGA6TOO
Pure-ftpd 1.0.47 uploaded to 6/updates_testing.

Files:
pure-ftpd-1.0.47-1.mga6.rpm
pure-ftpd-anon-upload-1.0.47-1.mga6.rpm
pure-ftpd-anonymous-1.0.47-1.mga6.rpm
pure-ftpd-debuginfo-1.0.47-1.mga6.rpm

From: pure-ftpd-1.0.47-1.mga6.src.rpm

Cheers, Stig
Assignee: smelror => qa-bugs
Removing cauldron.
CC: (none) => shlomif
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Advisory:
========================

This is an update fixing loading the configuration file.

References:
CVE-2017-12170 pure-ftpd: Ignoring existing configuration after update due to packaging error
https://bugzilla.redhat.com/show_bug.cgi?id=1493114
https://nvd.nist.gov/vuln/detail/CVE-2017-12170

Updated packages in core/updates_testing:
========================
pure-ftpd-1.0.47-1.mga6
pure-ftpd-anon-upload-1.0.47-1.mga6
pure-ftpd-anonymous-1.0.47-1.mga6
pure-ftpd-debuginfo-1.0.47-1.mga6

from pure-ftpd-1.0.47-1.mga6.src.rpm
CVE: (none) => CVE-2017-12170
Mageia 6 :: x86_64

Not sure what is happening here. The online documentation recommended a somewhat esoteric procedure for running this. Installed the pre-update packages and used systemctl to enable and start pure-ftpd as a service. That seemed to work and it was possible to invoke ftp at the command line and transfer files across the LAN - the simplest test I could think of.

Updated the packages and tried this again but then it would not restart - the control process exited immediately. Tried removing the packages and reinstalling but it still failed to start.

Last try, as root:

# pure-ftpd &

It worked OK that way for a user. So is this the way it is meant to be used?
CC: (none) => tarazed25
Len. Thanks for your report. This issue has been fixed and pure-ftpd is building now. Will let you know when the new build is available. Cheers, Stig
Advisory:
========================

This is an update fixing loading the configuration file.

References:
CVE-2017-12170 pure-ftpd: Ignoring existing configuration after update due to packaging error
https://bugzilla.redhat.com/show_bug.cgi?id=1493114
https://nvd.nist.gov/vuln/detail/CVE-2017-12170

Updated packages in core/updates_testing:
========================
pure-ftpd-1.0.47-1.1.mga6
pure-ftpd-anon-upload-1.0.47-1.1.mga6
pure-ftpd-anonymous-1.0.47-1.1.mga6
pure-ftpd-debuginfo-1.0.47-1.1.mga6

from pure-ftpd-1.0.47-1.1.mga6.src.rpm
Keywords: (none) => advisory
Keywords: advisory => (none)
CC: (none) => tmb
Mageia 6 :: x86_64

Updated pure-ftpd packages and finally figured out how it starts. systemctl indicated that it was enabled as a service and after a reboot showed that it was running normally. Double-checked that the process was there.

$ ps aux | grep pure-ftpd
root      2522  0.0  0.0  46668   680 ?        Ss   10:42   0:00 pure-ftpd (SERVER)

There is a problem though. How does one override /bin/ftp when using the command line for local operations? Or does the ftp command automatically use the service if it is running?
Hi Len. I don't like the ftp command. On every install I do, I install ncftp. But as far as pure-ftpd is concerned, it looks like it's running as it should.

Cheers, Stig
Thanks Stig. Reading between the lines, that indicates that ftp would be using pure-ftpd. However, I shall install ncftp and use that to finish the report.
Logged in to another machine on the LAN and exercised some of the commands like copying a file to the host machine. The shell commands all seemed to work OK.

$ ncftp -u lcl -p <password> belexeuli
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.1.156...
ProFTPD 1.3.5e Server (ProFTPD Default Installation) [192.168.1.156]
Logging in...
User lcl logged in
Logged in to belexeuli.
ncftp /home/lcl > cd ruby/local
ncftp /home/lcl/ruby/local > get psrepair.rb
psrepair.rb:                                            300.00 B   10.09 kB/s
ncftp /home/lcl/ruby/local > cd
ncftp /home/lcl > .......
Lost connection
ncftp> open -u lcl -p <password> belexeuli
Connecting to 192.168.1.156...
ProFTPD 1.3.5e Server (ProFTPD Default Installation) [192.168.1.156]
Logging in...
User lcl logged in
Logged in to belexeuli.
ncftp /home/lcl > put LochEck_0003.jpg
LochEck_0003.jpg:                                        12.59 MB    4.72 MB/s
ncftp /home/lcl > quit

Tried an external site:

$ ncftp ftp://128.10.252.10/pub/
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 128.10.252.10...
::ffff:128.10.252.10 FTP server ready
Logging in...
Anonymous access granted, restrictions apply
Logged in to 128.10.252.10.
Current remote directory is /pub.
ncftp /pub > ls
advisories/   doc/          ls-lR         tools/
dict/         lists/        os/
ncftp /pub > ls dict
dictionaries/   local/          README.txt      wordlists/
ncftp /pub > cd dict
------------------------------------------------------------------------
Purdue University CERIAS - Security Archive
------------------------------------
Center for Education and Research in Information Assurance and Security
All comments may be directed to security-archive@cerias.purdue.edu
------------------------------------------------------------------------
This is a collection of miscellaneous dictionary files from many places,
it is currently a bit messy, so look through and find what you want.

CWD command successful
ncftp /pub/dict > ls dictionaries
DanKlein/        English/         Hindi/           Swedish/
DEC-collection/  Finnish/         Italian/
Dutch/           German/          Norwegian/
ncftp /pub/dict > cd dictionaries/Dutch
ncftp ...ict/dictionaries/Dutch >
ncftp ...ict/dictionaries/Dutch > get words.dutch.Z
words.dutch.Z:                                        779056 bytes  443.48 kB/s
ncftp ...ict/dictionaries/Dutch > quit

This all works as well as expected. Giving it a 64-bit OK.
Whiteboard: (none) => MGA6-64-OK
Rider to comment 11: Noting the ProFTPD notice on the belexeuli login I tried the connection from the other end (belexeuli) to check which server vega was using. Installed pure-ftpd on belexeuli and rebooted. Opened an FTP session on belexeuli:

$ ftp vega
Connected to vega.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.

which clinches it. Everything is OK.
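The banner above identifies which daemon answers, but it does not by itself show whether that daemon read the packaged configuration, which is exactly what the advisory's "ignoring existing configuration after update" (CVE-2017-12170) is about. The script below is an added example, not from this bug report or the pure-ftpd project: it compares MaxClientsNumber in a pure-ftpd.conf with the "of M allowed" figure in a captured 220 banner, so a daemon silently running on built-in defaults shows up as a mismatch. The config file, both banners and the temporary directory are constructed samples.

```shell
#!/bin/sh
# Added example (not from the bug report or the pure-ftpd project): check that a
# running pure-ftpd honours its packaged pure-ftpd.conf rather than silently
# falling back to built-in defaults, the failure mode behind CVE-2017-12170.
# It compares MaxClientsNumber in the config with the "of M allowed" figure in
# the 220 banner. Every input below is a constructed sample.

# Read MaxClientsNumber from a pure-ftpd.conf ("Key value" lines, '#' comments).
config_max_clients() {
    awk 'tolower($1) == "maxclientsnumber" { print $2; exit }' "$1"
}

# Pull M out of a captured banner line "220-You are user number N of M allowed."
banner_max_clients() {
    sed -n 's/^220-You are user number [0-9][0-9]* of \([0-9][0-9]*\) allowed.*/\1/p' "$1" | head -n 1
}

# Exit status: 0 = banner matches config, 1 = mismatch (config most likely
# ignored), 2 = one of the two values could not be found.
check_config_honoured() {
    cfg=$(config_max_clients "$1")
    ban=$(banner_max_clients "$2")
    [ -n "$cfg" ] && [ -n "$ban" ] || return 2
    [ "$cfg" = "$ban" ]
}

DEMO=$(mktemp -d)
# Constructed config with a deliberately non-default limit (pure-ftpd defaults to 50).
printf '# constructed sample\nMaxClientsNumber 20\nDaemonize yes\n' > "$DEMO/pure-ftpd.conf"
# Constructed banner from a daemon that loaded that config.
printf '220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n220-You are user number 1 of 20 allowed.\r\n' > "$DEMO/banner_ok.txt"
# Constructed banner from a daemon running on built-in defaults.
printf '220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n220-You are user number 1 of 50 allowed.\r\n' > "$DEMO/banner_default.txt"

for b in banner_ok banner_default; do
    if check_config_honoured "$DEMO/pure-ftpd.conf" "$DEMO/$b.txt"; then
        echo "$b: banner matches MaxClientsNumber, the config file is being read"
    else
        echo "$b: mismatch or missing value, check how the service unit starts the daemon"
    fi
done
```

On a real host, capture the banner with the ftp client as in the session above and point the script at /etc/pure-ftpd/pure-ftpd.conf; any limit other than the default makes the check meaningful.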
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0108.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED