Fedora has issued an advisory on February 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AHZG5FPCRMCB6Z3L7FPICC6BZ5ZATFTO/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from Fedora
Assigning to Pascal as the registered maintainer, CC Stig as the main recent committer of 'pure-ftpd'.
Assignee: bugsquad => pterjan
CC: (none) => smelror
Debian-LTS has issued an advisory on February 27:
https://www.debian.org/lts/security/2020/dla-2123

It fixes an additional security issue.
Summary: pure-ftpd new security issue CVE-2019-20176 => pure-ftpd new security issues CVE-2019-20176 and CVE-2020-9274
Status comment: Patch available from Fedora => Patches available from Fedora and Debian
We should probably update it in Cauldron to 1.0.49 at the same time. I'll first backport the patch to 1.0.47 to update 7.
I added patches for those 3 into pure-ftpd-1.0.47-6.mga7:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9365

I guess testing that listing a directory still works would be the main thing.
Thanks Pascal!

Advisory:
========================

Updated pure-ftpd packages fix security vulnerabilities:

An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the lookup_alias(const char *alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c. (CVE-2019-9274).

An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c (CVE-2019-9365).

In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the listdir function in ls.c (CVE-2019-20176).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9365
========================

Updated packages in core/updates_testing:
========================
pure-ftpd-1.0.47-6.mga7
pure-ftpd-anonymous-1.0.47-6.mga7
pure-ftpd-anon-upload-1.0.47-6.mga7

from pure-ftpd-1.0.47-6.mga7.src.rpm
CC: (none) => pterjan
Assignee: pterjan => qa-bugs
Version: Cauldron => 7
Status comment: Patches available from Fedora and Debian => (none)
Whiteboard: MGA7TOO => (none)
Sorry, I didn't apply one of the patches; this is fixed in -7.

pure-ftpd-1.0.47-7.mga7
pure-ftpd-anonymous-1.0.47-7.mga7
pure-ftpd-anon-upload-1.0.47-7.mga7

from pure-ftpd-1.0.47-7.mga7.src.rpm
MGA7-64 Plasma on Lenovo B50

No installation issues.

On this laptop:

# systemctl -l status pure-ftpd
● pure-ftpd.service - LSB: Pure FTPd FTP server
   Loaded: loaded (/etc/rc.d/init.d/pure-ftpd; generated)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

Mar 03 16:31:40 mach5.hviaene.thuis systemd[1]: /run/systemd/generator.late/pure-ftpd.service:22: PIDFile= references path>
Mar 03 16:31:40 mach5.hviaene.thuis systemd[1]: /run/systemd/generator.late/pure-ftpd.service:22: PIDFile= references path>
Mar 03 16:31:41 mach5.hviaene.thuis systemd[1]: /run/systemd/generator.late/pure-ftpd.service:22: PIDFile= references path>
Mar 03 16:31:41 mach5.hviaene.thuis systemd[1]: /run/systemd/generator.late/pure-ftpd.service:22: PIDFile= references path>

# systemctl start pure-ftpd
# systemctl -l status pure-ftpd
● pure-ftpd.service - LSB: Pure FTPd FTP server
   Loaded: loaded (/etc/rc.d/init.d/pure-ftpd; generated)
   Active: active (running) since Tue 2020-03-03 16:37:32 CET; 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 17084 ExecStart=/etc/rc.d/init.d/pure-ftpd start (code=exited, status=0/SUCCESS)
 Main PID: 17095 (pure-ftpd)
   Memory: 2.1M
   CGroup: /system.slice/pure-ftpd.service
           └─17095 /usr/sbin/pure-ftpd /etc/pure-ftpd/pure-ftpd.conf

Mar 03 16:37:31 mach5.hviaene.thuis systemd[1]: Starting LSB: Pure FTPd FTP server...
Mar 03 16:37:32 mach5.hviaene.thuis pure-ftpd[17084]: Starting Pure-ftpd: [ OK ]
Mar 03 16:37:32 mach5.hviaene.thuis systemd[1]: Started LSB: Pure FTPd FTP server.

Then used the ftp command on a desktop PC on the LAN to log in and transfer some files in both directions, all OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0128.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED