On 01/07/2013 09:55 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> proFTPD upstream has recently released v1.3.5.rc1 release: [1]
> http://proftpd.org/docs/NEWS-1.3.5rc1 correcting one security
> issue:
>
> A time-of-check time-of-use (TOCTOU) race condition flaw was found
> in the way ProFTPD, flexible, stable and highly-configurable FTP
> server, handled MKD/XMKD FTP commands when the UserOwner directive
> was involved. A local attacker could use this flaw to possibly
> escalate their privileges via symbolic-link attacks on
> directories created by ProFTPD prior to the UserOwner ownership being
> applied.
>
> Upstream bug report: [2]
> http://bugs.proftpd.org/show_bug.cgi?id=3841
>
> Relevant upstream patch: [3]
> http://bugs.proftpd.org/show_bug.cgi?id=3841#c8
>
> References: [4]
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697524 [5]
> https://bugzilla.redhat.com/show_bug.cgi?id=892715
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>

Please use CVE-2012-6095 for this issue.
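The race described above is the classic mkdir-then-chown-by-path pattern: between the two calls the freshly created entry can be swapped for a symbolic link, and the ownership change lands on whatever the link points at. Below is an added illustration, written here in C, of the descriptor-based way to close that window; it is not ProFTPD's code or the upstream patch, and the function names and the geteuid() owner check are this example's own assumptions.

```c
#define _GNU_SOURCE 1   /* expose O_DIRECTORY / O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Apply ownership to a directory we just created without re-resolving
 * the path through a lookup an attacker could redirect. The racy form
 * the report describes is mkdir(path) followed by chown(path): a symlink
 * swapped in between the two calls sends the chown somewhere else. */
int secure_chown_dir(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd, saved;

    /* O_NOFOLLOW: fail (ELOOP) if the entry is now a symlink.
     * O_DIRECTORY: fail if it is not a directory at all. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    /* A directory this process just created is owned by its effective
     * uid; anything else means the entry was replaced underneath us. */
    if (fstat(fd, &st) != 0 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }

    /* fchown acts on the inode behind fd, not on a fresh path lookup. */
    if (fchown(fd, uid, gid) != 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

/* Hardened MKD-with-UserOwner flow: create, then own via the descriptor. */
int mkdir_owned(const char *path, mode_t mode, uid_t uid, gid_t gid)
{
    if (mkdir(path, mode) != 0)
        return -1;
    return secure_chown_dir(path, uid, gid);
}
```

Opening the parent directory once and using mkdirat()/openat() on that descriptor removes the remaining dependence on the parent path as well.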
CC: (none) => bersuit.vera, dmorganec
Source RPM: (none) => proftpd
*** This bug has been marked as a duplicate of bug 8691 ***
Status: NEW => RESOLVED
Resolution: (none) => DUPLICATE