Bug 8691 - proftpd new security issue CVE-2012-6095
: proftpd new security issue CVE-2012-6095
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/532540/
: has_procedure mga2-64-ok mga2-32-ok
: validated_update
:
: 8884
  Show dependency treegraph
 
Reported: 2013-01-15 00:49 CET by David Walser
Modified: 2013-02-06 22:43 CET (History)
3 users (show)

See Also:
Source RPM: proftpd-1.3.3g-1.mga2.src.rpm
CVE:


Attachments

Description David Walser 2013-01-15 00:49:33 CET
Debian has issued an advisory on January 13:
http://www.debian.org/security/2013/dsa-2606

Patched packages uploaded for Mageia 2 and Cauldron.

Patch also checked into Mageia 1 SVN.

Advisory:
========================

Updated proftpd packages fix security vulnerability:

It has been discovered that in ProFTPd, an FTP server, an attacker on the
same physical host as the server may be able to perform a symlink attack
allowing to elevate privileges in some configurations (CVE-2012-6095).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6095
http://www.debian.org/security/2013/dsa-2606
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.3g-1.1.mga2
proftpd-devel-1.3.3g-1.1.mga2
proftpd-mod_ctrls_admin-1.3.3g-1.1.mga2
proftpd-mod_ifsession-1.3.3g-1.1.mga2
proftpd-mod_ldap-1.3.3g-1.1.mga2
proftpd-mod_quotatab-1.3.3g-1.1.mga2
proftpd-mod_quotatab_file-1.3.3g-1.1.mga2
proftpd-mod_quotatab_ldap-1.3.3g-1.1.mga2
proftpd-mod_quotatab_sql-1.3.3g-1.1.mga2
proftpd-mod_quotatab_radius-1.3.3g-1.1.mga2
proftpd-mod_radius-1.3.3g-1.1.mga2
proftpd-mod_ratio-1.3.3g-1.1.mga2
proftpd-mod_rewrite-1.3.3g-1.1.mga2
proftpd-mod_site_misc-1.3.3g-1.1.mga2
proftpd-mod_sql-1.3.3g-1.1.mga2
proftpd-mod_sql_mysql-1.3.3g-1.1.mga2
proftpd-mod_sql_postgres-1.3.3g-1.1.mga2
proftpd-mod_sql_passwd-1.3.3g-1.1.mga2
proftpd-mod_tls-1.3.3g-1.1.mga2
proftpd-mod_autohost-1.3.3g-1.1.mga2
proftpd-mod_case-1.3.3g-1.1.mga2
proftpd-mod_gss-1.3.3g-1.1.mga2
proftpd-mod_load-1.3.3g-1.1.mga2
proftpd-mod_shaper-1.3.3g-1.1.mga2
proftpd-mod_time-1.3.3g-1.1.mga2
proftpd-mod_wrap-1.3.3g-1.1.mga2
proftpd-mod_wrap_file-1.3.3g-1.1.mga2
proftpd-mod_wrap_sql-1.3.3g-1.1.mga2
proftpd-mod_ban-1.3.3g-1.1.mga2
proftpd-mod_vroot-1.3.3g-1.1.mga2
proftpd-mod_sftp-1.3.3g-1.1.mga2

from proftpd-1.3.3g-1.1.mga2.src.rpm
Comment 1 claire robinson 2013-01-15 01:32:30 CET
PoC: http://bugs.proftpd.org/show_bug.cgi?id=3841

Be careful using foo/etc. I'd recommend creating /test with root:root ownership or something to play with instead and MKD foo/test.
Comment 2 claire robinson 2013-01-15 01:38:51 CET
Does the build run the testsuite David?

It's mentioned on the PoC bug report and seems to come with the source.
Comment 3 David Walser 2013-01-15 01:56:42 CET
(In reply to comment #2)
> Does the build run the testsuite David?
> 
> It's mentioned on the PoC bug report and seems to come with the source.

Unfortunately, no.  Also, if the fix upstream added a test to the test suite, that wasn't included in the patches backported by Debian that I used.  I don't see anything for that in the patches attached to the upstream bug either.
Comment 4 claire robinson 2013-01-22 10:52:21 CET
This is showing as having a missing signature x86_64
Comment 5 David Walser 2013-01-22 20:58:16 CET
Rebuilt to fix the missing signature.

Advisory:
========================

Updated proftpd packages fix security vulnerability:

It has been discovered that in ProFTPd, an FTP server, an attacker on the
same physical host as the server may be able to perform a symlink attack
allowing to elevate privileges in some configurations (CVE-2012-6095).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6095
http://www.debian.org/security/2013/dsa-2606
========================

Updated packages in core/updates_testing:
========================
proftpd-1.3.3g-1.2.mga2
proftpd-devel-1.3.3g-1.2.mga2
proftpd-mod_ctrls_admin-1.3.3g-1.2.mga2
proftpd-mod_ifsession-1.3.3g-1.2.mga2
proftpd-mod_ldap-1.3.3g-1.2.mga2
proftpd-mod_quotatab-1.3.3g-1.2.mga2
proftpd-mod_quotatab_file-1.3.3g-1.2.mga2
proftpd-mod_quotatab_ldap-1.3.3g-1.2.mga2
proftpd-mod_quotatab_sql-1.3.3g-1.2.mga2
proftpd-mod_quotatab_radius-1.3.3g-1.2.mga2
proftpd-mod_radius-1.3.3g-1.2.mga2
proftpd-mod_ratio-1.3.3g-1.2.mga2
proftpd-mod_rewrite-1.3.3g-1.2.mga2
proftpd-mod_site_misc-1.3.3g-1.2.mga2
proftpd-mod_sql-1.3.3g-1.2.mga2
proftpd-mod_sql_mysql-1.3.3g-1.2.mga2
proftpd-mod_sql_postgres-1.3.3g-1.2.mga2
proftpd-mod_sql_passwd-1.3.3g-1.2.mga2
proftpd-mod_tls-1.3.3g-1.2.mga2
proftpd-mod_autohost-1.3.3g-1.2.mga2
proftpd-mod_case-1.3.3g-1.2.mga2
proftpd-mod_gss-1.3.3g-1.2.mga2
proftpd-mod_load-1.3.3g-1.2.mga2
proftpd-mod_shaper-1.3.3g-1.2.mga2
proftpd-mod_time-1.3.3g-1.2.mga2
proftpd-mod_wrap-1.3.3g-1.2.mga2
proftpd-mod_wrap_file-1.3.3g-1.2.mga2
proftpd-mod_wrap_sql-1.3.3g-1.2.mga2
proftpd-mod_ban-1.3.3g-1.2.mga2
proftpd-mod_vroot-1.3.3g-1.2.mga2
proftpd-mod_sftp-1.3.3g-1.2.mga2

from proftpd-1.3.3g-1.2.mga2.src.rpm
Comment 6 Manuel Hiebel 2013-01-30 14:45:33 CET
*** Bug 8654 has been marked as a duplicate of this bug. ***
Comment 7 claire robinson 2013-01-30 18:44:25 CET
depchecked ok
Comment 8 claire robinson 2013-01-31 10:23:03 CET
I've not been able to reproduce this so just testing proftpd basics x86_64
Comment 9 claire robinson 2013-01-31 10:38:11 CET
Testing complete mga2 64

Just testing I can log in with my user account and access files in my home directory.

Bug 8911 created for the testsuite
Comment 10 claire robinson 2013-02-01 17:49:00 CET
Similar testing mga2 32

Validating

Advisory & srpm in comment 5

Can sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 11 Thomas Backlund 2013-02-06 22:43:45 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0024

Note You need to log in before you can comment on or make changes to this bug.