Debian Bug report logs - #384454
ftpd: Does not handle symlink? NFS? home directory
Reported by: Paul Szabo <psz@maths.usyd.edu.au>
Date: Thu, 24 Aug 2006 11:34:22 UTC
Severity: critical
Tags: patch, security, upstream
Found in version linux-ftpd/0.17-20
Fixed in versions linux-ftpd/0.17-22, linux-ftpd/0.17-20sarge2
Done: Alberto Gonzalez Iniesta <agi@inittab.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>
:
Bug#384454
; Package ftpd
.
(full text, mbox, link).
Acknowledgement sent to Paul Szabo <psz@maths.usyd.edu.au>
:
New Bug report received and forwarded. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: ftpd
Version: 0.17-20
Severity: normal
I have my home directory within an NFS-mounted directory, and logging
in I get (just "/" instead of my home dir):
psz@asti:~$ /usr/bin/ftp asti
Connected to asti.maths.usyd.edu.au.
220 asti.maths.usyd.edu.au FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.17) ready.
Name (asti:psz): psz
331 Password required for psz.
Password:
230- No directory! Logging in with home=/
230- Linux asti.maths.usyd.edu.au 2.6.8-spm1.5 #1 SMP Mon Jul 17 07:05:34 EST 2006 i686 GNU/Linux
230-
230- The programs included with the Debian GNU/Linux system are free software;
230- the exact distribution terms for each program are described in the
230- individual files in /usr/share/doc/*/copyright.
230-
230- Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
230- permitted by applicable law.
230 User psz logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is current directory.
ftp> cd /users/amstaff/psz
250 CWD command successful.
ftp> pwd
257 "/pisa/users/amstaff/psz" is current directory.
ftp> quit
221 Goodbye.
psz@asti:~$
I do not get this nonsense when logging in to the machine containing
my home dir. Settings that may be relevant to ftpd are:
psz@asti:~$ grep psz /etc/passwd
psz:x:1001:1001:Paul Szabo:/users/amstaff/psz:/bin/bash
psz@asti:~$ ls -l /etc/ftp*
-rw-r--r-- 1 root root 76 Apr 18 2002 /etc/ftpchroot
-rw-r--r-- 1 root root 91 Apr 18 2002 /etc/ftpusers
psz@asti:~$ grep . /etc/ftp*
/etc/ftpchroot:# /etc/ftpchroot: list of users who needs to be chrooted. See ftpchroot(5).
/etc/ftpusers:# /etc/ftpusers: list of users disallowed ftp access. See ftpusers(5).
/etc/ftpusers:root
/etc/ftpusers:ftp
/etc/ftpusers:anonymous
psz@asti:~$ grep bash /etc/shells
/bin/bash
/bin/rbash
psz@asti:~$
and to my home dir (my own trace_path utility):
psz@asti:~$ trace_path ~
Tracing path /users/amstaff/psz
Dir / (users/amstaff/psz to go)
Dir /users (amstaff/psz to go)
Link /users/amstaff -> /pisa/users/amstaff (psz to go)
Dir / (pisa/users/amstaff/psz to go)
Dir /pisa (users/amstaff/psz to go)
Dir /pisa/users (amstaff/psz to go)
Dir /pisa/users/amstaff (psz to go)
Dir /pisa/users/amstaff/psz
Traversed 7 directories, 1 links
psz@asti:~$ mount | grep users
/dev/sda6 on /usr/users type ext3 (rw,usrquota)
pisa:/usr/users on /pisa/users type nfs (rw,bg,rsize=8192,wsize=8192,addr=129.78.69.136)
psz@asti:~$
Thanks,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm1.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages ftpd depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii netbase 4.21 Basic TCP/IP networking system
-- debconf information:
* ftpd/globattack:
Message #10 received at 384454@bugs.debian.org, from Paul Szabo <psz@maths.usyd.edu.au> (forwarded to debian-bugs-dist@lists.debian.org and Alberto Gonzalez Iniesta <agi@inittab.org>):
A bit of testing indicates that the problem is not with the symlink
within the home directory path, but purely with it being hosted on
another machine via NFS: related to root_squash. The ftpd process,
while running as root before it sets UID/GID to the user logging in,
cannot access the home directory though should be able to stat() it:
root@asti:~# ls -l /users/amstaff/psz
ls: /users/amstaff/psz: Permission denied
root@asti:~# ls -ld /users/amstaff/psz
drwx------ 46 psz amstaff 4096 Aug 25 07:50 /users/amstaff/psz
This guess verified with:
psz@asti:~$ chmod 755 ~ ### Now 'ftp asti' finds home directory OK
psz@asti:~$ chmod 700 ~ ### Back as it was, 'ftp asti' has problem
Seems that ftpd tries chdir() while still root, before setting UID:
surely it should set UID first, then chdir().
This seems a security risk. In the above scenario, I could arrange the
machine holding the home directory to return something that would
resolve to some normally inaccessible place like /root; and in fact
ftpd would then have that as my "current directory". (Annoying that
the final leaf cannot be a symlink; but if my home dir on asti was
/users/amstaff/psz/root then on pisa I could set /user/amstaff/psz to
be a symlink to /, so asti would resolve that as /root.) I do not know
what misdeeds I can do by having an otherwise inaccessible cwd.
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
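The ordering Paul asks for (take on the user's credentials first, then chdir(), checking every return value) as an added example in C; this is constructed for illustration and is not linux-ftpd's code. It assumes a full, permanent drop with setgid()/setuid() rather than ftpd's temporary seteuid(); the function name enter_home_as_user, the status enum and the missing home path are all made up for the example.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __linux__
/* Explicit prototype so the file also builds under strict -std=c99/c11 modes. */
int setgroups(size_t n, const gid_t *groups);
#endif

/* Outcome of the login sequence; anything but OK or FALLBACK must end the session. */
enum login_dir_status {
    LOGIN_DIR_OK = 0,        /* credentials dropped, now in the home directory */
    LOGIN_DIR_FALLBACK = 1,  /* credentials dropped, home unreachable, now in "/" */
    LOGIN_DIR_ERR_PRIV = 2,  /* privilege drop failed or was not permanent */
    LOGIN_DIR_ERR_NODIR = 3  /* neither home nor "/" could be entered */
};

/*
 * Hypothetical hardened login sequence (constructed for this example, not
 * linux-ftpd's code): drop privileges first, chdir() afterwards, and check
 * every return value.
 *
 * Once the process carries the user's uid/gid the kernel resolves the home
 * path with the user's own permissions, so a home the user cannot reach
 * (root_squash on the NFS server, a mode-700 parent, a symlink aimed at
 * /root on a server the user controls) is refused instead of silently
 * becoming the session's current directory.
 */
int enter_home_as_user(uid_t uid, gid_t gid, const char *home)
{
    /* Only root may replace the supplementary group list; an already
       unprivileged process (e.g. this file run as a test) keeps its own. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return LOGIN_DIR_ERR_PRIV;
    /* gid before uid: once the uid is non-root, setgid() could no longer succeed. */
    if (setgid(gid) != 0)
        return LOGIN_DIR_ERR_PRIV;
    /* Unchecked, a failed setuid() would leave us running as root. */
    if (setuid(uid) != 0)
        return LOGIN_DIR_ERR_PRIV;
    /* The drop must be permanent: if root can still be regained, stop here. */
    if (uid != 0 && setuid(0) == 0)
        return LOGIN_DIR_ERR_PRIV;
    /* Now, and only now, move into the home directory as the user. */
    if (chdir(home) == 0)
        return LOGIN_DIR_OK;
    if (chdir("/") == 0)
        return LOGIN_DIR_FALLBACK;
    return LOGIN_DIR_ERR_NODIR;
}

/* Stand-alone demo with the caller's own ids and a constructed missing home path. */
int main(void)
{
    char cwd[4096];
    int rc = enter_home_as_user(getuid(), getgid(), "/constructed/missing/home");

    if (getcwd(cwd, sizeof cwd) == NULL)
        return 1;
    printf("status=%d euid=%ld cwd=%s\n", rc, (long)geteuid(), cwd);
    return (rc == LOGIN_DIR_OK || rc == LOGIN_DIR_FALLBACK) ? 0 : 1;
}
```

Run as an ordinary user it "drops" to that user's own ids (which the kernel permits) and reports the fallback to "/" for the constructed missing home; run as root it performs the real drop before the first path lookup.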
Message #15 received at 384454@bugs.debian.org, from Paul Szabo <psz@maths.usyd.edu.au> (forwarded to debian-bugs-dist@lists.debian.org and Alberto Gonzalez Iniesta <agi@inittab.org>):
See also
http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/049014.html
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Message #20 received at 384454@bugs.debian.org, from Paul Szabo <psz@maths.usyd.edu.au> (forwarded to debian-bugs-dist@lists.debian.org and Alberto Gonzalez Iniesta <agi@inittab.org>):
I suggest the patch below. Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
--- linux-ftpd-0.17/ftpd/popen.c.bak 1999-07-16 11:12:54.000000000 +1000
+++ linux-ftpd-0.17/ftpd/popen.c 2006-08-25 13:31:33.950447078 +1000
@@ -169,8 +169,13 @@
* XXX: this doesn't seem right... and shouldn't
* we initgroups, or at least setgroups(0,0)?
*/
- setgid(getegid());
- setuid(i);
+
+/*
+ * PSz 25 Aug 06 Must check the return status of these setgid/setuid calls,
+ * see http://www.bress.net/blog/archives/34-setuid-madness.html
+ */
+ if ( setgid(geteuid()) != 0 ) _exit(1);
+ if ( setuid(i) != 0 ) _exit(1);
#ifndef __linux__
/*
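Review bot: the added line `if ( setgid(geteuid()) != 0 ) _exit(1);` passes an effective uid where the removed `setgid(getegid())` passed a gid; the intent is plainly `getegid()`, and with the typo the child's group becomes whatever number the effective uid happens to be (as Message #64 later records, commands ended up running with EGID root), so this line should be corrected before the patch is applied. The return-value checks themselves are the right change: an unchecked failed setuid() would leave the popen() child executing as root.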
--- linux-ftpd-0.17/ftpd/ftpd.c.bak 2006-08-25 12:53:25.277537000 +1000
+++ linux-ftpd-0.17/ftpd/ftpd.c 2006-08-25 13:46:28.798975583 +1000
@@ -1159,6 +1159,13 @@
}
strcpy(pw->pw_dir, "/");
setenv("HOME", "/", 1);
+ }
+ /* PSz 25 Aug 06 chdir for real users done after setting UID */
+ if (seteuid((uid_t)pw->pw_uid) < 0) {
+ reply(550, "Can't set uid.");
+ goto bad;
+ }
+ if (guest || dochroot) { /* do nothing, handled above */
} else if (chdir(pw->pw_dir) < 0) {
if (chdir("/") < 0) {
reply(530, "User %s: can't change directory to %s.",
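Review bot: with the chdir() now executed after seteuid(), the `No directory! Logging in with home=/` fallback that follows these lines no longer distinguishes a home that does not exist from one the user cannot enter at all; include strerror(errno) in that lreply() or in a syslog() line so that a permission problem is told apart from a missing directory in the logs. The ordering itself is the right fix: after `reply(550, "Can't set uid.")` / `goto bad`, no path lookup runs with the effective uid still 0.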
@@ -1167,10 +1174,7 @@
} else
lreply(230, "No directory! Logging in with home=/");
}
- if (seteuid((uid_t)pw->pw_uid) < 0) {
- reply(550, "Can't set uid.");
- goto bad;
- }
+
sigfillset(&allsigs);
sigprocmask(SIG_UNBLOCK,&allsigs,NULL);
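Review bot: the removed seteuid() block is replaced by a bare `+` line, i.e. a new blank line; drop it so the hunk is a pure removal and does not leave a stray empty line before `sigfillset(&allsigs);`. Moving the check above the chdir() (previous hunk) is the substance of the fix and is correct.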
@@ -1408,7 +1412,8 @@
goto bad;
sleep(tries);
}
- (void) seteuid((uid_t)pw->pw_uid);
+/* PSz 25 Aug 06 Check return status */
+ if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
sigfillset(&allsigs);
sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
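Review bot: `_exit(1)` on a failed seteuid() fails closed, which is correct, but it exits without a reply() or a syslog() entry, so the client sees a dropped connection and the operator sees nothing; log the failure (requested uid, errno) before exiting so a daemon that could not shed root is visible in the logs. The `/* PSz 25 Aug 06 ... */` comment at column 0 also breaks the file's indentation; indent it with the statement it describes.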
@@ -1440,7 +1445,8 @@
bad:
/* Return the real value of errno (close may change it) */
t = errno;
- (void) seteuid((uid_t)pw->pw_uid);
+/* PSz 25 Aug 06 Check return status */
+ if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);
sigfillset (&allsigs);
sigprocmask (SIG_UNBLOCK, &allsigs, NULL);
(void) close(s);
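Review bot: same missing log entry as in the previous hunk, plus one subtlety: this is the `bad:` error path that saves `t = errno` so that `close(s)` cannot clobber it, and the new `if (seteuid((uid_t)pw->pw_uid) != 0) _exit(1);` now sits between the save and the close. That is fine only because the failure branch exits rather than continuing; a short comment saying so would stop a later edit from turning the `_exit` into a `return` and reporting a stale errno.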
Message #25 received at 384454@bugs.debian.org, from Paul Szabo <psz@maths.usyd.edu.au> (forwarded to debian-bugs-dist@lists.debian.org and Alberto Gonzalez Iniesta <agi@inittab.org>):
I wrote earlier:
> ... the final leaf cannot be a symlink ...
> ... do not know what misdeeds I can do ...
Too little coffee?
Yes, the final leaf can be a symlink. This is exploitable when a user
can control the resolution of his home directory: when he also owns
the directory above (or for NFS mounts owns the machine serving it).
Can access objects that were protected with permissions of directories
above. Many users are in the habit of having world-accessible
subdirectories and files, because their home dir has safe mode 700.
I see many /root/bin directories with mode 755, protected by /root
being mode 700. Much more fun if /root/bin was mode 777...
Please fix. Please issue DSA.
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Tags added: security, patch, upstream. Request was from Paul Szabo <psz@maths.usyd.edu.au> to control@bugs.debian.org.
Severity set to `critical' from `normal'. Request was from Paul Szabo <psz@maths.usyd.edu.au> to control@bugs.debian.org.
Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>: You have taken responsibility. Notification sent to Paul Szabo <psz@maths.usyd.edu.au>: Bug acknowledged by developer.
Message #34 received at 384454-close@bugs.debian.org:
Source: linux-ftpd
Source-Version: 0.17-22
We believe that the bug you reported is fixed in the latest version of
linux-ftpd, which is due to be installed in the Debian FTP archive:
ftpd_0.17-22_i386.deb
to pool/main/l/linux-ftpd/ftpd_0.17-22_i386.deb
linux-ftpd_0.17-22.diff.gz
to pool/main/l/linux-ftpd/linux-ftpd_0.17-22.diff.gz
linux-ftpd_0.17-22.dsc
to pool/main/l/linux-ftpd/linux-ftpd_0.17-22.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 384454@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated linux-ftpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Fri, 15 Sep 2006 13:14:25 +0200
Source: linux-ftpd
Binary: ftpd
Architecture: source i386
Version: 0.17-22
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description:
ftpd - FTP server
Closes: 384454
Changes:
linux-ftpd (0.17-22) unstable; urgency=high
.
* Fixing two security bugs:
- Fixed ftpd from doing chdir while running as root.
(Closes: #384454) Thanks a lot to Paul Szabo for finding out
and the patch.
- Check the return value from setuid calls to avoid running
code as root. Thanks Paul Szabo for the patch.
Message #39 received at 384454@bugs.debian.org, from Stefan Cornelius <stefan.cornelius@gmail.com> (forwarded to debian-bugs-dist@lists.debian.org and Alberto Gonzalez Iniesta <agi@inittab.org>):
Hey, please check this here:
http://bugs.gentoo.org/show_bug.cgi?id=155317
I had a quick look this morning, and it seems like you included a broken
patch?
Cheers,
Stefan
Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>: You have taken responsibility. Notification sent to Paul Szabo <psz@maths.usyd.edu.au>: Bug acknowledged by developer.
Message #44 received at 384454-close@bugs.debian.org:
Source: linux-ftpd
Source-Version: 0.17-20sarge2
We believe that the bug you reported is fixed in the latest version of
linux-ftpd, which is due to be installed in the Debian FTP archive:
ftpd_0.17-20sarge2_i386.deb
to pool/main/l/linux-ftpd/ftpd_0.17-20sarge2_i386.deb
linux-ftpd_0.17-20sarge2.diff.gz
to pool/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.diff.gz
linux-ftpd_0.17-20sarge2.dsc
to pool/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 384454@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated linux-ftpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 25 Sep 2006 12:04:40 +0200
Source: linux-ftpd
Binary: ftpd
Architecture: source i386
Version: 0.17-20sarge2
Distribution: stable-security
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description:
ftpd - FTP server
Closes: 384454
Changes:
linux-ftpd (0.17-20sarge2) stable-security; urgency=high
.
* Sarge security release.
* Fixed ftpd from doing chdir while running as root.
(Closes: #384454) Thanks a lot to Paul Szabo for finding out
and the patch. (CVE-2006-5778)
Message #49 received at 384454@bugs.debian.org, from Paul Szabo <psz@maths.usyd.edu.au> (forwarded to debian-bugs-dist@lists.debian.org and Alberto Gonzalez Iniesta <agi@inittab.org>):
Dear Maintainer,
Yes, the bug in the patch was mine: meant to check the return status of
setgid(getegid()) but somehow managed to mis-type that into
setgid(geteuid()). Stupid mistake. Shame on me.
Now, linux-ftpd_0.17-20sarge2.diff.gz was dated September 2006 as per
your latest "closure" message
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384454;msg=44
(or maybe 20 Nov 2006 as per
http://www.debian.org/security/2006/dsa-1217
or 13 Nov 2006 as the date on current
http://security.debian.org/pool/updates/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.diff.gz
) and contains the "wrong" patch.
So this seems fixed in etch 0.17-23 since 25 Nov 2006, but not yet in
sarge (==stable) 0.17-20sarge2. Please fix for sarge also.
Thanks,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Message #54 received at 384454@bugs.debian.org, from Alberto Gonzalez Iniesta <agi@inittab.org> (forwarded to debian-bugs-dist@lists.debian.org):
On Sun, Feb 18, 2007 at 07:24:16AM +1100, Paul Szabo wrote:
> Dear Maintainer,
>
> Yes, the bug in the patch was mine: meant to check the return status of
> setgid(getegid()) but somehow managed to mis-type that into
> setgid(geteuid()). Stupid mistake. Shame on me.
>
> Now, linux-ftpd_0.17-20sarge2.diff.gz was dated September 2006 as per
> your latest "closure" message
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384454;msg=44
> (or maybe 20 Nov 2006 as per
> http://www.debian.org/security/2006/dsa-1217
> or 13 Nov 2006 as the date on current
> http://security.debian.org/pool/updates/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.diff.gz
> ) and contains the "wrong" patch.
>
> So this seems fixed in etch 0.17-23 since 25 Nov 2006, but not yet in
> sarge (==stable) 0.17-20sarge2. Please fix for sarge also.
I sent the fix to the security team, but they decided to ignore it.
I wasn't in the mood to fight with them... Feel free to contact them at
team@security.debian.org. You can Cc me if you want.
Regards,
Alberto
--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Message #59 received at 384454@bugs.debian.org, from Paul Szabo <psz@maths.usyd.edu.au> (forwarded to debian-bugs-dist@lists.debian.org and Alberto Gonzalez Iniesta <agi@inittab.org>):
Dear Security team,
A stupid little bug crept into (was left in) #384454 and DSA-1217.
My fault originally: I humbly apologize. Please correct it for sarge.
Thanks,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Message #64 received at 384454@bugs.debian.org, from Alberto Gonzalez Iniesta <agi@inittab.org> (forwarded to debian-bugs-dist@lists.debian.org):
On Sun, Feb 18, 2007 at 09:34:49PM +1100, Paul Szabo wrote:
> Dear Security team,
>
> A stupid little bug crept into (was left in) #384454 and DSA-1217.
> My fault originally: I humbly apologize. Please correct it for sarge.
>
Hi all,
I already asked this, but it wasn't considered important by the sec team.
I'm attaching my previous mail.
Alberto
--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Attached earlier mail follows:
On Wed, Nov 22, 2006 at 12:05:34PM +0100, Moritz Muehlenhoff wrote:
> Alberto Gonzalez Iniesta wrote:
> > I just noticed that the package was updated two days ago. I hope I can
> > have a new one today. Or would it be faster if the Sec. Team just applies
> > the changed mention in my mail?
> >
> > Sorry for this.
>
> If you can upload a fixed package today, go ahead. I don't think this will ever
> be triggered in practice, though. The intersection of people running 2.6
> kernels with nproc ressource limits in their PAM config and people running
> legacy netkit ftpds is most definitely empty.
Hi Moritz, the problem with the previous bug was that 2.6 kernels DO
set process limits, whether we want them or not. And the ftpd
package installs a pam.d configuration file with this line:
session required pam_limits.so
So I guess the problem was indeed there and possible to exploit.
Anyway, the patch we (and Gentoo) used introduced a new, easier to
exploit, bug. The ftpd server is running commands with EGID 'root'
instead of the user's one.
And as you know, this is not kernel or local configuration dependent.
I've just uploaded a fixed version to Sid.
Please find attached the diff file for linux-ftpd_0.17-20sarge3. With
the following differences from linux-ftpd_0.17-20sarge2:
---- CUT ------ CUT ------
diff -u linux-ftpd-0.17/ftpd/popen.c linux-ftpd-0.17/ftpd/popen.c
--- linux-ftpd-0.17/ftpd/popen.c
+++ linux-ftpd-0.17/ftpd/popen.c
@@ -174,7 +174,7 @@
* PSz 25 Aug 06 Must check the return status of these setgid/setuid calls,
* see http://www.bress.net/blog/archives/34-setuid-madness.html
*/
- if ( setgid(geteuid()) != 0 ) _exit(1);
+ if ( setgid(getegid()) != 0 ) _exit(1);
if ( setuid(i) != 0 ) _exit(1);
#ifndef __linux__
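Review bot: the one-character change restores `getegid()` and is the correct fix for the EGID-root problem. While this spot is being touched, the `XXX ... shouldn't we initgroups, or at least setgroups(0,0)?` question just above it (visible in the Message #20 hunk) is still open: a child that exec()s with root's supplementary group list intact is the same class of problem, so a checked `setgroups(0, NULL)` before the `setgid()` call would close it in the same upload.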
--- linux-ftpd-0.17/debian/changelog
+++ linux-ftpd-0.17/debian/changelog
@@ -1,3 +1,13 @@
+linux-ftpd (0.17-20sarge3) stable-security; urgency=high
+
+ * Sarge security release.
+ * Corrected typo in patch used in previous upload that
+ made the server run some commands with EGID 'root'.
+ Thanks to Matt Power (for finding out) and
+ Stefan Cornelius from Gentoo (for warning me).
+
+ -- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 25 Nov 2006 19:38:59 +0100
+
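Review bot: the entry says which commands ran with EGID root only in general terms; naming the file (ftpd/popen.c) and the version that introduced the typo (0.17-20sarge2, the DSA-1217 build) would let readers of the advisory map this erratum to the earlier change, and the sarge2 entry cited CVE-2006-5778 where this one cites nothing, so a cross-reference to that id would keep the two entries traceable to each other.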
---- CUT ------ CUT ------
Regards,
Alberto
--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
Message #69 received at 384454@bugs.debian.org, from Paul Szabo <psz@maths.usyd.edu.au> (forwarded to debian-bugs-dist@lists.debian.org and Alberto Gonzalez Iniesta <agi@inittab.org>):
Dear Security team,
> A stupid little bug crept into (was left in) #384454 and DSA-1217.
> My fault originally: I humbly apologize. Please correct it for sarge.
Please see also:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052578.html
(and bugtraq if/when they accept).
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Message #74 received at 384454@bugs.debian.org, from Paul Szabo <psz@maths.usyd.edu.au> (forwarded to debian-bugs-dist@lists.debian.org and Alberto Gonzalez Iniesta <agi@inittab.org>):
Dear Security team,
I wrote:
> A stupid little bug crept into (was left in) #384454 and DSA-1217.
> My fault originally: I humbly apologize. Please correct it for sarge.
> Please see also:
> http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052578.html
> (and bugtraq if/when they accept).
Bugtraq accepted also:
http://www.securityfocus.com/archive/1/460742
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Mon, 25 Jun 2007 22:22:11 GMT).