Debian Bug report logs -
#697524
proftpd-basic: CVE-2012-6095: Possible symlink race when applying UserOwner
Reported by: Jann Horn <jannhorn@googlemail.com>
Date: Sun, 6 Jan 2013 15:21:01 UTC
Severity: normal
Tags: security
Found in version proftpd-dfsg/1.3.4a-2
Fixed in version proftpd-dfsg/1.3.4a-3
Done: "Francesco P. Lovergine" <frankie@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, jannhorn@googlemail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#697524; Package proftpd-basic.
(Sun, 06 Jan 2013 15:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Jann Horn <jannhorn@googlemail.com>:
New Bug report received and forwarded. Copy sent to jannhorn@googlemail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>.
(Sun, 06 Jan 2013 15:21:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: proftpd-basic
Version: 1.3.4a-2+b1
Severity: normal
Tags: security
There's a symlink race that could lead to root access in some configurations. See here:
http://bugs.proftpd.org/show_bug.cgi?id=3841
There's an upstream bugfix, so that should probably be backported.
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.6.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages proftpd-basic depends on:
ii adduser 3.113+nmu3
ii debconf 1.5.49
ii debianutils 4.3.2
ii libacl1 2.2.51-8
ii libc6 2.13-37
ii libcap2 1:2.22-1.2
ii libncurses5 5.9-10
ii libpam-runtime 1.1.3-7.1
ii libpam0g 1.1.3-7.1
ii libpcre3 1:8.30-5
ii libssl1.0.0 1.0.1c-4
ii libtinfo5 5.9-10
ii libwrap0 7.6.q-24
ii netbase 5.0
ii sed 4.2.1-10
ii ucf 3.0025+nmu3
ii update-inetd 4.43
ii zlib1g 1:1.2.7.dfsg-13
proftpd-basic recommends no packages.
Versions of packages proftpd-basic suggests:
ii openbsd-inetd [inet-superserver] 0.20091229-2
ii openssl 1.0.1c-4
pn proftpd-doc <none>
pn proftpd-mod-ldap <none>
pn proftpd-mod-mysql <none>
pn proftpd-mod-odbc <none>
pn proftpd-mod-pgsql <none>
pn proftpd-mod-sqlite <none>
-- debconf information excluded
Information forwarded
to debian-bugs-dist@lists.debian.org, ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>:
Bug#697524; Package proftpd-basic.
(Mon, 07 Jan 2013 21:36:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to ProFTPD Maintainance Team <pkg-proftpd-maintainers@lists.alioth.debian.org>.
(Mon, 07 Jan 2013 21:36:09 GMT) (full text, mbox, link).
Message #10 received at 697524@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: retitle -1 proftpd-basic: CVE-2012-6095: Possible symlink race when applying UserOwner
Hi
On Sun, Jan 06, 2013 at 04:19:13PM +0100, Jann Horn wrote:
> Package: proftpd-basic
> Version: 1.3.4a-2+b1
> Severity: normal
> Tags: security
>
> There's a symlink race that could lead to root access in some configurations. See here:
> http://bugs.proftpd.org/show_bug.cgi?id=3841
>
> There's an upstream bugfix, so that should probably be backported.
A CVE was assigned to this issue: CVE-2012-6095. Please include this
CVE in changelog when fixing this issue.
Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]
Changed Bug title to 'proftpd-basic: CVE-2012-6095: Possible symlink race when applying UserOwner' from 'proftpd-basic: Apply upstream bugfix for upstream bug #3841 – Possible symlink race when applying UserOwner'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 697524-submit@bugs.debian.org.
(Mon, 07 Jan 2013 21:36:09 GMT) (full text, mbox, link).
Reply sent
to "Francesco P. Lovergine" <frankie@debian.org>:
You have taken responsibility.
(Tue, 08 Jan 2013 14:48:12 GMT) (full text, mbox, link).
Notification sent
to Jann Horn <jannhorn@googlemail.com>:
Bug acknowledged by developer.
(Tue, 08 Jan 2013 14:48:12 GMT) (full text, mbox, link).
Message #17 received at 697524-done@bugs.debian.org (full text, mbox, reply):
Package: proftpd-basic
Version: 1.3.4a-3
Fixed in unstable. Backported to 1.3.3 and stable (via DSA).
--
Francesco P. Lovergine
No longer marked as fixed in versions proftpd-basic/1.3.4a-3.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Thu, 31 Oct 2013 20:07:50 GMT) (full text, mbox, link).
Marked as fixed in versions proftpd-dfsg/1.3.4a-3.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org.
(Thu, 31 Oct 2013 20:07:51 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 29 Nov 2013 07:30:58 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:43:08 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon