[proftpd-dfsg] 01/03: New upstream version 1.3.5e

Francesco Lovergine frankie at moszumanska.debian.org
Fri Jul 7 11:18:08 UTC 2017


This is an automated email from the git hooks/post-receive script.

frankie pushed a commit to branch master
in repository proftpd-dfsg.

commit 625802bc21fa2510d93b9a8708435a810760678c
Author: Francesco Paolo Lovergine <frankie at debian.org>
Date:   Fri Jul 7 12:06:25 2017 +0200

    New upstream version 1.3.5e
---
 NEWS                          |  8 +++++
 RELEASE_NOTES                 |  8 +++++
 contrib/dist/rpm/proftpd.spec |  2 +-
 contrib/mod_sftp/mac.c        | 35 ++++++++++--------
 include/version.h             |  4 +--
 modules/mod_auth.c            | 83 +++++++++++++++++++++++++++++++++----------
 6 files changed, 104 insertions(+), 36 deletions(-)

diff --git a/NEWS b/NEWS
index de2c98b..2734c74 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,14 @@
   where `N' is the bug number.
 -----------------------------------------------------------------------------
 
+1.3.5e - Released 09-Apr-2017
+--------------------------------
+- Bug 4287 - SFTP clients using umac-64 at openssh.com digest fail to connect.
+- Bug 4288 - SFTP rekeying failure with ProFTPD 1.3.5d, caused by null
+  pointer dereference.
+- Bug 4295 - AllowChrootSymlinks off does not check entire DefaultRoot path
+  for symlinks (CVE-2017-7418).
+
 1.3.5d - Released 15-Jan-2017
 --------------------------------
 - Bug 4283 - All FTP logins treated as anonymous logins again.  This is a
diff --git a/RELEASE_NOTES b/RELEASE_NOTES
index b67256b..21a22ad 100644
--- a/RELEASE_NOTES
+++ b/RELEASE_NOTES
@@ -6,6 +6,14 @@ This file contains a description of the major changes to ProFTPD for the
 releases.  More information on these changes can be found in the NEWS and
 ChangeLog files.
 
+1.3.5e
+---------
+  + Fixed SFTP issue with umac-64 at openssh.com digest/MAC.
+  + Fixed regression with mod_sftp rekeying.
+  + Backported fix for "AllowChrootSymlinks off" checking each component
+    for symlinks (CVE-2017-7418).
+
+
 1.3.5d
 ---------
 
diff --git a/contrib/dist/rpm/proftpd.spec b/contrib/dist/rpm/proftpd.spec
index c79b07d..bc8251f 100644
--- a/contrib/dist/rpm/proftpd.spec
+++ b/contrib/dist/rpm/proftpd.spec
@@ -48,7 +48,7 @@
 #
 # NOTE: rpmbuild is really bloody stupid, and CANNOT handle a leading '#'
 # character followed by a '%' character.  
-%global release_cand_version      d
+%global release_cand_version      e
 
 %global usecvsversion             0%{?_with_cvs:1}
 
diff --git a/contrib/mod_sftp/mac.c b/contrib/mod_sftp/mac.c
index e5713b3..2b12e04 100644
--- a/contrib/mod_sftp/mac.c
+++ b/contrib/mod_sftp/mac.c
@@ -1,6 +1,6 @@
 /*
  * ProFTPD - mod_sftp MACs
- * Copyright (c) 2008-2016 TJ Saunders
+ * Copyright (c) 2008-2017 TJ Saunders
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -103,6 +103,7 @@ static unsigned int get_next_write_index(void) {
 static void switch_read_mac(void) {
   /* First we can clear the read MAC, kept from rekeying. */
   if (read_macs[read_mac_idx].key) {
+    clear_mac(&(read_macs[read_mac_idx]));
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
     HMAC_CTX_reset(hmac_read_ctxs[read_mac_idx]);
 #elif OPENSSL_VERSION_NUMBER > 0x000907000L
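Review bot: Only the read side gains a `clear_mac()` call in this commit, and the `switch_write_mac` hunk starts below the point where the matching call would sit, so it is not visible whether the write MAC is cleared the same way before its context is reset. If `switch_write_mac` lacks it, the previous write key would presumably stay in `write_macs[write_mac_idx]` across a rekey. The symmetric line would be `clear_mac(&(write_macs[write_mac_idx]));`. The function body continues outside the hunk.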
@@ -111,7 +112,9 @@ static void switch_read_mac(void) {
     HMAC_cleanup(hmac_read_ctxs[read_mac_idx]);
 #endif
 
-    umac_reset(umac_read_ctxs[read_mac_idx]);
+    if (umac_read_ctxs[read_mac_idx] != NULL) {
+      umac_reset(umac_read_ctxs[read_mac_idx]);
+    }
 
     mac_blockszs[read_mac_idx] = 0; 
 
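Review bot: The new NULL guard has no comment explaining when `umac_read_ctxs[read_mac_idx]` can be NULL, and the same applies to the guard added in `switch_write_mac`. From the rest of this commit, the context appears to be allocated only when the umac-64 algorithm is selected. A comment above the `if`, such as `/* UMAC contexts exist only when a UMAC algorithm was negotiated; NULL for HMAC. */`, would keep a later cleanup from removing the check. Both functions continue outside their hunks.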
@@ -137,7 +140,9 @@ static void switch_write_mac(void) {
     HMAC_cleanup(hmac_write_ctxs[write_mac_idx]);
 #endif
 
-    umac_reset(umac_write_ctxs[write_mac_idx]);
+    if (umac_write_ctxs[write_mac_idx] != NULL) {
+      umac_reset(umac_write_ctxs[write_mac_idx]);
+    }
 
     /* Now we can switch the index. */
     if (write_mac_idx == 1) {
@@ -626,6 +631,11 @@ int sftp_mac_set_read_algo(const char *algo) {
     idx = get_next_read_index();
   }
 
+  if (umac_read_ctxs[idx] != NULL) {
+    umac_delete(umac_read_ctxs[idx]);
+    umac_read_ctxs[idx] = NULL;
+  }
+
   read_macs[idx].digest = sftp_crypto_get_digest(algo, &mac_len);
   if (read_macs[idx].digest == NULL) {
     return -1;
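Review bot: With the `umac_delete()` calls dropped from `sftp_mac_free()` later in this diff, this delete-before-reassign (and the matching one in `sftp_mac_set_write_algo`) becomes the only place a UMAC context is released. The contexts for the last negotiated algorithm are therefore never freed at teardown. They presumably hold keyed MAC state, which then stays in memory until the process exits. I would keep the teardown but guard it, e.g. `if (umac_read_ctxs[0] != NULL) { umac_delete(umac_read_ctxs[0]); umac_read_ctxs[0] = NULL; }` for each of the four slots. The function body continues outside the hunk.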
@@ -634,6 +644,7 @@ int sftp_mac_set_read_algo(const char *algo) {
   read_macs[idx].algo = algo;
   if (strncmp(read_macs[idx].algo, "umac-64 at openssh.com", 12) == 0) {
     read_macs[idx].algo_type = SFTP_MAC_ALGO_TYPE_UMAC64;
+    umac_read_ctxs[idx] = umac_alloc();
 
   } else {
     read_macs[idx].algo_type = SFTP_MAC_ALGO_TYPE_HMAC;
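Review bot: The result of `umac_alloc()` is stored without a check, here and at the same spot in `sftp_mac_set_write_algo`. If it can return NULL (its definition is not in this diff), the slot is left marked `SFTP_MAC_ALGO_TYPE_UMAC64` with no context. The new NULL guards in `switch_read_mac`/`switch_write_mac` would skip the reset, but any code that computes the UMAC would still receive a NULL context. Failing the negotiation is safer: `if (umac_read_ctxs[idx] == NULL) { errno = ENOMEM; return -1; }`. The enclosing if/else and the function continue past the hunk.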
@@ -730,6 +741,11 @@ int sftp_mac_set_write_algo(const char *algo) {
     idx = get_next_write_index();
   }
 
+  if (umac_write_ctxs[idx] != NULL) {
+    umac_delete(umac_write_ctxs[idx]);
+    umac_write_ctxs[idx] = NULL;
+  }
+
   write_macs[idx].digest = sftp_crypto_get_digest(algo, &mac_len);
   if (write_macs[idx].digest == NULL) {
     return -1;
@@ -738,6 +754,7 @@ int sftp_mac_set_write_algo(const char *algo) {
   write_macs[idx].algo = algo;
   if (strncmp(write_macs[idx].algo, "umac-64 at openssh.com", 12) == 0) {
     write_macs[idx].algo_type = SFTP_MAC_ALGO_TYPE_UMAC64;
+    umac_write_ctxs[idx] = umac_alloc();
 
   } else {
     write_macs[idx].algo_type = SFTP_MAC_ALGO_TYPE_HMAC;
@@ -846,17 +863,5 @@ int sftp_mac_free(void) {
   HMAC_CTX_free(hmac_write_ctxs[1]);
 #endif /* OpenSSL-1.1.0 and later */
 
-  umac_delete(umac_read_ctxs[0]);
-  umac_read_ctxs[0] = NULL;
-
-  umac_delete(umac_read_ctxs[1]);
-  umac_read_ctxs[1] = NULL;
-
-  umac_delete(umac_write_ctxs[0]);
-  umac_write_ctxs[0] = NULL;
-
-  umac_delete(umac_write_ctxs[1]);
-  umac_write_ctxs[1] = NULL;
-
   return 0;
 }
diff --git a/include/version.h b/include/version.h
index 8fe3652..f06055a 100644
--- a/include/version.h
+++ b/include/version.h
@@ -1,8 +1,8 @@
 #include "buildstamp.h"
 
 /* Application version (in various forms) */
-#define PROFTPD_VERSION_NUMBER		0x0001030510
-#define PROFTPD_VERSION_TEXT		"1.3.5d"
+#define PROFTPD_VERSION_NUMBER		0x0001030511
+#define PROFTPD_VERSION_TEXT		"1.3.5e"
 
 /* Module API version */
 #define PR_MODULE_API_VERSION		0x20
diff --git a/modules/mod_auth.c b/modules/mod_auth.c
index 3865761..4102159 100644
--- a/modules/mod_auth.c
+++ b/modules/mod_auth.c
@@ -2,7 +2,7 @@
  * ProFTPD - FTP server daemon
  * Copyright (c) 1997, 1998 Public Flood Software
  * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <macgyver at tos.net>
- * Copyright (c) 2001-2016 The ProFTPD Project team
+ * Copyright (c) 2001-2017 The ProFTPD Project team
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -688,9 +688,66 @@ static char *get_default_chdir(pool *p, xaset_t *conf) {
   return dir;
 }
 
-/* Determine if the user (non-anon) needs a default root dir other than /.
- */
+static int is_symlink_path(pool *p, const char *path, size_t pathlen) {
+  int res, xerrno = 0;
+  struct stat st;
+  char *ptr;
+
+  if (pathlen == 0) {
+    return 0;
+  }
+
+  pr_fs_clear_cache();
+  res = pr_fsio_lstat(path, &st);
+  if (res < 0) {
+    xerrno = errno;
+
+    pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
+      strerror(xerrno));
+
+    errno = xerrno;
+    return -1;
+  }
 
+  if (S_ISLNK(st.st_mode)) {
+    errno = EPERM;
+    return -1;
+  }
+
+  /* To handle the case where a component further up the path might be a
+   * symlink (which lstat(2) will NOT handle), we walk the path backwards,
+   * calling ourselves recursively.
+   */
+
+  ptr = strrchr(path, '/');
+  if (ptr != NULL) {
+    char *new_path;
+    size_t new_pathlen;
+
+    pr_signals_handle();
+
+    new_pathlen = ptr - path;
+
+    /* Make sure our pointer actually changed position. */
+    if (new_pathlen == pathlen) {
+      return 0;
+    }
+
+    new_path = pstrndup(p, path, new_pathlen);
+
+    pr_log_debug(DEBUG10,
+      "AllowChrootSymlink: path '%s' not a symlink, checking '%s'", path,
+      new_path);
+    res = is_symlink_path(p, new_path, new_pathlen);
+    if (res < 0) {
+      return -1;
+    }
+  }
+
+  return 0;
+}
+
+/* Determine if the user (non-anon) needs a default root dir other than /. */
 static int get_default_root(pool *p, int allow_symlinks, char **root) {
   config_rec *c = NULL;
   char *dir = NULL;
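Review bot: `is_symlink_path()` checks each component with `pr_fsio_lstat()` on a path string, so the result is only valid at the moment of the walk. If the logging-in user can write to any directory along the DefaultRoot path, a component could become a symlink between this check and the later chroot, which is outside this hunk. The function has no header comment, and this limitation belongs in one. I would add a block comment stating the contract: returns 0 when no component is a symlink, -1 with `errno` set to `EPERM` when one is, and -1 with the `lstat` errno otherwise. It should also note that the check is reliable only when the directories above the root are not writable by that user. `get_default_root` begins at the end of this hunk and continues outside it.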
@@ -733,7 +790,6 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) {
 
       if (allow_symlinks == FALSE) {
         char *path, target_path[PR_TUNABLE_PATH_MAX + 1];
-        struct stat st;
         size_t pathlen;
 
         /* First, deal with any possible interpolation.  dir_realpath() will
@@ -764,22 +820,13 @@ static int get_default_root(pool *p, int allow_symlinks, char **root) {
           path[pathlen-1] = '\0';
         }
 
-        pr_fs_clear_cache();
-        res = pr_fsio_lstat(path, &st);
+        res = is_symlink_path(p, path, pathlen);
         if (res < 0) {
-          xerrno = errno;
-
-          pr_log_pri(PR_LOG_WARNING, "error: unable to check %s: %s", path,
-            strerror(xerrno));
-
-          errno = xerrno;
-          return -1;
-        }
+          if (errno == EPERM) {
+            pr_log_pri(PR_LOG_WARNING, "error: DefaultRoot %s is a symlink "
+              "(denied by AllowChrootSymlinks config)", path);
+          }
 
-        if (S_ISLNK(st.st_mode)) {
-          pr_log_pri(PR_LOG_WARNING,
-            "error: DefaultRoot %s is a symlink (denied by AllowChrootSymlinks "
-            "config)", path);
           errno = EPERM;
           return -1;
         }
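Review bot: Every failure from `is_symlink_path()` is now turned into `EPERM` by the unconditional `errno = EPERM;`, whereas the removed code passed the real `lstat` errno back to the caller. A missing or unreadable DefaultRoot thus becomes indistinguishable from a denied symlink. The warning also prints the full `path` even when the symlink is an ancestor component, which is named only in the DEBUG10 message. Assuming `xerrno` is still declared earlier in `get_default_root` (the removed lines used it), I would capture `xerrno = errno;` right after the call, test `xerrno == EPERM` for the log, and finish with `errno = xerrno; return -1;`. The function starts and ends outside this hunk.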

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-proftpd/proftpd-dfsg.git


