proftpd mod_copy issue (CVE-2015-3306)

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

This is a little bit high for me.
I downloaded the debian/ubuntu pakages and created debdiffs (debdiff debian ubuntu)
I hope this helps somehow.

The pakages and the diffs are in the attachment.

Hi ft - unfortunately, there are no usable debdiffs in the tar file that you uploaded. Instructions on the security update packaging process can be found here:

  https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

Has this been released to 14.04 LTS?

This has not been fixed in 14.04 LTS. Came here after discovering hacking attempts. Sadly.

Anton, are you able to provide updates? See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation for some information on preparing updates.

Thanks

Need help on this one?

Any update on these? I'm seeing ubuntu 14.04 servers hacked regularly because of this vulnerability.

Upstream released the fix a year ago or so already!

Thomasz, are you able to provide updates? See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation for some information on preparing updates.

Thanks

I think backporting a package from 16.04 should be enough?

Attaching debdiff of upstream patch for trusty package. Precise is also vulnerable, so I will mark that as well while I work on that next.

My primary test before/after patch:

220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:10.129.53.2]
USER bmorton
331 Password required for bmorton
PASS *******
230 User bmorton logged in
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto /tmp/passwd.copy
250 Copy successful

220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:10.129.53.2]
site cpfr /etc/passwd
Connection closed by foreign host.

Attaching debdiff of upstream patch for precise. Tested in same manner as trusty.

The attachment "Upstream patch applied for trusty" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Adding reworked patch for trusty that fixes an API issue with returning the error code/message and is more minimal and appropriate for a backported fix.

Adding reworked patch for precise that fixes an API issue with returning the error code/message and is more minimal and appropriate for a backported fix.

Hi Brian - Thanks for the debdiffs and your work to improve the security of Ubuntu. :)

During my review of the debdiffs, I noticed a few minor issues:

1) I had to run the debdiffs through dos2unix to make the patch utility happy
2) I had to add a single newline to the end of the debdiffs to make the patch utility happy
3) I adjusted the precise version from 1.3.4a-2 to 1.3.4a-1ubuntu0.1, as documented in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

As mentioned, these were minor issues and everything else looked good to me.

As for the backport, I think it was probably a good idea that you left out the configuration changes. It would have been better if the testing changes could have been included (assuming that the tests are run at build time, I haven't checked) but the patch is simple enough that I have confidence that it is correct.

Thanks again. I'll be uploading these changes soon.

This bug was fixed in the package proftpd-dfsg - 1.3.4a-1ubuntu0.1

---------------
proftpd-dfsg (1.3.4a-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: The mod_copy module in ProFTPD 1.3.4a allows remote
    attackers to read and write to arbitrary files via the site cpfr and
    site cpto commands. (LP: #1462311)
    - debian/patches/CVE-2015-3306.patch: adjust contrib/mod_copy.c to
      check authentication status. Based on upstream patch.
    - CVE-2015-3306

 -- Brian Morton <email address hidden> Sat, 4 Dec 2016 15:16:02 -0500

This bug was fixed in the package proftpd-dfsg - 1.3.5~rc3-2.1ubuntu2.1

---------------
proftpd-dfsg (1.3.5~rc3-2.1ubuntu2.1) trusty-security; urgency=low

  * SECURITY UPDATE: The mod_copy module in ProFTPD 1.3.5 allows remote
    attackers to read and write to arbitrary files via the site cpfr and
    site cpto commands. (LP: #1462311)
    - debian/patches/CVE-2015-3306.patch: adjust contrib/mod_copy.c to
      check authentication status. Based on upstream patch.
    - CVE-2015-3306

 -- Brian Morton <email address hidden> Sat, 4 Dec 2016 15:34:12 -0500