oss-sec mailing list archives

CVE Request -- proFTPD (X < 1.3.5.rc1): Symlink race condition when applying UserOwner to a newly (ProFTPD) created directory


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 7 Jan 2013 11:55:54 -0500 (EST)

Hello Kurt, Steve, vendors,

  proFTPD upstream has recently released v1.3.5.rc1:
[1] http://proftpd.org/docs/NEWS-1.3.5rc1
correcting one security issue:

A time-of-check time-of-use (TOCTOU) race condition
flaw was found in the way ProFTPD, a flexible, stable
and highly configurable FTP server, handled MKD/XMKD
FTP commands when the UserOwner directive was involved.
A local attacker could use this flaw to possibly escalate
their privileges via symbolic-link attacks on directories
created by ProFTPD before the UserOwner ownership was applied.

Upstream bug report:
[2] http://bugs.proftpd.org/show_bug.cgi?id=3841

Relevant upstream patch:
[3] http://bugs.proftpd.org/show_bug.cgi?id=3841#c8

References:
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697524
[5] https://bugzilla.redhat.com/show_bug.cgi?id=892715

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
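
The flaw class described in the message above, as an added example that is not part of the original post and not ProFTPD's code or its upstream patch: a generic create-then-chown sequence that resolves the path twice, next to a variant that applies ownership through a file descriptor opened with `O_NOFOLLOW`. The function names are hypothetical, and the hardened variant addresses only the symlink-following case.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the path is resolved twice. chown() follows symlinks, so
 * whatever the name points at when the second call runs gets the new owner. */
int mkdir_chown_racy(const char *path, mode_t mode, uid_t uid, gid_t gid)
{
    if (mkdir(path, mode) != 0)
        return -1;
    /* window: the name can be replaced here by anyone able to write the parent */
    return chown(path, uid, gid);
}

/* Change ownership only if the final path component is a real directory.
 * O_NOFOLLOW makes open() fail on a symlink (ELOOP or ENOTDIR), and
 * fchown() then acts on the opened inode, not on the name. */
int chown_dir_nofollow(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
        rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Hardened create-then-own sequence built on the helper above. */
int mkdir_chown_nofollow(const char *path, mode_t mode, uid_t uid, gid_t gid)
{
    if (mkdir(path, mode) != 0)
        return -1;
    return chown_dir_nofollow(path, uid, gid);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s NEWDIR\n", argv[0]);
        return 2;
    }
    return mkdir_chown_nofollow(argv[1], 0755, geteuid(), getegid()) ? 1 : 0;
}
```

The fix ProFTPD actually shipped is the patch linked as [3] in the message; this sketch only shows why acting on an open descriptor removes the second path lookup that a symlink swap depends on.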

