oss-sec mailing list archives

Re: vsftpd problem in deny_hosts

From: Marcus Meissner <meissner () suse de>
Date: Tue, 3 Feb 2015 15:23:37 +0100

On Tue, Feb 03, 2015 at 12:45:24PM +0300, Solar Designer wrote:

On Tue, Feb 03, 2015 at 09:28:36AM +0100, Marcus Meissner wrote:

IBM reported to us a problem in vsftpd deny_hosts problem.

CVE-2015-1419

https://bugzilla.novell.com/show_bug.cgi?id=915522

Description;
 Set the option "deny_file" in /etc/vsftpd.conf on a top-directory (for example "deny_file=/home/*")
 Then log in with ftp and try to cd to "/home/" first, which will fail, then try to cd to "/./home/" which will 
succeed!
 The latter case shouldn't be possible as well!


What does upstream say about this?  (CC'ing.)


Due to internal communication troubles we had not contacted upstream.

Sorry for that. :(

Ciao, Marcus

Current thread:

vsftpd problem in deny_hosts Marcus Meissner (Feb 03)
- Re: vsftpd problem in deny_hosts Solar Designer (Feb 03)
  - Re: vsftpd problem in deny_hosts Marcus Meissner (Feb 03)
  - Re: vsftpd problem in deny_hosts Moritz Muehlenhoff (Feb 03)
    - Re: vsftpd problem in deny_hosts Chris Evans (Feb 03)
    - Re: vsftpd problem in deny_hosts Joshua J. Drake (Feb 03)