Your message dated Thu, 12 Dec 2024 10:32:09 +0000
with message-id <e1tlgul-00fjec...@fasolo.debian.org>
and subject line Bug#1082326: fixed in proftpd-dfsg 1.3.8+dfsg-4+deb12u4
has caused the Debian Bug report #1082326,
regarding proftpd-dfsg: CVE-2024-48651: Supplemental group inheritance grants unintended access to GID 0 due to lack of supplemental groups from mod_sql
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1082326: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082326
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: proftpd-core
Version: 1.3.8+dfsg-4+deb12u3
Severity: grave

We've run into a problem with proftpd + mod_sftp + mod_sql, where a
user with no supplemental groups will incorrectly inherit supplemental
groups from the parent process. In ProFTPD Version 1.3.5, this
behavior resulted in users gaining supplemental membership in nogroup,
which had minimal security implications. In 1.3.8, it appears that the
parent process retains supplemental GID 0, which is inherited by child
processes and not overwritten if the authenticated user has no
supplemental groups.

On proftpd startup, the toplevel process supplemental groups were
previously set to those system groups associated with the user
specified in the User directive along with the group specified in the
Group directive. With the default config and system group membership,
this arrangement historically resulted in nogroup being the only
supplemental group. Since membership in nogroup provides essentially
no additional privilege, previous versions masked what appears to be a
longstanding (but questionable) behavior in proftpd where if a user
has no supplemental groups, the supplemental group memberships
inherited from the parent process are not discarded.

Unfortunately, the fix for
https://github.com/proftpd/proftpd/issues/808 removes code which
previously caused proftpd to overwrite its supplemental group
membership when configured to run as non-root. As a result, the
parent's supplemental group memberships at startup time (notably
supplemental GID 0) are retained and will be inherited by child
processes even if the User and Group directives are present. Users
with no supplemental groups of their own will keep this inherited
supplemental GID, granting them access to files/directories owned by
the root group.

-- 
Brian Ristuccia

--- End Message ---
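The report above describes a condition that is visible from outside the daemon: a session process that has switched to an unprivileged uid but still lists GID 0 in its supplementary groups. The following audit script is an added example (not part of the bug report, of Debian's packaging, or of proftpd itself). It parses the Name, Uid, Gid and Groups fields of /proc/<pid>/status on a Linux host and flags unprivileged processes that carry a sensitive supplementary GID; the status texts embedded below are constructed samples, and the default process-name filter "proftpd" is an assumption about what the session process reports as its comm name.

```python
"""Audit Linux processes for the condition in the report above: a process
that has switched to an unprivileged uid but still carries GID 0 among its
supplementary groups (inherited from the parent and never cleared).

Added example, not from the bug report or from proftpd. The sample status
texts are constructed, and the "proftpd" name filter is an assumption.
"""
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass
class ProcCreds:
    pid: int
    name: str
    uid: int           # real uid
    euid: int          # effective uid
    gid: int           # real gid
    egid: int          # effective gid
    groups: List[int]  # supplementary groups


def parse_status(text: str, pid: int = 0) -> ProcCreds:
    """Parse the credential-carrying key: value lines of /proc/<pid>/status."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    uids = [int(x) for x in fields.get("Uid", "0 0 0 0").split()]
    gids = [int(x) for x in fields.get("Gid", "0 0 0 0").split()]
    # "Groups:" is present but empty when the process has no supplementary groups.
    groups = [int(x) for x in fields.get("Groups", "").split()]
    return ProcCreds(pid, fields.get("Name", "?"),
                     uids[0], uids[1], gids[0], gids[1], groups)


def leaked_groups(creds: ProcCreds,
                  sensitive: FrozenSet[int] = frozenset({0})) -> List[int]:
    """Sensitive GIDs held as supplementary groups by a process whose effective
    uid is not root. Root-owned processes (the proftpd master) are out of scope:
    there a supplementary GID 0 adds no privilege the process lacks already."""
    if creds.euid == 0:
        return []
    return sorted(g for g in set(creds.groups) if g in sensitive)


def audit_status_texts(samples: Iterable[Tuple[int, str]],
                       name_filter: str = "proftpd",
                       sensitive: FrozenSet[int] = frozenset({0})
                       ) -> List[Tuple[ProcCreds, List[int]]]:
    """Return (creds, leaked GIDs) for every matching process that leaks."""
    findings = []
    for pid, text in samples:
        creds = parse_status(text, pid)
        if name_filter and creds.name != name_filter:
            continue
        leaked = leaked_groups(creds, sensitive)
        if leaked:
            findings.append((creds, leaked))
    return findings


def iter_proc_status() -> Iterable[Tuple[int, str]]:
    """Yield (pid, status text) for every readable process on a Linux host."""
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/status") as fh:
                    yield int(entry), fh.read()
            except OSError:
                continue  # process exited or is not readable


# Constructed samples (not captured from a real host), trimmed to the relevant fields.
MASTER_ROOT = "Name:\tproftpd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t0 65534 \n"
SESSION_VULNERABLE = ("Name:\tproftpd\nUid:\t1000\t1000\t1000\t1000\n"
                      "Gid:\t1000\t1000\t1000\t1000\nGroups:\t0 \n")
SESSION_FIXED = ("Name:\tproftpd\nUid:\t1000\t1000\t1000\t1000\n"
                 "Gid:\t1000\t1000\t1000\t1000\nGroups:\t \n")
SESSION_OWN_GROUPS = ("Name:\tproftpd\nUid:\t1001\t1001\t1001\t1001\n"
                      "Gid:\t1001\t1001\t1001\t1001\nGroups:\t1001 \n")
OTHER_PROCESS = ("Name:\tbash\nUid:\t1000\t1000\t1000\t1000\n"
                 "Gid:\t1000\t1000\t1000\t1000\nGroups:\t0 \n")
SAMPLES = [(1, MASTER_ROOT), (4242, SESSION_VULNERABLE), (4243, SESSION_FIXED),
           (4244, SESSION_OWN_GROUPS), (4245, OTHER_PROCESS)]


if __name__ == "__main__":
    source = iter_proc_status() if os.path.isdir("/proc") else SAMPLES
    for creds, leaked in audit_status_texts(source):
        print(f"pid {creds.pid} ({creds.name}) runs as uid {creds.euid} "
              f"but holds sensitive supplementary GIDs {leaked}")
```

Run it on the server while a user with no supplementary groups of their own is logged in over SFTP; on an affected build the session process shows up with GID 0, on a fixed one its Groups line is empty. Pass a different `name_filter` (or an empty string) to check other daemons that drop privileges the same way.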
--- Begin Message ---
Source: proftpd-dfsg
Source-Version: 1.3.8+dfsg-4+deb12u4
Done: Hilmar Preuße <hill...@debian.org>

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1082...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilmar Preuße <hill...@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 Nov 2024 23:32:48 +0100
Source: proftpd-dfsg
Architecture: source
Version: 1.3.8+dfsg-4+deb12u4
Distribution: bookworm-security
Urgency: high
Maintainer: ProFTPD Maintainance Team <pkg-proftpd-maintain...@alioth-lists.debian.net>
Changed-By: Hilmar Preuße <hill...@debian.org>
Closes: 1082326
Changes:
 proftpd-dfsg (1.3.8+dfsg-4+deb12u4) bookworm-security; urgency=high
 .
   * Add my Debian E-Mail address to Field Uploaders.
   * Patch for issue Issue #1830 (Closes: #1082326).
     Supplemental Group Inheritance Grants Unintended Access to GID 0
     (CVE-2024-48651).
Checksums-Sha1:
 969a8216d8a53a42c0973421f8543a3c24401b96 3437 proftpd-dfsg_1.3.8+dfsg-4+deb12u4.dsc
 a3a3cb2f11d74d68d2324a667cb01858048485b8 19437185 proftpd-dfsg_1.3.8+dfsg.orig.tar.gz
 e0797ae4e53c67663feb49f347637e7d5aebff22 88616 proftpd-dfsg_1.3.8+dfsg-4+deb12u4.debian.tar.xz
 f1dfdc74f305f08d986f23626f11095195065a6b 6086 proftpd-dfsg_1.3.8+dfsg-4+deb12u4_source.buildinfo
Checksums-Sha256:
 eadfe9d117bee0d05ae278c8e4a10c5a65d389c7800e22ce404ec795546d1522 3437 proftpd-dfsg_1.3.8+dfsg-4+deb12u4.dsc
 b80e706614949e04f250fadea0a5e424da7c8fe43f30dbadbbbbac8dc0220ead 19437185 proftpd-dfsg_1.3.8+dfsg.orig.tar.gz
 72bf334caa2279936715fa43001a0ec64cc0ccaefe7676592866df1cdf77279c 88616 proftpd-dfsg_1.3.8+dfsg-4+deb12u4.debian.tar.xz
 9115de8e8f304c55b4b586cc9dcd1b1812301711de77d129e2a8b6cc6a215a3a 6086 proftpd-dfsg_1.3.8+dfsg-4+deb12u4_source.buildinfo
Files:
 17d0e10429e2f613279418439758bfd0 3437 net optional proftpd-dfsg_1.3.8+dfsg-4+deb12u4.dsc
 6cdf6413cdeb1ad7f0f45469a221f52a 19437185 net optional proftpd-dfsg_1.3.8+dfsg.orig.tar.gz
 a0814837ca753a3347c3203fb5cfe38b 88616 net optional proftpd-dfsg_1.3.8+dfsg-4+deb12u4.debian.tar.xz
 b9bfd7160219c66b4a9121bf89034b10 6086 net optional proftpd-dfsg_1.3.8+dfsg-4+deb12u4_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---