Bug 1439693 (CVE-2017-7418) - CVE-2017-7418 proftpd: AllowChrootSymlinks control bypass
Summary: CVE-2017-7418 proftpd: AllowChrootSymlinks control bypass
Alias: CVE-2017-7418
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1439695 1439696
TreeView+ depends on / blocked
Reported: 2017-04-06 12:09 UTC by Andrej Nemec
Modified: 2019-09-29 14:09 UTC (History)
6 users (show)

Fixed In Version: proftpd 1.3.5e, proftpd 1.3.6rc5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-04-11 07:52:56 UTC

Attachments (Terms of Use)

Description Andrej Nemec 2017-04-06 12:09:57 UTC
ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the home directory of a user could contain a symbolic link through the AllowChrootSymlinks configuration option, but checks only the last path component when enforcing AllowChrootSymlinks. Attackers with local access could bypass the AllowChrootSymlinks control by replacing a path component (other than the last one) with a symbolic link. The threat model includes an attacker who is not granted full filesystem access by a hosting provider, but can reconfigure the home directory of an FTP user.

Upstream patch (1.3.5 branch):


Upstream bug:


Comment 1 Andrej Nemec 2017-04-06 12:10:31 UTC
Created proftpd tracking bugs for this issue:

Affects: epel-all [bug 1439696]
Affects: fedora-all [bug 1439695]

Comment 2 customercare 2017-04-19 13:12:54 UTC
The patch is buggy: See Bugreport #1443507

Comment 3 customercare 2017-12-14 13:38:18 UTC
FIXED and released on 2017-05-12 15:23:46 EDT 

Please close this BR.

Comment 4 Alasdair Kergon 2019-04-08 14:42:03 UTC
See bug 1697508, asking if this can be closed.

Note You need to log in before you can comment on or make changes to this bug.