CVE Request -- proFTPD (X < 1.3.5.rc1): Symlink race condition when applying UserOwner to a newly (ProFTPD) created directory
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 7 Jan 2013 11:55:54 -0500 (EST)
Hello Kurt, Steve, vendors,
proFTPD upstream has recently released the v1.3.5.rc1 release,
correcting one security issue:
A time-of-check time-of-use (TOCTOU) race condition
flaw was found in the way ProFTPD, a flexible, stable
and highly-configurable FTP server, handled the MKD/XMKD
FTP commands when the UserOwner directive was involved.
A local attacker could use this flaw to possibly escalate
their privileges via symbolic-link attacks on directories
created by ProFTPD before the UserOwner ownership was applied.
Upstream bug report:
Relevant upstream patch:
Could you allocate a CVE id for this?
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
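The TOCTOU window described in the request, as an added example that is not part of the original post and is not ProFTPD's code or its upstream patch: a directory is created for MKD, and only afterwards is the UserOwner ownership applied by path. If the new directory can be swapped for a symbolic link inside that window, a path-based chown() follows the link and re-owns whatever the link points to. The hardened variant opens the freshly created directory with O_NOFOLLOW|O_DIRECTORY, checks via fstat() that the object is still a directory owned by the process that created it, and applies ownership through the descriptor with fchown(). The function names, the temporary directory layout and the in-process "attacker" step are assumptions made for the demo; the ownership is set to the caller's own uid/gid so it runs unprivileged, whereas a real server applying UserOwner would be changing ownership to another user.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: ownership is applied by path, so if the directory created
 * by the earlier mkdir() has meanwhile been replaced by a symlink, chown()
 * follows the link and operates on the link target instead. */
int apply_owner_racy(const char *path, uid_t uid, gid_t gid)
{
    return chown(path, uid, gid);
}

/* Hardened pattern (illustrative, not the upstream fix): open the path
 * without following a symlink at the final component, verify that what we
 * opened is a directory owned by the uid that just created it, and change
 * ownership through the descriptor, not through the path. */
int apply_owner_safe(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;                  /* ELOOP: the path is now a symlink */
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        /* Not the directory this process created with mkdir(). */
        close(fd);
        errno = EPERM;
        return -1;
    }
    int rc = fchown(fd, uid, gid);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

struct race_result {
    int racy_rc;    /* return value of the path-based chown() */
    int safe_rc;    /* return value of the descriptor-based variant */
    int safe_errno; /* errno left by the safe variant */
};

/* Constructed scenario: the "server" creates newdir (the MKD step); the
 * "attacker", simulated here in the same process, swaps newdir for a
 * symlink to victim during the window before ownership is applied. */
struct race_result demo_race(void)
{
    struct race_result r = { -2, -2, 0 };
    char base[256], victim[300], newdir[300];
    const char *tmp = getenv("TMPDIR");
    snprintf(base, sizeof base, "%s/mkd-race-%ld", tmp ? tmp : "/tmp", (long)getpid());
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(newdir, sizeof newdir, "%s/newdir", base);

    if (mkdir(base, 0700) < 0 || mkdir(victim, 0700) < 0)
        return r;

    /* Step 1: MKD creates the directory. */
    if (mkdir(newdir, 0755) < 0)
        return r;

    /* Step 2: inside the window, the directory is replaced by a symlink. */
    rmdir(newdir);
    symlink(victim, newdir);

    /* Step 3a: the racy ownership step succeeds, acting on victim. */
    r.racy_rc = apply_owner_racy(newdir, getuid(), getgid());

    /* Step 3b: the hardened step refuses to follow the link. */
    r.safe_rc = apply_owner_safe(newdir, getuid(), getgid());
    r.safe_errno = errno;

    unlink(newdir);
    rmdir(victim);
    rmdir(base);
    return r;
}

int main(void)
{
    struct race_result r = demo_race();
    printf("path-based chown: rc=%d\n", r.racy_rc);
    printf("fd-based fchown:  rc=%d errno=%s\n", r.safe_rc, strerror(r.safe_errno));
    return 0;
}
```

With a privileged server the racy path is what turns a symlink in the window into a change of ownership on an attacker-chosen directory; the st_uid check in the hardened variant also catches the case where the new directory is swapped for a different directory rather than a symlink.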