From 80a7ff1beae2008dea0aea0bf42b1f8e712b20fd Mon Sep 17 00:00:00 2001
From: Paul Howarth <paul@city-fan.org>
Date: Jan 12 2016 12:06:52 +0000
Subject: Fix SUID/SGID directory permission setting regression (#1297264)


Regression was introduced with fix for CVE-2012-6095.
See comments 26-30 at http://bugs.proftpd.org/show_bug.cgi?id=3841

---

diff --git a/proftpd-1.3.3g-bug3841.patch b/proftpd-1.3.3g-bug3841.patch
index fa95e25..c54620e 100644
--- a/proftpd-1.3.3g-bug3841.patch
+++ b/proftpd-1.3.3g-bug3841.patch
@@ -229,7 +229,7 @@
  /* We provide our own equivalent of access(2) here, rather than using
   * access(2) directly, because access(2) uses the real IDs, rather than
   * the effective IDs, of the process.
-@@ -2477,6 +2489,213 @@ int pr_fsio_mkdir(const char *path, mode
+@@ -2477,6 +2489,232 @@ int pr_fsio_mkdir(const char *path, mode
    return res;
  }
  
@@ -252,7 +252,8 @@
 + */
 +int pr_fsio_smkdir(pool *p, const char *path, mode_t mode, uid_t uid,
 +    gid_t gid) {
-+  int res, use_root_privs = TRUE, xerrno = 0;
++  int res, parent_suid = FALSE, parent_sgid = FALSE, use_root_privs = TRUE,
++    xerrno = 0;
 +  char *tmpl_path;
 +  char *dst_dir, *tmpl;
 +  size_t dst_dirlen, tmpl_len;
@@ -293,6 +294,14 @@
 +      return -1;
 +    }
 +
++    if (st.st_mode & S_ISUID) {
++      parent_suid = TRUE;
++    }
++
++    if (st.st_mode & S_ISGID) {
++      parent_sgid = TRUE;
++    }
++
 +    /* Allocate enough space for the temporary name: the length of the
 +     * destination directory, a slash, 9 X's, 3 for the prefix, and 1 for the
 +     * trailing NUL.
@@ -384,7 +393,7 @@
 +  }
 +
 +  if (use_mkdtemp == TRUE) {
-+    mode_t mask, *dir_umask;
++    mode_t mask, *dir_umask, perms;
 +
 +    /* Use chmod(2) to set the permission that we want.
 +     *
@@ -399,11 +408,21 @@
 +      mask = (mode_t) 0022;
 +    }
 +
++    perms = (mode & ~mask);
++
++    if (parent_suid) {
++      perms |= S_ISUID;
++    }
++
++    if (parent_sgid) {
++      perms |= S_ISGID;
++    }
++
 +    if (use_root_privs) {
 +      PRIVS_ROOT
 +    }
 +
-+    res = chmod(tmpl_path, mode & ~mask);
++    res = chmod(tmpl_path, perms);
 +    xerrno = errno;
 +
 +    if (use_root_privs) {
@@ -443,7 +462,7 @@
  int pr_fsio_rmdir(const char *path) {
    int res;
    pr_fs_t *fs;
-@@ -3336,6 +3555,33 @@ int pr_fsio_fchown(pr_fh_t *fh, uid_t ui
+@@ -3336,6 +3574,33 @@ int pr_fsio_fchown(pr_fh_t *fh, uid_t ui
    return res;
  }
  
@@ -477,7 +496,7 @@
  int pr_fsio_access(const char *path, int mode, uid_t uid, gid_t gid,
      array_header *suppl_gids) {
    pr_fs_t *fs;
-@@ -3955,6 +4201,7 @@ int init_fs(void) {
+@@ -3955,6 +4220,7 @@ int init_fs(void) {
    root_fs->fchmod = sys_fchmod;
    root_fs->chown = sys_chown;
    root_fs->fchown = sys_fchown;
@@ -485,7 +504,7 @@
    root_fs->access = sys_access;
    root_fs->faccess = sys_faccess;
    root_fs->utimes = sys_utimes;
-@@ -4036,6 +4283,12 @@ static const char *get_fs_hooks_str(pool
+@@ -4036,6 +4302,12 @@ static const char *get_fs_hooks_str(pool
    if (fs->chown)
      hooks = pstrcat(p, hooks, *hooks ? ", " : "", "chown(2)", NULL);
  
diff --git a/proftpd.spec b/proftpd.spec
index 3892c4b..0b346b8 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -12,7 +12,7 @@
 %endif
 
 #global prever rc4
-%global rpmrel 7
+%global rpmrel 8
 
 Summary:		Flexible, stable and highly-configurable FTP server
 Name:			proftpd
@@ -355,6 +355,10 @@ fi
 %{_mandir}/man1/ftpwho.1*
 
 %changelog
+* Tue Jan 12 2016 Paul Howarth <paul@city-fan.org> - 1.3.3g-8
+- Fix SUID/SGID directory permission setting regression introduced with fix
+  for CVE-2012-6095 (#1297264)
+
 * Fri Nov 13 2015 Paul Howarth <paul@city-fan.org> - 1.3.3g-7
 - Add support for specifying TLSv1.1 and TLSv1.2 (#1281493)