FS#67165 - [vsftpd] seccomp policy kills child on OpenSSL call
Attached to Project:
Community Packages
Opened by Kamil Lorenc (r4pt0r) - Wednesday, 01 July 2020, 13:29 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:01 GMT
Details
Description:
When opening a new encrypted connection, the forked vsftpd is killed and the following message is sent through the socket:

500 OOPS: child died

vsftpd defines a list of allowed syscalls. Calling a syscall outside the list causes a SIGSYS signal, which kills the process that gets the signal. It seems that lately OpenSSL started to use the getrandom syscall during initialization of its random number generator. The solution is to patch vsftpd with the addition of this syscall to the whitelist. This can be done with the following patch:

```
--- a/seccompsandbox.c 2020-07-01 12:42:02.286972777 +0200 +++ b/seccompsandbox.c 2020-07-01 12:42:34.671677119 +0200 @@ -335,6 +335,7 @@ allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */ allow_nr(__NR_getpid); /* Used by logging. */ allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */ + allow_nr(__NR_getrandom); /* Used by OpenSSL in SSL_accept. */ allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL); /* It's safe to allow O_RDWR in fcntl because these flags cannot be changed. * Also, sockets are O_RDWR.
```

Additional info:
* vsftpd version 3.0.3-6
* vsftpd.conf: ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES local_enable=YES
* OpenSSL version 1.1.1.g-1

Steps to reproduce: Generate a certificate as described on the Arch Wiki, start vsftpd from a root command line and attempt connecting with e.g. FileZilla.
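Review bot: the added allow_nr(__NR_getrandom) line is unguarded, and __NR_getrandom is only defined by headers for Linux 3.17 and later, so wrapping the line in #ifdef __NR_getrandom keeps seccompsandbox.c building against older headers. The comment on the same line ties the call to SSL_accept, while the report attributes it to OpenSSL initializing its random number generator; a comment such as "Used by OpenSSL to seed its RNG" would match the stated cause. Allowing the syscall without an argument match, unlike the fcntl rule that follows it, looks acceptable, since getrandom's arguments are only a buffer, a length and flags selecting the entropy source and blocking behaviour.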
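The failure described in the report, reduced to a stand-alone C program (an added example, not vsftpd's code and not part of the original report): a child confined by a seccomp-BPF allowlist is killed with SIGSYS when it calls getrandom, and exits cleanly once that syscall is listed. The function `run_child`, the `ALLOW` macro and the three-entry allowlist are constructed for illustration.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Two BPF instructions: if the loaded syscall number equals nr, allow it. */
#define ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Fork a child, confine it to a small allowlist, then call getrandom(2).
 * Returns the killing signal, 0 on clean exit, -1 if setup failed. */
int run_child(int allow_getrandom)
{
    unsigned int extra = allow_getrandom ? __NR_getrandom : __NR_exit_group; /* else: harmless duplicate */
    struct sock_filter filter[] = {
        /* A production filter checks seccomp_data.arch before this load. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(__NR_write),
        ALLOW(__NR_exit_group),
        ALLOW(extra),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* anything else: SIGSYS */
    };
    struct sock_fprog prog = { (unsigned short)(sizeof filter / sizeof filter[0]), filter };
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char buf[16];
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(2);                                /* seccomp not available */
        syscall(__NR_getrandom, buf, sizeof buf, 0); /* stand-in for OpenSSL's RNG seeding */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void)
{
    printf("without rule: signal %d, with rule: signal %d\n", run_child(0), run_child(1));
}
```

From the parent's side the kill shows up only as a terminated child, which is why the client sees nothing more specific than "500 OOPS: child died".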
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:01 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/vsftpd/issues/4
Comment by Levente Polyak (anthraxx) - Wednesday, 01 July 2020, 23:03 GMT
Can you please report / submit your patch upstream and post a link here?

Comment by Kamil Lorenc (r4pt0r) - Saturday, 04 July 2020, 05:25 GMT
Unfortunately, it seems the project does not have any way of sending bug reports or patches. There is a dedicated IRC channel and I dropped them a link to this page, but for a few days nobody answered. In theory, I could still try sending an email to the author, but he states on the project page that he is unable to read all such emails, so it is likely he won't answer in any way. By the way, if we look at the last release date, it looks like the project is not actively maintained anymore (last release was in 2015).

Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug has been open for more than 2 years. Please reply if you still experience this bug, otherwise this issue will be closed after 1 month.