
FS#67165 - [vsftpd] seccomp policy kills child on OpenSSL call

Attached to Project: Community Packages
Opened by Kamil Lorenc (r4pt0r) - Wednesday, 01 July 2020, 13:29 GMT
Last edited by freswa (frederik) - Wednesday, 01 July 2020, 20:51 GMT
Task Type: Bug Report
Category: Packages
Status: Assigned
Assigned To: Levente Polyak (anthraxx)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:
When opening a new encrypted connection, the forked vsftpd is killed and the following message is sent through the socket:
500 OOPS: child died

vsftpd defines a list of allowed syscalls. Calling a syscall outside the list causes a SIGSYS signal, which kills the process that gets the signal. It seems that lately OpenSSL started to use the getrandom syscall during initialization of its random number generator. The solution is to patch vsftpd to add this syscall to the whitelist. This can be done with the following patch:
```
--- a/seccompsandbox.c 2020-07-01 12:42:02.286972777 +0200
+++ b/seccompsandbox.c 2020-07-01 12:42:34.671677119 +0200
@@ -335,6 +335,7 @@
allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
allow_nr(__NR_getpid); /* Used by logging. */
allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
+ allow_nr(__NR_getrandom); /* Used by OpenSSL in SSL_accept. */
allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
/* It's safe to allow O_RDWR in fcntl because these flags cannot be changed.
* Also, sockets are O_RDWR.
```
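Review bot: the added `allow_nr(__NR_getrandom);` is unconditional, but `__NR_getrandom` is only defined by kernel headers from Linux 3.17 onward, so this hunk breaks the build against older headers; wrap the line in `#ifdef __NR_getrandom` / `#endif`. Also, the flags argument is the only variable input to getrandom(2), so if the value OpenSSL passes is confirmed, the `allow_nr_1_arg_match` helper used for fcntl two lines below could pin that argument rather than admit every flag combination. The hunk as pasted also has no leading whitespace on the `+` line or its context, so it may not apply with plain `patch`; attaching the file instead of pasting it would avoid that.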

Additional info:
* vsftpd version 3.0.3-6
* vsftpd.conf:
```
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
local_enable=YES
```
* OpenSSL version 1.1.1.g-1

Steps to reproduce:
Generate a certificate as described on the Arch Wiki, start vsftpd from a root command line and attempt to connect with e.g. FileZilla.
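The mechanism described in the report, as an added example that is not vsftpd's own code: a minimal seccomp-BPF allow-list built the way seccompsandbox.c builds its whitelist, run once without and once with the getrandom entry, so the SIGSYS behind "500 OOPS: child died" and the effect of the fix can both be observed. The names ALLOW_NR, install_filter, child_survives_getrandom and EXAMPLE_ARCH are this example's own; it assumes Linux with x86_64 or AArch64 headers.

```c
#define _GNU_SOURCE /* for syscall() */
/* Added example, not vsftpd's own code: a minimal seccomp-BPF allow-list in the style of
 * seccompsandbox.c; a forked child sandboxes itself, then calls getrandom(2) as OpenSSL does. */
#include <stddef.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)              /* syscall numbers are per-ABI, so check arch first */
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#endif
/* One allow-list entry, like vsftpd's allow_nr(): if nr matches, return ALLOW. */
#define ALLOW_NR(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
static int install_filter(int allow_getrandom)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW_NR(__NR_exit_group),
        /* The reported fix; when disabled, a duplicate exit_group entry keeps the layout. */
        ALLOW_NR(allow_getrandom ? __NR_getrandom : __NR_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* default: unlisted syscall -> SIGSYS */
    };
    struct sock_fprog fprog = { sizeof prog / sizeof prog[0], prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* Returns 1 if the sandboxed child exits normally, 0 if SIGSYS killed it, -1 on error. */
int child_survives_getrandom(int allow_getrandom)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        unsigned char buf[16];
        if (install_filter(allow_getrandom) != 0) _exit(2);
        syscall(SYS_getrandom, buf, sizeof buf, 0); /* the raw syscall OpenSSL issues */
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 0;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : -1;
}
```

Calling child_survives_getrandom(0) reproduces the kill and child_survives_getrandom(1) shows the patched whitelist letting the child finish.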

Comment by Levente Polyak (anthraxx) - Wednesday, 01 July 2020, 23:03 GMT
Can you please report / submit your patch upstream and post a link here?
Comment by Kamil Lorenc (r4pt0r) - Saturday, 04 July 2020, 05:25 GMT
Unfortunately, it seems the project does not have any way of sending bug reports or patches. There is a dedicated IRC channel and I dropped them a link to this page, but for a few days nobody answered. In theory, I could still try sending an email to the author, but he states on the project page that he is unable to read all such emails, so it is likely he won't answer in any way. By the way, if we look at the last release date, it looks like the project is not actively maintained anymore (the last release was in 2015).