From ff990ef2fa558e3d20757013a0776d074464ed8c Mon Sep 17 00:00:00 2001
From: gordon <gordon@FreeBSD.org>
Date: Tue, 15 Sep 2020 21:47:44 +0000
Subject: [PATCH] Fix ftpd privilege escalation via ftpchroot.

Approved by:	so
Approved by:	re (implicit for releng/12.2)
Security:	FreeBSD-SA-20:30.ftpd
Security:	CVE-2020-7468
---
 libexec/ftpd/ftpd.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index badabacb348..c057fdc7b50 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -1593,13 +1593,20 @@ pass(char *passwd)
 	 *    (uid 0 has no root power over NFS if not mapped explicitly.)
 	 */
 	if (seteuid(pw->pw_uid) < 0) {
-		reply(550, "Can't set uid.");
-		goto bad;
+		if (guest || dochroot) {
+			fatalerror("Can't set uid.");
+		} else {
+			reply(550, "Can't set uid.");
+			goto bad;
+		}
 	}
+	/*
+	 * Do not allow the session to live if we're chroot()'ed and chdir()
+	 * fails. Otherwise the chroot jail can be escaped.
+	 */
 	if (chdir(homedir) < 0) {
 		if (guest || dochroot) {
-			reply(550, "Can't change to base directory.");
-			goto bad;
+			fatalerror("Can't change to base directory.");
 		} else {
 			if (chdir("/") < 0) {
 				reply(550, "Root is inaccessible.");
-- 
2.45.0