Well, see: http://securitytracker.com/alerts/2008/Sep/1020945.html It's not extremely critical, but should be fixed.
CVE-2008-4242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4242): ProFTPD 1.3.1 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
CVE-2008-4247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4247): ftpd in OpenBSD 4.3, FreeBSD 7.0, and NetBSD 4.0 interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.
ok, CVE-2008-4247 is for OpenBSD only. I simply added it for reference here.
@net-ftp/chtekk: FYI: they have the patch in their bugtracker and: "The patch also covers the case where the admin might configure a PR_TUNABLE_BUFFER_SIZE which is smaller than the default command buffer size (i.e. the buffer size which is used by default if the CommandBufferSize configuration directive is not configured)."
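The command-splitting behaviour described in the CVE entries above, next to one common mitigation, as an added example that is not ProFTPD's code or the upstream patch. CMD_BUF, MAX_CMDS, read_commands and the sample input are hypothetical names and values chosen for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF 16   /* assumed tiny command buffer so the demo input stays short */
#define MAX_CMDS 8

/* Constructed input: two lines from a client; the first is longer than CMD_BUF. */
static const char SAMPLE[] = "RETR aaaaaaaaaaNOOP\r\nQUIT\r\n";

/* Reads `in` the way a bounded line reader would and stores each command that
 * would be dispatched. hardened=0: an overlong line is handed out in
 * buffer-sized pieces, each treated as a command. hardened=1: an overlong
 * line is dropped up to and including its newline and counted in *rejected. */
int read_commands(const char *in, int hardened,
                  char out[][CMD_BUF], int *rejected) {
    int n = 0;
    size_t pos = 0, len = strlen(in);
    *rejected = 0;
    while (pos < len && n < MAX_CMDS) {
        size_t take = 0;
        int saw_nl = 0;
        while (pos + take < len && take < CMD_BUF - 1 && !saw_nl)
            saw_nl = (in[pos + take++] == '\n');
        if (!saw_nl && hardened) {
            /* Line did not fit: discard the rest of it, dispatch nothing. */
            const char *nl = strchr(in + pos + take, '\n');
            pos = nl ? (size_t)(nl - in) + 1 : len;
            (*rejected)++;
            continue;
        }
        memcpy(out[n], in + pos, take);
        out[n][take] = '\0';
        out[n][strcspn(out[n], "\r\n")] = '\0';   /* strip line ending */
        pos += take;
        n++;
    }
    return n;
}

int main(void) {
    char cmds[MAX_CMDS][CMD_BUF];
    int rej;
    for (int h = 0; h <= 1; h++) {
        int n = read_commands(SAMPLE, h, cmds, &rej);
        printf("hardened=%d dispatched=%d rejected=%d\n", h, n, rej);
        for (int i = 0; i < n; i++) printf("  [%s]\n", cmds[i]);
    }
    return 0;
}
```

With hardened=0 the tail of the overlong line is dispatched as its own command; with hardened=1 the whole overlong line is rejected and only the following well-formed line is dispatched.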
net-ftp/chtekk: Hi, what is your timeline for fixing this?
*ping* :/
As per security handling policy, I took the chance to bump the package and include the patch due to lack of maintainer response. I compile-tested on ~amd64 and updated my hardened x86 setup without problems.
Arches, please extensively test and stabilize:
=net-ftp/proftpd-1.3.2_rc2
Target keywords: alpha amd64 hppa ~ia64 ppc ppc64 sparc x86
ia64, somehow your keyword got lost with the bump to 1.3.1_rc2-r3, so you need to rekeyword or remove your keyword from all vulnerable versions.
Stable for HPPA.
Any reason why the ia64 keyword was dropped in the first place?
(In reply to comment #8)
> Any reason why the ia64 keyword was dropped in the first place?
No idea, I don't know any more than what's in the ChangeLog, and there is no relevant entry there, it seems.
ppc and ppc64 done
(In reply to comment #9)
> (In reply to comment #8)
> > Any reason why the ia64 keyword was dropped in the first place?
> No idea, I don't know any more than what's in the ChangeLog, and there is no
> relevant entry there, it seems.
Um, you bumped the ebuild, right? :)
Keywords in /keeps/gentoo/cvs/gentoo-x86 for net-ftp/proftpd :
| a a a h i m m p p s s s s x x
| l m r p a 6 i p p 3 h p p 8 8
| p d m p 6 8 p c c 9 a a 6 6
| h 6 a 4 k s 6 0 r r -
| a 4 4 c c f
| - b
| f s
| b d
| s
| d
-------------+------------------------------
1.3.1_rc2-r3 | + + + ~ + + + +
1.3.1 | ~ ~ ~ ~ ~ ~ ~ ~ ~
1.3.2_rc2 | ~ ~ + ~ + + ~ ~
It looks like the ~ia64 got dropped because 1.3.2_rc2 is a copy of 1.3.1_rc2. Surely the differences between the two _rc2's ebuilds are fewer than between 1.3.1 and 1.3.2_rc2.
(In reply to comment #11)
> It looks like the ~ia64 got dropped because 1.3.2_rc2 is a copy of 1.3.1_rc2.
> Surely the differences between the two _rc2's ebuilds are fewer than between
> 1.3.1 and 1.3.2_rc2.
You are totally right, thanks a lot for spotting this. I re-added ~ia64 to 1.3.2_rc2 now. Also, it was not my intention to use 1.3.1_rc2 as a base, so I just added 1.3.2_rc2-r1 (which is based on 1.3.1 final), otherwise I'd be dropping feature improvements for ~arch users. Arches, please continue stabling -r0, do not stable -r1 unless the real maintainer approves those changes for stable... Sorry for the noise and confusion. :/
amd64/x86 stable
Problem compile with USE flag shaper.
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -DLINUX -I.. -I../include -I/usr/include/mysql -march=opteron -O2 -pipe -DHAVE_OPENSSL -Wall -c mod_shaper.c
mod_shaper.c: In function ‘shaper_msg_send’:
mod_shaper.c:280: warning: format ‘%u’ expects type ‘unsigned int’, but argument 6 has type ‘msgqnum_t’
mod_shaper.c:280: warning: format ‘%u’ expects type ‘unsigned int’, but argument 7 has type ‘long unsigned int’
mod_shaper.c: In function ‘shaper_startup_ev’:
mod_shaper.c:2164: error: too few arguments to function ‘pr_timer_add’
make[1]: *** [mod_shaper.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-ftp/proftpd-1.3.2_rc2/work/proftpd-1.3.2rc2/modules'
make: *** [modules] Error 2
net-ftp/proftpd-1.3.2_rc2 USE="acl ifsession mysql ncurses nls opensslcrypt pam rewrite shaper sitemisc softquota ssl tcpd vroot -authfile -clamav -hardened -ipv6 -ldap -noauthunix -postgres -radius (-selinux) -xinetd"
Stable on alpha.
Created attachment 171138
CVE-2008-4242 patch for stable net-ftp/proftpd-1.3.1
Here's a security patch for CVE-2008-4242 which applies to the latest stable upstream proftpd 1.3.1. 1.3.2rc2 adds some nasty bugs like "<Directory incoming/*>" ("/*" wildcard statements) being ignored. Only rules directly to the directory (like "<Directory incoming>") are still working. However "<Directory incoming/*>" is needed to make the content of incoming invisible to anonymous users while still allowing uploads. Example:
<Directory incoming>
  <Limit STOR STOU>
    AllowAll
  </Limit>
  <Limit READ WRITE>
    DenyAll
  </Limit>
</Directory>
<Directory incoming/*>
  <Limit DIRS>
    DenyAll
  </Limit>
</Directory>
Maybe there are other bugs in the rc versions. It could be smarter to fix the latest known stable upstream release 1.3.1.
(In reply to comment #16)
[...]
> 1.3.2rc2 adds some nasty bugs like
How do you want to resume with this? Revert the existing stable markings, and go for a revision bump?
(In reply to comment #17)
> How do you want to resume with this? Revert the existing stable markings, and
> go for a revision bump?
I'll leave the decision to you. :P I've just added proftpd-1.3.1-r1, which includes the security patch and hopefully does not have any regressions. Thanks to Joker for tracking it down. And I added proftpd-1.3.2_rc2-r2, which should fix the mod_shaper compile failure. This probably still breaks things for Joker... Also fixing bug 238762, while I am at it, as I cannot test the package otherwise. :)
*** Bug 246391 has been marked as a duplicate of this bug. ***
Arches, please test and mark stable:
=net-ftp/proftpd-1.3.2_rc2-r2
Target keywords: alpha amd64 hppa ppc ppc64 sparc x86
The previous version has regressions (compile failure). This still does not fix Joker's problem, but we decided it would be better not to drop stable again... So Joker, please report this upstream. Anybody who is hit by this bug should use 1.3.1-r1 meanwhile.
ppc64 stable
Compiles clean. Runs fine for > 1 day now on my server. Let do it AMD64 :-)
[ebuild R ] net-ftp/proftpd-1.3.2_rc2-r2 USE="ncurses nls ssl tcpd -acl -authfile -ban -case -clamav -deflate -hardened -ifsession -ipv6 -ldap -mysql -noauthunix -opensslcrypt -pam -postgres -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd"
Stable again.
alpha/sparc/x86 stable
ppc stable
amd64/x86 stable, all arches done.
Ready for voting.
voting NO
NO too, closing.