Bug 238762 (CVE-2008-4242) - net-ftp/proftpd < 1.3.2_rc2: Cross-Site Request Forgery Vulnerability (CVE-2008-4242)
Summary: net-ftp/proftpd < 1.3.2_rc2: Cross-Site Request Forgery Vulnerability (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2008-4242
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://bugs.proftpd.org/show_bug.cgi?...
Whiteboard: B3 [glsa]
Keywords: STABLEREQ
Duplicates: 246391
Depends on:
Blocks:

Reported: 2008-09-26 12:55 UTC by Stefan Behte (RETIRED)
Modified: 2008-11-26 23:25 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
CVE-2008-4242 patch for stable net-ftp/proftpd-1.3.1 (proftpd-1.3.1-CVE-2008-4242.patch, 5.02 KB, patch)
2008-11-09 00:00 UTC, Christian Birchinger (RETIRED)

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-09-26 12:55:54 UTC
Well, see:
http://securitytracker.com/alerts/2008/Sep/1020945.html
It's not extremely critical, but should be fixed.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-26 13:25:51 UTC
CVE-2008-4242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4242):
  ProFTPD 1.3.1 interprets long commands from an FTP client as multiple
  commands, which allows remote attackers to conduct cross-site request
  forgery (CSRF) attacks and execute arbitrary FTP commands via a long
  ftp:// URI that leverages an existing session from the FTP client
  implementation in a web browser.

CVE-2008-4247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4247):
  ftpd in OpenBSD 4.3, FreeBSD 7.0, and NetBSD 4.0 interprets long
  commands from an FTP client as multiple commands, which allows remote
  attackers to conduct cross-site request forgery (CSRF) attacks and
  execute arbitrary FTP commands via a long ftp:// URI that leverages
  an existing session from the FTP client implementation in a web
  browser.

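Added illustration of the bug class the CVE text above describes; this is not ProFTPD's code and not the patch attached to this bug. A fixed-size command reader that stops when its buffer is full leaves the tail of an over-long line in the stream, so the tail is parsed as a second command; the hardened reader drains and drops the whole line instead. The 16-byte buffer, the command names and the sample stream are constructed for the demonstration.

```c
#include <string.h>

#define CMD_BUF  16  /* deliberately tiny so a short line overflows it */
#define MAX_CMDS 8

/* Vulnerable reader (fgets-style): stops at '\n' OR once CMD_BUF-1 bytes are
 * stored. Bytes left over from an over-long line are not discarded, so the
 * next call picks them up and they reach the parser as their own command. */
int split_vulnerable(const char *in, size_t len, char out[][CMD_BUF]) {
    int n = 0; size_t i = 0;
    while (i < len && n < MAX_CMDS) {
        size_t pos = 0;
        while (i < len && pos < CMD_BUF - 1) {
            char c = in[i++];
            if (c == '\n') break;
            if (c != '\r') out[n][pos++] = c;
        }
        out[n++][pos] = '\0';
    }
    return n;
}

/* Hardened reader: a line that does not fit the buffer is an error. The rest
 * of it is drained up to the next '\n' and none of it is parsed. */
int split_fixed(const char *in, size_t len, char out[][CMD_BUF]) {
    int n = 0; size_t i = 0;
    while (i < len && n < MAX_CMDS) {
        size_t pos = 0;
        int complete = 0;
        while (i < len) {
            char c = in[i++];
            if (c == '\n') { complete = 1; break; }
            if (c == '\r') continue;
            if (pos == CMD_BUF - 1) {                  /* no room left */
                while (i < len && in[i++] != '\n') { } /* drain the line */
                break;
            }
            out[n][pos++] = c;
        }
        if (complete) out[n++][pos] = '\0';            /* over-long: dropped */
    }
    return n;
}

/* Constructed sample: a valid command, one 25-byte line, then QUIT. */
static const char SAMPLE[] = "USER anonymous\r\nCWD /pub/files/DELE x.txt\r\nQUIT\r\n";
static char CMDS[MAX_CMDS][CMD_BUF];   /* commands extracted from SAMPLE */

/* Run one reader (fixed = 1, vulnerable = 0) over SAMPLE; fills CMDS and
 * returns how many commands would reach the parser. */
int sample_count(int fixed) {
    return fixed ? split_fixed(SAMPLE, sizeof SAMPLE - 1, CMDS)
                 : split_vulnerable(SAMPLE, sizeof SAMPLE - 1, CMDS);
}
```

With the vulnerable reader the single 25-byte line becomes "CWD /pub/files/" followed by "DELE x.txt"; the hardened reader passes only "USER anonymous" and "QUIT" on.
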
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-26 13:34:52 UTC
ok, CVE-2008-4247 is for OpenBSD only. I simply added it for reference here.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-07 07:46:26 UTC
@net-ftp/chtekk:
FYI: they have the patch in their bugtracker and:

"The patch also covers the case where the admin might configure a
PR_TUNABLE_BUFFER_SIZE which is smaller than the default command buffer size
(i.e. the buffer size which is used by default if the CommandBufferSize
configuration directive is not configured)."
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-22 10:19:03 UTC
net-ftp/chtekk:
Hi, what is your timeline for fixing this?
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-05 22:23:05 UTC
*ping* :/
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-06 12:58:51 UTC
As per security handling policy, I took the chance to bump the package and include the patch due to lack of maintainer response.
I compile-tested on ~amd64 and updated my hardened x86 setup without problems.


Arches, please extensively test and stabilize:
  =net-ftp/proftpd-1.3.2_rc2

Target keywords: alpha amd64 hppa ~ia64 ppc ppc64 sparc x86

ia64, somehow your keyword got lost with the bump to 1.3.1_rc2-r3, so you need to rekeyword or remove your keyword from all vulnerable versions.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-07 05:00:17 UTC
Stable for HPPA.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-07 05:01:23 UTC
Any reason why the ia64 keyword was dropped in the first place?
Comment 9 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-07 09:20:59 UTC
(In reply to comment #8)
> Any reason why the ia64 keyword was dropped in the first place?
No idea, I don't know any more than what's in the ChangeLog, and there is no relevant entry there, it seems.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2008-11-07 14:51:32 UTC
ppc and ppc64 done
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-07 17:45:17 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > Any reason why the ia64 keyword was dropped in the first place?
> No idea, I don't know any more than what's in the ChangeLog, and there is no
> relevant entry there, it seems.

Um, you bumped the ebuild, right? :)

Keywords in /keeps/gentoo/cvs/gentoo-x86 for net-ftp/proftpd :

             | alpha | amd64 | arm | hppa | ia64 | m68k | mips | ppc | ppc64 | s390 | sh | sparc | sparc-fbsd | x86 | x86-fbsd
-------------+-------+-------+-----+------+------+------+------+-----+-------+------+----+-------+------------+-----+---------
1.3.1_rc2-r3 |   +   |   +   |     |  +   |      |      |  ~   |  +  |   +   |      |    |   +   |            |  +  |
1.3.1        |   ~   |   ~   |     |  ~   |  ~   |      |  ~   |  ~  |   ~   |      |    |   ~   |            |  ~  |
1.3.2_rc2    |   ~   |   ~   |     |  +   |      |      |  ~   |  +  |   +   |      |    |   ~   |            |  ~  |

It looks like the ~ia64 got dropped because 1.3.2_rc2 is a copy of 1.3.1_rc2. Surely the differences between the two _rc2's ebuilds are fewer than between 1.3.1 and 1.3.2_rc2.
Comment 12 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-07 18:19:37 UTC
(In reply to comment #11)
> It looks like the ~ia64 got dropped because 1.3.2_rc2 is a copy of 1.3.1_rc2.
> Surely the differences between the two _rc2's ebuilds are fewer than between
> 1.3.1 and 1.3.2_rc2.
You are totally right, thanks a lot for spotting this. I re-added ~ia64 to 1.3.2_rc2 now. Also, it was not my intention to use 1.3.1_rc2 as a base, so I just added 1.3.2_rc2-r1 (which is based on 1.3.1 final), otherwise I'd be dropping feature improvements for ~arch users.

Arches, please continue stabling -r0, do not stable -r1 unless the real maintainer approves those changes for stable...

Sorry for the noise and confusion. :/
Comment 13 Markus Meier gentoo-dev 2008-11-08 12:51:28 UTC
amd64/x86 stable
Comment 14 Zdenek Herman 2008-11-08 14:49:07 UTC
Compile problem with USE flag shaper.
x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H  -DLINUX  -I.. -I../include -I/usr/include/mysql -march=opteron -O2 -pipe -DHAVE_OPENSSL -Wall -c mod_shaper.c
mod_shaper.c: In function ‘shaper_msg_send’:
mod_shaper.c:280: warning: format ‘%u’ expects type ‘unsigned int’, but argument 6 has type ‘msgqnum_t’
mod_shaper.c:280: warning: format ‘%u’ expects type ‘unsigned int’, but argument 7 has type ‘long unsigned int’
mod_shaper.c: In function ‘shaper_startup_ev’:
mod_shaper.c:2164: error: too few arguments to function ‘pr_timer_add’
make[1]: *** [mod_shaper.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-ftp/proftpd-1.3.2_rc2/work/proftpd-1.3.2rc2/modules'
make: *** [modules] Error 2

net-ftp/proftpd-1.3.2_rc2 USE="acl ifsession mysql ncurses nls opensslcrypt pam rewrite shaper sitemisc softquota ssl tcpd vroot -authfile -clamav -hardened -ipv6 -ldap -noauthunix -postgres -radius (-selinux) -xinetd"

Portage 2.1.4.5 (default/linux/amd64/2008.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r9 x86_64)
Comment 15 Tobias Klausmann (RETIRED) gentoo-dev 2008-11-08 19:57:50 UTC
Stable on alpha.
Comment 16 Christian Birchinger (RETIRED) gentoo-dev 2008-11-09 00:00:36 UTC
Created attachment 171138 [details, diff]
CVE-2008-4242 patch for stable net-ftp/proftpd-1.3.1

Here's a security patch for CVE-2008-4242 which applies to the latest stable upstream proftpd 1.3.1.

1.3.2rc2 adds some nasty bugs like "<Directory incoming/*>" ("/*" wildcard statements) being ignored. Only rules directly to the directory (like "<Directory incoming>") are still working.

However "<Directory incoming/*>" is needed to make the content of incoming invisible to anonymous users while still allowing uploads.

Example:
  <Directory incoming>
    <Limit STOR STOU>
      AllowAll  
    </Limit>  
    <Limit READ WRITE>
      DenyAll
    </Limit> 
  </Directory>

  <Directory incoming/*>
    <Limit DIRS>
      DenyAll   
    </Limit> 
  </Directory>

Maybe there are other bugs in the rc versions. It could be smarter to fix the latest known stable upstream release 1.3.1.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-11-09 10:08:57 UTC
(In reply to comment #16)
[...]
> 1.3.2rc2 adds some nasty bugs like 

How do you want to resume with this? Revert the existing stable markings, and go for a revision bump?
Comment 18 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-09 11:56:15 UTC
(In reply to comment #17)
> How do you want to resume with this? Revert the existing stable markings, and
> go for a revision bump?
I'll leave the decision to you. :P

I've just added proftpd-1.3.1-r1, which includes the security patch and hopefully does not have any regressions. Thanks to Joker for tracking it down.

And I added proftpd-1.3.2_rc2-r2, which should fix the mod_shaper compile failure. This probably still breaks things for Joker...

Also fixing bug 238762, while I am at it, as I cannot test the package otherwise. :)
Comment 19 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-11 22:17:11 UTC
*** Bug 246391 has been marked as a duplicate of this bug. ***
Comment 20 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-11 22:28:44 UTC
Arches, please test and mark stable:
  =net-ftp/proftpd-1.3.2_rc2-r2

Target keywords: alpha amd64 hppa ppc ppc64 sparc x86

The previous version has regressions (compile failure). This still does not fix Joker's problem, but we decided it would be better not to drop stable again...
So Joker, please report this upstream. Anybody who is hit by this bug should use 1.3.1-r1 meanwhile.
Comment 21 Markus Rothe (RETIRED) gentoo-dev 2008-11-12 17:59:44 UTC
ppc64 stable
Comment 22 Roeland Douma 2008-11-13 09:09:31 UTC
Compiles clean. Runs fine for > 1 day now on my server. Let's do it AMD64 :-)

[ebuild   R   ] net-ftp/proftpd-1.3.2_rc2-r2  USE="ncurses nls ssl tcpd -acl -authfile -ban -case -clamav -deflate -hardened -ifsession -ipv6 -ldap -mysql -noauthunix -opensslcrypt -pam -postgres -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd"

Portage 2.1.4.5 (default/linux/amd64/2008.0/no-multilib, gcc-4.1.2, glibc-2.6.1-r0, 2.6.25-gentoo-r7 x86_64)
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-13 21:56:11 UTC
Stable again.
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2008-11-14 10:08:42 UTC
alpha/sparc/x86 stable
Comment 25 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-14 21:07:14 UTC
ppc stable
Comment 26 Markus Meier gentoo-dev 2008-11-15 10:35:33 UTC
amd64/x86 stable, all arches done.
Comment 27 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-15 12:26:46 UTC
Ready for voting.
Comment 28 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-11-26 22:33:37 UTC
voting NO
Comment 29 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 23:25:46 UTC
NO too, closing.