| Summary: | <net-ftp/proftpd-1.3.4d: mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication (CVE-2013-4359) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | bernd, proxy-maint, slyfox, voyageur |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/ | | |
| See Also: | http://bugs.proftpd.org/show_bug.cgi?id=3973 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-09-11 20:58:27 UTC
Pushed to the tree as:
> *proftpd-1.3.4d (12 Sep 2013)
>
> 12 Sep 2013; Sergei Trofimovich <slyfox@gentoo.org>
> +files/proftpd-1.3.4d-sftp-kbdint-max-responses-bug3973.patch,
> +proftpd-1.3.4d.ebuild:
> Version bump. Added fix for sftp kbdint security issue. Bug #484614 by
> Agostino Sarubbo.
Thanks!
Thanks!

Good. Ready for stabilization? If yes - please CC arches

Arches, please stabilize.
STABLEREQ KEYWORDS: alpha amd64 arm hppa ppc ppc64 sparc x86
Thanks!

Stable for HPPA.

amd64 stable

x86 stable

alpha stable

arm stable

ppc64 stable

sparc stable

ppc stable

Thanks for your work

Added to existing GLSA draft

This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).

CVE-2013-4359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4359): Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of service (memory consumption) via a large response count value in an authentication request, which triggers a large memory allocation.
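The CVE text at the end of the thread names the root cause: the client-supplied response count in the keyboard-interactive authentication message sizes an allocation before it is sanity-checked. As an added example (not ProFTPD's code or its patch), this is the defensive pattern a fix of this kind applies, with KBDINT_MAX_RESPONSES as an assumed, illustrative limit:

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed policy limit on responses per keyboard-interactive exchange;
 * the number is illustrative, not the value ProFTPD chose. */
#define KBDINT_MAX_RESPONSES 10

/* Read a big-endian uint32 (SSH wire format) at *off, bounds-checked. */
static int read_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4) return -1;
    *out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
           ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    return 0;
}

/* Validate the body of SSH_MSG_USERAUTH_INFO_RESPONSE (RFC 4256, 3.4):
 *   uint32 num-responses, followed by num-responses "string" fields.
 * Returns num-responses, or -1 if the count exceeds policy, exceeds what
 * the bytes present could hold, or any string is truncated. */
int validate_kbdint_response(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    uint32_t count, slen;

    if (read_u32(buf, len, &off, &count) < 0) return -1;
    if (count > KBDINT_MAX_RESPONSES) return -1;
    /* Every response carries at least a 4-byte length prefix, so the count
     * can never exceed remaining_bytes / 4 in a well-formed message. */
    if ((size_t)count > (len - off) / 4) return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (read_u32(buf, len, &off, &slen) < 0 || slen > len - off) return -1;
        off += slen;
    }
    return off == len ? (int)count : -1;   /* reject trailing bytes */
}

/* Size the response array only from a validated count, so a client-chosen
 * value never reaches the allocator unchecked. Caller frees the result. */
char **alloc_kbdint_responses(const uint8_t *buf, size_t len, int *n)
{
    int count = validate_kbdint_response(buf, len);
    if (count < 0) return NULL;
    *n = count;
    return calloc((size_t)count + 1, sizeof(char *));   /* NULL-terminated */
}
```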