Hi chtekk, an unspecified vulnerability in proftpd could allow the remote execution of arbitrary code. Exploit code is said to exist (http://gleg.net/vulndisco_meta.shtml). No update available yet.
I've applied the patch taken from http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date , which compiles fine. Chtekk, could you please check that patch and apply it too?
The patch is not related to the vuln described here; it seems to be another issue.
Also, the fix was revised; it seems like you need to add this one, too: http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.293&r2=1.294&sortby=date . Besides, this looks like a pointer to the unspecified one: http://elegerov.blogspot.com/2006/10/do-you-remember-2-years-old-overflow.html
Looks like a new version which addresses this vulnerability has just been released.
Indeed, see http://bugs.proftpd.org/show_bug.cgi?id=2858 and http://proftp.cvs.sourceforge.net/proftp/proftpd/src/support.c?r1=1.79&r2=1.80&sortby=date . The new version is 1.3.0a. CHTEKK, please bump, thanks.
Created attachment 102910: mod_tls.patchj as used by OpenPKG. Patch used by OpenPKG to fix the mod_tls vuln.
*** Bug 156503 has been marked as a duplicate of this bug. ***
net-ftp/proftpd-1.3.0a is in the tree now, enjoy! Updated to 1.3.0a and added the patch for both the commandbuffer issue and the mod_tls one. Best regards, CHTEKK.
Thanks Luca. Arches, please test and mark stable. Target keywords are: proftpd-1.3.0a.ebuild:KEYWORDS="alpha amd64 hppa ~mips ppc ppc64 sparc x86"
Emerges fine and works on amd64.

Portage 2.1.2_rc2-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-ck1-r2 x86_64)
=================================================================
System uname: 2.6.18-ck1-r2 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.6
Last Sync: Tue, 28 Nov 2006 19:20:01 +0000
ccache version 2.3 [enabled]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.3
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay /usr/local/portage/xfce"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi alsa audiofile berkdb bitmap-fonts branding bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus divx dlloader dri dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal iconv imagemagick input_devices_evdev input_devices_keyboard ipod jpeg kernel_linux ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mp3 mpeg ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU v4l v4l2 video_cards_fglrx video_cards_radeon vim-with-x vorbis wmp xinerama xorg xv xvid zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
net-ftp/proftpd-1.3.0a USE="ipv6 ldap ncurses pam ssl tcpd -acl -authfile -clamav -hardened -ifsession -mysql -noauthunix -opensslcrypt -postgres -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd"

1. emerges on x86
2. passes collision test
3. works

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.3 i686)
=================================================================
System uname: 2.6.18.3 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Tue, 28 Nov 2006 18:30:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python: 2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.3
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
x86 is safe as always
Pffff, hard... I think Secunia is wrong and this vulnerability is not CVE-2006-5815. We have 3 vulnerabilities on proftpd:
- this one, code exec by Evgeny Legerov with sreplace(), SA 22803, bug 154650 (this one)
- a DoS with the CommandBufferSize command, CVE-2006-5815 and SA 22821, also fixed in bug 154650
- code exec by Evgeny Legerov in mod_tls, SA 23141, unpatched, bug 56503
> - this one, code exec by Evgeny Legerov with sreplace(), SA 22803, bug 154650
> (this one)

Actually, Secunia seems to refer to the right CVE entry, but the content of the CVE entry is b0rked... AFAICT, there is no CommandBufferSize in vd_proftpd.pm: "Buffer overflow in ProFTPD 1.3.0 and earlier, when configured to use the CommandBufferSize directive, allows remote attackers to cause a denial of service, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit.""

> - a DoS with the CommandBufferSize command, CVE-2006-5815 and SA 22821, also
> fixed in bug 154650
>
> - code exec by Evgeny Legerov in mod_tls, SA 23141, unpatched, bug 56503

and fixed by Chtekk in Gentoo's proftpd
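The sreplace() issue and the CommandBufferSize issue sorted out above are both described in this thread (the CVE text quoted, and the "2 years old overflow" pointer) as overflows of fixed-size buffers. The C below is an added illustration of that class of bug and its usual fix; it is not ProFTPD's code, does not reproduce either actual bug, and every name, buffer size and sample string in it is made up for the example. It puts a substitution routine that writes into a fixed buffer without tracking the remaining space next to a bounded version that refuses any result that would not fit, which is the property a server-side string substitution needs when the expansion (here a username) is attacker-controlled.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative only: NOT ProFTPD's sreplace(). Names and sizes are
 * invented for the example. */

#define OUTBUF 64   /* hypothetical fixed output buffer size */

/* Naive form: replaces every occurrence of 'from' in 'src' with 'to',
 * writing into 'dst' with no idea how big dst is. If the expansion is
 * longer than dst, the write runs off the end. Kept here only as the
 * "before" picture; do not use it. */
static void naive_replace(char *dst, const char *src,
                          const char *from, const char *to)
{
    size_t flen = strlen(from);
    size_t tlen = strlen(to);
    char *d = dst;

    while (*src) {
        if (flen && strncmp(src, from, flen) == 0) {
            memcpy(d, to, tlen);   /* unchecked write */
            d += tlen;
            src += flen;
        } else {
            *d++ = *src++;         /* unchecked write */
        }
    }
    *d = '\0';
}

/* Bounded form: same substitution, but every write is checked against
 * the space left in dst, always reserving one byte for the NUL.
 * Returns 0 on success and -1 if the result would not fit; on -1 dst is
 * left as an empty string so a caller cannot use a half-built value. */
static int bounded_replace(char *dst, size_t dstsz, const char *src,
                           const char *from, const char *to)
{
    size_t flen = strlen(from);
    size_t tlen = strlen(to);
    size_t used = 0;

    if (dstsz == 0)
        return -1;

    while (*src) {
        if (flen && strncmp(src, from, flen) == 0) {
            /* need tlen bytes plus the terminator */
            if (tlen >= dstsz - used)
                goto toolong;
            memcpy(dst + used, to, tlen);
            used += tlen;
            src += flen;
        } else {
            /* need one byte plus the terminator */
            if (1 >= dstsz - used)
                goto toolong;
            dst[used++] = *src++;
        }
    }
    dst[used] = '\0';
    return 0;

toolong:
    dst[0] = '\0';
    return -1;
}

int main(void)
{
    char out[OUTBUF];
    char big[200];

    /* Constructed input: a greeting template with a %u placeholder and a
     * short, well-behaved username. Both forms handle this. */
    naive_replace(out, "Hello %u", "%u", "bob");
    printf("naive:   %s\n", out);
    if (bounded_replace(out, sizeof out, "Welcome %u to %h", "%u", "alice") == 0)
        printf("bounded: %s\n", out);

    /* Constructed input: an attacker-sized "username" of 199 'A's. The
     * bounded form refuses it instead of overrunning out[]. */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (bounded_replace(out, sizeof out, "%u%u%u", "%u", big) != 0)
        puts("bounded: rejected, result would not fit in the buffer");
    return 0;
}
```

The point of returning a clean failure rather than truncating is that a truncated greeting or path is itself a source of bugs (a cut-off directory name, a mismatched quote); a caller that gets -1 can log and drop the request, which is what a network daemon should do with an oversized expansion.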
Stable for HPPA.
sparc stable.
ppc stable
Note that CVE-2006-6171 is disputed.
ppc64 stable
y0y0, stable on Alpha
AMD64 stable (using it myself on several servers) and removed old vulnerable 1.3.0 versions. Best regards, CHTEKK.
GLSA 200611-26, thanks for the speed.