ok it looks like all versions of the 1.2.x and 1.3.x series are affected, and the patch for this vuln can be found in the proftpd cvs.

Comment 2 Daniel Black (RETIRED) 2007-04-20 09:12:39 UTC

maintainers - please provide a fix.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) 2007-05-02 14:29:12 UTC

maintainers please advise.

Comment 4 Luca Longinotti (RETIRED) 2007-05-11 22:04:13 UTC

Fixed in net-ftp/proftpd-1.3.1_rc2-r1.
Best regards, CHTEKK.

arches - please test
target keywords are alpha, amd64, hppa, ppc, ppc64, sparc, x86

target ebuild is net-ftp/proftpd-1.3.1_rc2-r1

Comment 7 Markus Rothe (RETIRED) 2007-05-13 10:01:32 UTC

ppc64 stable

Comment 8 Markus Meier 2007-05-13 13:30:11 UTC

net-ftp/proftpd-1.3.1_rc2-r1  USE="acl ipv6 ldap ncurses nls pam ssl tcpd -authfile -clamav -hardened -ifsession -mysql -noauthunix -opensslcrypt -postgres -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd"
1. emerges on x86
2. passes collision test
3. works

Portage 2.1.2.2 (default-linux/x86/2007.0/desktop, gcc-4.1.1, glibc-2.5-r2, 2.6.20.10 i686)
=================================================================
System uname: 2.6.20.10 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 13 May 2007 12:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python:     2.3.5-r3, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa apache2 asf avahi berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode evo fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal kerberos ldap libg++ mad midi mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads tiff truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Comment 9 Raúl Porcel (RETIRED) 2007-05-13 15:10:39 UTC

x86 stable, thanks Markus.

Comment 10 Jeroen Roovers (RETIRED) 2007-05-14 06:02:18 UTC

Stable for HPPA.

Comment 11 Jose Luis Rivero (yoswink) (RETIRED) 2007-05-14 08:59:51 UTC

Stable on alpha

net-ftp/proftpd-1.3.1_rc2-r1  USE="mysql ncurses nls pam ssl tcpd -acl -authfile -clamav -hardened -ifsession -ipv6 -ldap -noauthunix -opensslcrypt -postgres -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd"

Emerges and works fine on AMD64. Upgraded on my server and transferred some files without problems. As this is a security issue trust it can be marked stable without being in portage for 30 days on AMD64. 

Portage 2.1.2.2 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.5-r0, 2.6.19-gentoo-r5 x86_64)
=================================================================
System uname: 2.6.19-gentoo-r5 x86_64 AMD Athlon(tm) 64 Processor 3700+
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 14 May 2007 18:30:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31-r5
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon64 -O3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://gentoo.mirror.web4u.cz/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ http://gentoo.mirror.web4u.cz/ http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 apache2 berkdb bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv imap isdnlog jpeg libg++ midi mysql ncurses nls nptl nptlonly pam pcre perl png ppds pppd python readline reflection session spl ssl tcpd test truetype-fonts type1-fonts unicode xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark ati chips cirrus cyrix dummy fbdev glint i128 i810 mga neomagic nv rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Comment 13 Gustavo Zacarias (RETIRED) 2007-05-14 21:11:53 UTC

sparc stable.

Comment 14 Daniel Gryniewicz (RETIRED) 2007-05-16 00:25:21 UTC

amd64 done.

Comment 15 Tobias Scherbaum (RETIRED) 2007-05-16 20:21:43 UTC

ppc stable, ready for GLSA vote

thanks a lot for providing/testing

Comment 17 Jakub Moc (RETIRED) 2007-05-17 12:24:52 UTC

Houston, we have a problem. The patch broken pam logins. :/ You might want to hold off the GLSA business a bit, plus this will require another revbump.

Comment 18 Sune Kloppenborg Jeppesen (RETIRED) 2007-05-18 06:08:11 UTC

Back to ebuild to get the regression fixed if possible. Luca?

Comment 19 Pierre-Yves Rofes (RETIRED) 2007-05-31 09:41:21 UTC

Luca, any news here?

Comment 20 Luca Longinotti (RETIRED) 2007-06-10 19:42:27 UTC

Ok bug fixed, the security patch needed an update, so we need the arch teams to re-stable proftpd-1.3.1_rc2-r2, thanks!
Best regards, CHETKK.

Comment 21 Jeroen Roovers (RETIRED) 2007-06-10 20:54:40 UTC

"A black cat went past us and then I saw another that looked just like it."

Stable for HPPA.

Comment 22 Christian Faulhammer (RETIRED) 2007-06-11 06:17:34 UTC

x86/alpha stable

Comment 23 Markus Rothe (RETIRED) 2007-06-11 09:26:49 UTC

ppc64 stable

Comment 24 Gustavo Zacarias (RETIRED) 2007-06-11 13:22:44 UTC

sparc stable.

new target ebuild:
net-ftp/proftpd-1.3.1_rc2-r2 KEYWORDS: alpha,amd64,arm,hppa,ia64,~mips,ppc,ppc64	,ppc,s390,sparc,x86

FYI, upgrading from 1.3.1_rc2-r1 to -r2 breaks authentication with mod_ldap.c if the "pam" use flag is enabled.  See bug #181712.

Comment 27 Jakub Moc (RETIRED) 2007-06-12 04:02:30 UTC

(In reply to comment #18)
> Back to ebuild to get the regression fixed if possible. Luca?

And again... upstream-- 

Comment 28 Luca Longinotti (RETIRED) 2007-06-26 23:27:19 UTC

The problem with SQL/LDAP auth in -r2 was fixed in -r3 finally, now all auth systems should work. It was only a typo in the PAM check that was introduced in -r2, so I don't believe it's necessary to ask all arch-teams to test again -r3, as such I've kept the -r2 keywords.
PPC and AMD64 still needed to keyword -r2, and now -r3, please do so, thanks!
Best regards, CHTEKK.

Comment 29 Tobias Scherbaum (RETIRED) 2007-06-28 18:50:42 UTC

ppc stable

Arches please test and mark stable. Target keywords are:
target ebuild is net-ftp/proftpd-1.3.1_rc2-r1:KEYWORDS=alpha, amd64, hppa, ppc, ppc64, sparc, x86

Comment 31 Gustavo Zacarias (RETIRED) 2007-07-02 18:40:52 UTC

1.3.1-rc2_r1? that's already stable...

Sorry, got something messed up here - the corrected target ebuild is:
net-ftp/proftpd-1.3.1_rc2-r3:KEYWORDS=alpha, amd64, hppa, ppc, ppc64, sparc, x86

Comment 33 Gustavo Zacarias (RETIRED) 2007-07-02 18:55:58 UTC

That's stable too since chtekk did a stablebump... sigh...

Comment 34 Christian Faulhammer (RETIRED) 2007-07-02 22:24:36 UTC

Then leave it stable for x86. Tested and approved.

Comment 35 Raúl Porcel (RETIRED) 2007-07-03 09:39:04 UTC

looks good on alpha

Comment 36 Gustavo Zacarias (RETIRED) 2007-07-03 17:31:02 UTC

Nothing to do...

Comment 37 Markus Rothe (RETIRED) 2007-07-03 20:03:50 UTC

looks good on ppc64

Comment 38 Jeroen Roovers (RETIRED) 2007-07-04 03:36:55 UTC

Still stable for HPPA.

Comment 39 Tobias Scherbaum (RETIRED) 2007-07-10 18:34:46 UTC

already stable for ppc ...

amd64 - please test and mark stable

Comment 41 Daniel Black (RETIRED) 2007-07-12 12:07:17 UTC

(In reply to comment #40)
> amd64 - please test and mark stable
> 
or avert thy eye to bug 184601

Comment 42 Steve Dibb (RETIRED) 2007-07-13 00:35:17 UTC

amd64 stable

Comment 43 Pierre-Yves Rofes (RETIRED) 2007-07-14 22:09:22 UTC

this one is ready for glsa decision. I tend to vote NO.

Comment 44 Sune Kloppenborg Jeppesen (RETIRED) 2007-07-15 07:20:19 UTC

I tend to vote NO as well.

Comment 45 Matt Drew (RETIRED) 2007-07-16 13:01:41 UTC

I also vote no.

Comment 46 Pierre-Yves Rofes (RETIRED) 2007-07-16 13:20:58 UTC

that makes 2 full no votes => closing without glsa. Feel free to reopen if you disagree.