567252 – <net-ftp/proftpd-1.3.5a-r2: unbounded SFTP extended attribute key/values

Bug 567252 - <net-ftp/proftpd-1.3.5a-r2: unbounded SFTP extended attribute key/values

Summary: <net-ftp/proftpd-1.3.5a-r2: unbounded SFTP extended attribute key/values

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2015-12-01 13:37 UTC by Agostino Sarubbo
Modified:	2016-02-25 07:08 UTC (History)
CC List:	5 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2015-12-01 13:37:41 UTC

From ${URL} :

Part of the SFTP handshake involves "extensions", which are key/value pairs, comprised of strings. 
In SSH, strings are encoded for network transport as a 32-bit length, followed by the bytes.

The mod_sftp module currently places no bounds/length limitations when reading these SFTP extension 
key/value data from the network. A malicious attacker might attempt to encode large values, and 
allocate more memory than is necessary.

To avoid undue resource exhaustion by a remote client, mod_sftp should place a limit on the maximum 
length of acceptable extension keys/values.

Upstream bug:

http://bugs.proftpd.org/show_bug.cgi?id=4210

Upstream patch:

https://github.com/proftpd/proftpd/pull/171


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev

2015-12-01 22:25:23 UTC

Pushed proftpd-1.3.5a-r2 as:

    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0701a27f2fb7e5d820b9da4317ee99b655cfd468

"""
commit 0701a27f2fb7e5d820b9da4317ee99b655cfd468
Author: Sergei Trofimovich <slyfox@gentoo.org>
Date:   Tue Dec 1 22:22:50 2015 +0000

    net-ftp/proftpd: fix size limit of SFTP handshake, bug #567252
    
    Reported-by: Agostino Sarubbo
    Bug: https://bugs.gentoo.org/567252
    Bug: http://bugs.proftpd.org/4210
    
    Package-Manager: portage-2.2.25

 .../files/proftpd-1.3.5a-unbound-sftp-p1.patch     |  70 ++++++
 .../files/proftpd-1.3.5a-unbound-sftp-p2.patch     |  61 ++++++
 net-ftp/proftpd/proftpd-1.3.5a-r2.ebuild           | 240 +++++++++++++++++++++
 3 files changed, 371 insertions(+)

"""

Comment 2 Yury German Gentoo Infrastructure

2015-12-01 23:47:24 UTC

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev

2015-12-02 21:11:47 UTC

Arches, please stabilize

    =net-ftp/proftpd/proftpd-1.3.5a-r2

on the following targets:

    alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Thanks!

Comment 4 Agostino Sarubbo gentoo-dev

2015-12-03 10:07:57 UTC

amd64 stable

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2015-12-04 06:41:11 UTC

Stable for HPPA PPC64.

Comment 6 Agostino Sarubbo gentoo-dev

2015-12-07 11:41:22 UTC

ppc stable

Comment 7 Markus Meier gentoo-dev

2015-12-09 05:46:59 UTC

arm stable

Comment 8 Agostino Sarubbo gentoo-dev

2015-12-25 18:21:37 UTC

x86 stable

Comment 9 Agostino Sarubbo gentoo-dev

2016-01-09 07:11:42 UTC

sparc stable

Comment 10 Agostino Sarubbo gentoo-dev

2016-01-10 10:42:16 UTC

alpha stable

Comment 11 Agostino Sarubbo gentoo-dev

2016-01-11 09:08:19 UTC

ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev

2016-01-16 22:14:12 UTC

Dropped old vulnerable versions as:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74586a24b5ed75931733b07d3b9d3aecedb6efb6

Comment 13 Yury German Gentoo Infrastructure

2016-02-25 07:08:29 UTC

GLSA Vote: No
Thank you all for you work. 
Closing as [noglsa].