CVE-2019-19269 (https://nvd.nist.gov/vuln/detail/CVE-2019-19269): An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A dereference of a NULL pointer may occur. This pointer is returned by the OpenSSL sk_X509_REVOKED_value() function when encountering an empty CRL installed by a system administrator. The dereference occurs when validating the certificate of a client connecting to the server in a TLS client/server mutual-authentication setup.
Upstream fix: https://github.com/proftpd/proftpd/commit/81cc5dce4fc0285629a1b08a07a109af10c208dd (master) https://github.com/proftpd/proftpd/commit/be8e1687819cb665359bd62b4c896ff4b1a09c3f (1.3.6 branch)
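As an added illustration (not code from ProFTPD, OpenSSL or this bug report): the crash comes down to what an "empty CRL" looks like on the wire. RFC 5280 (section 5.1.2.6) requires the revokedCertificates field to be omitted entirely when nothing is revoked, so for such a CRL OpenSSL's X509_CRL_get_REVOKED() yields either NULL or a stack with no entries, and sk_X509_REVOKED_value(stack, 0) returns NULL in both cases because the index is out of range. The Python below builds two constructed DER CRLs (unsigned placeholder signature, made-up issuer name, dates and serial) with a minimal DER writer, parses them with a minimal DER reader, and shows a lookup that treats the empty CRL as "revokes nothing" instead of touching a missing entry.

```python
"""Minimal DER reader/writer for X.509 CRLs, used to show what an "empty CRL" is.

Added example for CVE-2019-19269; not ProFTPD or OpenSSL code. The CRLs built
below are constructed test data: unsigned (placeholder BIT STRING), with a
made-up issuer name, dates and serial number.
"""

SEQUENCE, SET, INTEGER, OID, NULL, UTF8, UTCTIME, BITSTRING, GENTIME = (
    0x30, 0x31, 0x02, 0x06, 0x05, 0x0C, 0x17, 0x03, 0x18)


def der(tag, content):
    """Encode one DER TLV (single-byte tag, short or long form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed type into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out


# AlgorithmIdentifier for sha256WithRSAEncryption (1.2.840.113549.1.1.11)
SHA256_RSA = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D01010B")) + der(NULL, b""))
# Name "CN=Test CA" (constructed, not a real CA)
ISSUER = der(SEQUENCE, der(SET, der(SEQUENCE,
                                    der(OID, bytes.fromhex("550403")) + der(UTF8, b"Test CA"))))


def build_crl(entries):
    """Build a DER CertificateList (v2) with a placeholder signature.

    entries is a list of (serial, revocationDate) pairs. Per RFC 5280 5.1.2.6
    the revokedCertificates SEQUENCE is omitted when the list is empty; that is
    exactly the shape an "empty CRL" has on disk.
    """
    revoked = b"".join(
        der(SEQUENCE,
            der(INTEGER, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
            + der(UTCTIME, date.encode()))
        for serial, date in entries)
    tbs = (der(INTEGER, b"\x01")                 # version v2
           + SHA256_RSA + ISSUER
           + der(UTCTIME, b"191202000000Z")      # thisUpdate (constructed date)
           + der(UTCTIME, b"200101000000Z")      # nextUpdate (constructed date)
           + (der(SEQUENCE, revoked) if revoked else b""))
    signature = der(BITSTRING, b"\x00" + bytes(32))  # placeholder, not a real signature
    return der(SEQUENCE, der(SEQUENCE, tbs) + SHA256_RSA + signature)


def revoked_entries(crl_der):
    """Return [(serial, revocationDate), ...] from a DER CRL; [] for an empty CRL."""
    _, cert_list, _ = tlv(crl_der)
    _, tbs, _ = tlv(cert_list)
    fields = children(tbs)
    i = 1 if fields[0][0] == INTEGER else 0      # optional version
    i += 3                                       # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (UTCTIME, GENTIME):
        i += 1                                   # optional nextUpdate
    if i >= len(fields) or fields[i][0] != SEQUENCE:
        return []                                # revokedCertificates absent: empty CRL
    entries = []
    for _, entry in children(fields[i][1]):
        _, serial, pos = tlv(entry)
        _, date, _ = tlv(entry, pos)
        entries.append((int.from_bytes(serial, "big", signed=True), date.decode()))
    return entries


def is_revoked(crl_der, serial):
    """Safe lookup: an empty CRL revokes nothing; no entry is ever dereferenced."""
    return any(s == serial for s, _ in revoked_entries(crl_der))


EMPTY_CRL = build_crl([])
ONE_ENTRY_CRL = build_crl([(16, "191201000000Z")])
```

The lesson for a CRL-checking routine is the one the upstream fix applies: check the entry count (or the pointer returned for an index) before using it, because a CRL that an administrator installs with no revoked certificates is valid input, not a malformed file.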
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2c36f1aded32d1feee68284b3823a77a027ff04

commit e2c36f1aded32d1feee68284b3823a77a027ff04
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2019-12-02 22:52:15 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2019-12-02 22:52:42 +0000

    net-ftp/proftpd: CVE-2019-19269 fix, bug #701814

    Pick upstream commit be8e1687819cb6 ("Issue #859, #861: Fix handling of
    CRL lookups by properly using issuer for lookups, and guarding against
    null pointers.")

    Bug: https://bugs.gentoo.org/701814
    Package-Manager: Portage-2.3.80, Repoman-2.3.19
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 .../files/proftpd-1.3.6b-tls-crl-crash.patch |  40 +++
 net-ftp/proftpd/proftpd-1.3.6b-r1.ebuild     | 275 +++++++++++++++++++++
 2 files changed, 315 insertions(+)
Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 202003-35 at https://security.gentoo.org/glsa/202003-35 by GLSA coordinator Thomas Deutschmann (whissi).