
Bug 154650

Summary: net-ftp/proftpd: Remote exec of arbitrary code (CommandBufferSize DoS CVE-2006-5815, sreplace() off-by-one error CVE-2006-6171, and mod_tls stack overflow CVE-2006-6170)
Product: Gentoo Security
Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: aetius, boss.gentoo, chtekk
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/22803/
Whiteboard: A2 [glsa] Falco
Package list:
Runtime testing required: ---
Attachments:
  mod_tls.patchj as used by OpenPKG (flags: none)

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-10 02:10:21 UTC
Hi chtekk, an unspecified vulnerability in proftpd could allow the remote execution of arbitrary code. Exploit code is said to have been found (http://gleg.net/vulndisco_meta.shtml).

No update available yet
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-10 02:55:19 UTC
I've applied the patch taken from http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date

that compiles fine.

Chtekk, could you please check that patch and apply it too?
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-21 09:18:34 UTC
The patch is not related to the vuln described here; it seems to be another issue.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-21 09:36:34 UTC
Also, the fix was revised; it seems like you need to add this one, too: http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.293&r2=1.294&sortby=date

Besides, this looks like a pointer for the unspecified one:
http://elegerov.blogspot.com/2006/10/do-you-remember-2-years-old-overflow.html
Comment 4 Marcin Deranek 2006-11-27 08:26:04 UTC
Looks like a new version has just been released which addresses this vulnerability.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-27 14:24:57 UTC
Indeed: http://bugs.proftpd.org/show_bug.cgi?id=2858
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/support.c?r1=1.79&r2=1.80&sortby=date

The new version is 1.3.0a

CHTEKK please bump, thanks
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-28 05:42:54 UTC
Created attachment 102910 [details, diff]
mod_tls.patchj as used by OpenPKG

Patch used by OpenPKG to fix the mod_tls vuln
Comment 7 Matt Drew (RETIRED) gentoo-dev 2006-11-28 08:19:28 UTC
*** Bug 156503 has been marked as a duplicate of this bug. ***
Comment 8 Luca Longinotti (RETIRED) gentoo-dev 2006-11-28 09:14:07 UTC
net-ftp/proftpd-1.3.0a is in the tree now, enjoy!
Updated to 1.3.0a and added the patch for both the commandbuffer issue and the mod_tls one.
Best regards, CHTEKK.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-28 11:36:51 UTC
Thx Luca.

Arches please test and mark stable. Target keywords are:

proftpd-1.3.0a.ebuild:KEYWORDS="alpha amd64 hppa ~mips ppc ppc64 sparc x86"
Comment 10 Christoph Mende (RETIRED) gentoo-dev 2006-11-28 11:45:38 UTC
emerges fine and works on amd64

Portage 2.1.2_rc2-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-ck1-r2 x86_64)
=================================================================
System uname: 2.6.18-ck1-r2 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.6
Last Sync: Tue, 28 Nov 2006 19:20:01 +0000
ccache version 2.3 [enabled]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay /usr/local/portage/xfce"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi alsa audiofile berkdb bitmap-fonts branding bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus divx dlloader dri dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal iconv imagemagick input_devices_evdev input_devices_keyboard ipod jpeg kernel_linux ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mp3 mpeg ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU v4l v4l2 video_cards_fglrx video_cards_radeon vim-with-x vorbis wmp xinerama xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
Comment 11 Markus Meier gentoo-dev 2006-11-28 11:54:19 UTC
net-ftp/proftpd-1.3.0a  USE="ipv6 ldap ncurses pam ssl tcpd -acl -authfile -clamav -hardened -ifsession -mysql -noauthunix -opensslcrypt -postgres -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd"
1. emerges on x86
2. passes collision test
3. works

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.3 i686)
=================================================================
System uname: 2.6.18.3 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Tue, 28 Nov 2006 18:30:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-28 12:32:46 UTC
x86 is safe as always
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-28 13:19:45 UTC
*** Bug 156503 has been marked as a duplicate of this bug. ***
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-28 13:38:27 UTC
Pffff, hard... I think Secunia is wrong and this vulnerability is not CVE-2006-5815.

We have 3 vulnerabilities on proftpd :

- this one, code exec by Evgeny Legerov with sreplace(), SA 22803, bug 154650 (this one)

- a DoS with the CommandBufferSize command, CVE-2006-5815 and SA 22821, also fixed in bug 154650

- code exec by Evgeny Legerov in mod_tls, SA 23141, unpatched, bug 56503
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-28 14:24:28 UTC
> - this one, code exec by Evgeny Legerov with sreplace(), SA 22803, bug 154650
> (this one)


Actually, Secunia seems to refer to the right CVE entry, but the content of the CVE entry is b0rked... AFAICT, there is no CommandBufferSize in vd_proftpd.pm:

"Buffer overflow in ProFTPD 1.3.0 and earlier, when configured to use the CommandBufferSize directive, allows remote attackers to cause a denial of service, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit.""

> - a DoS with the CommandBufferSize command, CVE-2006-5815 and SA 22821, also
> fixed in bug 154650
> 
> - code exec by Evgeny Legerov in mod_tls, SA 23141, unpatched, bug 56503

and fixed by Chtekk in Gentoo's proftpd
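Comments 14 and 15 (and the bug summary) name the bug class behind the sreplace() issue, an off-by-one in a bounded string-replace helper, but the page carries none of ProFTPD's code. The block below is an added, generic illustration of that bug class written for this page; it is not ProFTPD's sreplace(), not the vd_proftpd.pm exploit, and says nothing about the actual ProFTPD fix (the function names, the 16-byte window and the "USER aaaa" input are all constructed for the demonstration). It places a guard byte immediately after the destination window so the one-byte overwrite is observable without corrupting unrelated memory, and shows the single comparison that separates the vulnerable and the hardened variant.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not ProFTPD code. Core of a bounded search-and-replace:
 * every occurrence of `pat` in `src` is replaced by `rep`, the result goes
 * into `dst` (capacity `dstsz`). `reserve` is how many bytes the length check
 * keeps free for the terminating NUL: 0 reproduces the off-by-one, 1 is the
 * correct value. Returns the result length without NUL, or -1 if it does not
 * fit (dst is then not NUL-terminated). */
static long replace_impl(char *dst, size_t dstsz, const char *src,
                         const char *pat, const char *rep, size_t reserve) {
    size_t patlen = strlen(pat), replen = strlen(rep), out = 0;
    if (dstsz == 0 || patlen == 0) return -1;
    while (*src) {
        const char *chunk;
        size_t n;
        if (strncmp(src, pat, patlen) == 0) { chunk = rep; n = replen; src += patlen; }
        else                                 { chunk = src; n = 1;      src += 1; }
        /* With reserve == 0 this check lets `out` reach exactly dstsz, so the
         * NUL written after the loop lands at dst[dstsz], one past the end. */
        if (out + n + reserve > dstsz) return -1;
        memcpy(dst + out, chunk, n);
        out += n;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Vulnerable variant: the length check forgets the NUL terminator. */
long replace_offbyone(char *dst, size_t dstsz, const char *src,
                      const char *pat, const char *rep) {
    return replace_impl(dst, dstsz, src, pat, rep, 0);
}

/* Hardened variant: one byte of dstsz is always reserved for the terminator. */
long replace_fixed(char *dst, size_t dstsz, const char *src,
                   const char *pat, const char *rep) {
    return replace_impl(dst, dstsz, src, pat, rep, 1);
}

/* Run one variant on a constructed exact-fit input ("USER " + an 11-byte
 * replacement = 16 bytes) against a 16-byte window followed by a guard byte.
 * Returns 1 if the guard survived, 0 if the variant overwrote it. */
int guard_intact_after(long (*fn)(char *, size_t, const char *,
                                  const char *, const char *)) {
    char buf[17];
    memset(buf, 0, sizeof buf);
    buf[16] = (char)0xA5;                 /* guard byte just past the window */
    fn(buf, 16, "USER aaaa", "aaaa", "bbbbbbbbbbb");
    return (unsigned char)buf[16] == 0xA5;
}

int main(void) {
    printf("off-by-one variant: guard %s\n",
           guard_intact_after(replace_offbyone) ? "intact" : "OVERWRITTEN");
    printf("fixed variant:      guard %s\n",
           guard_intact_after(replace_fixed) ? "intact" : "OVERWRITTEN");
    return 0;
}
```

On the exact-fit input the vulnerable variant reports success (16 bytes written) and stomps the guard with its terminator, while the hardened one refuses with -1 before copying the replacement; both behave identically on inputs that fit with room to spare, which is why such bugs survive ordinary testing. When auditing a real helper of this shape, look for the same thing: whether the capacity comparison accounts for the byte written after the loop.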
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2006-11-28 21:50:24 UTC
Stable for HPPA.
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-29 05:06:50 UTC
sparc stable.
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-29 07:58:14 UTC
ppc stable
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-30 09:23:52 UTC
Note that CVE-2006-6171 is disputed.
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2006-11-30 12:45:44 UTC
ppc64 stable
Comment 21 Alexander Færøy 2006-11-30 12:50:36 UTC
y0y0, stable on Alpha
Comment 22 Luca Longinotti (RETIRED) gentoo-dev 2006-11-30 13:03:09 UTC
AMD64 stable (using it myself on several servers) and removed old vulnerable 1.3.0 versions.
Best regards, CHTEKK.
Comment 23 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-01 00:04:18 UTC
GLSA 200611-26, thanks for the speed