Bug 343389 (CVE-2010-3867)

Summary: <net-ftp/proftpd-1.3.3c: stack overflow and write access vulnerabilities (CVE-2010-{3867,4221})
Product: Gentoo Security
Reporter: Bernd Lommerzheim <bernd>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: alexanderyt, dennis, gentoo, net-ftp, proxy-maint
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.proftpd.org
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Attachments:
* proftpd initd patch (against proftpd.initd) (flags: none)

Description Bernd Lommerzheim 2010-10-30 15:22:07 UTC
Hello,
on 29/Oct/2010 ProFTPD 1.3.3c [1,2] with two important security fixes [3,4] and some bugfixes has been released. I think a copy of the proftpd-1.3.3b ebuild should work for ProFTPD 1.3.3c without problems.

Furthermore I will attach a patch for the proftpd.initd file (against proftpd.initd) to fix the following issues:
* Fix wrong whitespaces introduced in the last commit.
* Another fix for Gentoo Bug #314055.

I think we should really quickly add ProFTPD 1.3.3c to the portage tree and, as this release fixes two important security bugs, start a stabilization request for it.

Best regards.
Bernd Lommerzheim

[1] http://proftpd.org/docs/RELEASE_NOTES-1.3.3c
[2] http://proftpd.org/docs/NEWS-1.3.3c
[3] http://bugs.proftpd.org/show_bug.cgi?id=3521
[4] http://bugs.proftpd.org/show_bug.cgi?id=3519
Comment 1 Bernd Lommerzheim 2010-10-30 15:22:47 UTC
Created attachment 252583 [details, diff]
proftpd initd patch (against proftpd.initd)
Comment 2 Bernard Cafarelli gentoo-dev 2010-11-03 09:26:10 UTC
Thanks a lot for the report!

For init script, Bernd, can you upload the diff in unified format (-u option) to bug #314055? We'll fix that there.

@security, I've added 1.3.3c in tree, with the same ebuild as current stable 1.3.3a. We have a stack overflow, and write access outside the writable directory in some cases
Target keywords: alpha, amd64, hppa, ppc, ppc64, sparc, x86
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-03 12:27:46 UTC
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of ProFTPD. Authentication is not required to
exploit this vulnerability. 

Arches, please test and mark stable:
=net-ftp/proftpd-1.3.3c
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-11-03 18:28:39 UTC
x86 stable
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2010-11-03 19:43:46 UTC
amd64 done
Comment 6 Mark Loeser (RETIRED) gentoo-dev 2010-11-05 01:40:52 UTC
ppc64 done
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-05 07:10:26 UTC
Stable for HPPA.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-11-05 15:06:38 UTC
Stable for PPC.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2010-11-14 17:27:24 UTC
alpha/sparc stable
Comment 10 Bernard Cafarelli gentoo-dev 2010-11-16 12:54:11 UTC
All arches done, all versions except new stable 1.3.3c removed from tree (first vulnerability has been present since proftpd-1.2.0pre10)
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-18 18:40:46 UTC
Thanks, folks.

GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 23:39:21 UTC
This issue was resolved and addressed in
 GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml
by GLSA coordinator Sean Amoss (ackle).