| Field | Value |
|---|---|
| Summary: | net-ftp/proftpd-1.3.3d: SQL Injection Vulnerability when used with mod_sql (CVE-2010-4652) |
| Product: | Gentoo Security |
| Reporter: | Bernd Lommerzheim <bernd> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | enhancement |
| CC: | hanno, net-ftp, proxy-maint |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://www.proftpd.org/ |
| Whiteboard: | C1 [glsa] |
| Package list: | |
| Runtime testing required: | --- |
| Attachments: | |
Description

Bernd Lommerzheim 2010-12-18 09:33:29 UTC

Created attachment 257480 [details, diff]
proftpd-1.3.4_rc1.ebuild patch (against proftpd-1.3.3d.ebuild)

I'm pretty sure this is security relevant, from release-notes:

+ Fixed sql_prepare_where() buffer overflow (Bug#3536)

@net-ftp, is mod_sql enabled by default (or only with USE='mysql')?

(In reply to comment #3)
> @net-ftp, is mod_sql enabled by default (or only with USE='mysql')?

No, the module "mod_sql" only gets built into ProFTPD when using USE="mysql" or USE="postgres".

Sorry for the delay here.

No CVE on this but reading the bug report and:
http://www.securityfocus.com/bid/44933
http://phrack.org/issues.html?issue=67&id=7#article
it's indeed better to stable 1.3.3d, I have added it to the tree, stable target keywords are: alpha amd64 hppa ppc ppc64 sparc x86

(In reply to comment #5)
> Sorry for the delay here.

No problem; thank you for the new ebuild.

Arches, please test and mark stable:
=net-ftp/proftpd-1.3.3d
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

ppc/ppc64 stable

amd64 works!

amd64 done. Thanks Agostino

x86 stable

Stable for HPPA.

Stable on alpha.

sparc stable

xiexie folks. Added to existing GLSA request.

CVE-2010-4652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4652):
Heap-based buffer overflow in the sql_prepare_where function (contrib/mod_sql.c) in ProFTPD before 1.3.3d, when mod_sql is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted username containing substitution tags, which are not properly handled during construction of an SQL query.

This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).
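The CVE text above describes substitution tags in a where clause being expanded from an attacker-controlled username into a buffer that cannot hold the result. The C below is an illustrative model added for this page; it is not ProFTPD's sql_prepare_where() or any other code from mod_sql.c. It shows the two properties a bounded expander needs: the destination is sized from the post-substitution length (sizing from the template before substitution is the mistake that leaves room for an overflow), and substituted values are copied byte-for-byte rather than re-scanned, so a username made of tags cannot grow further. The tag names %U and %h, the clause template, the host string and the crafted username are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of a where-clause tag expander, written for this page.
 * It is NOT ProFTPD's sql_prepare_where(). Tags %U (username) and %h (client
 * host) are assumed for the example. */

/* Bytes the expanded clause occupies, excluding the NUL. This is the length
 * the destination must be sized from; strlen(tmpl) before substitution is
 * not, because every %U adds strlen(user) bytes the attacker chose. */
size_t where_expanded_len(const char *tmpl, const char *user, const char *host) {
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p == '%' && p[1] == 'U') { n += strlen(user); p++; }
        else if (*p == '%' && p[1] == 'h') { n += strlen(host); p++; }
        else n++;
    }
    return n;
}

/* Size a naive implementation would allocate: the template before
 * substitution. Anything beyond this in where_expanded_len() is what the
 * attacker gets to write past the end. */
size_t naive_alloc_size(const char *tmpl) { return strlen(tmpl) + 1; }

/* Bounded expansion into out[outsz]. Returns 0 on success, -1 if the result
 * would not fit; out is NUL-terminated on both paths. Substituted values are
 * copied verbatim and never re-scanned for tags, so "%U%U%U" as a username
 * appears literally in the output instead of expanding again. */
int where_expand(const char *tmpl, const char *user, const char *host,
                 char *out, size_t outsz) {
    size_t used = 0;
    if (outsz == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        const char *val = NULL;
        size_t vlen;
        if (*p == '%' && p[1] == 'U') { val = user; p++; }
        else if (*p == '%' && p[1] == 'h') { val = host; p++; }
        vlen = val ? strlen(val) : 1;
        /* need vlen bytes plus one for the terminating NUL */
        if (vlen >= outsz - used) { out[used] = '\0'; return -1; }
        if (val) memcpy(out + used, val, vlen); else out[used] = *p;
        used += vlen;
    }
    out[used] = '\0';
    return 0;
}

/* Does the clause fit in a buffer of outsz bytes? (0 = yes, -1 = no) */
int where_expand_fits(const char *tmpl, const char *user, const char *host,
                      size_t outsz) {
    char *buf = malloc(outsz ? outsz : 1);
    if (!buf) return -1;
    int rc = where_expand(tmpl, user, host, buf, outsz);
    free(buf);
    return rc;
}

/* Build the clause into a heap buffer sized after substitution; caller frees. */
char *where_build(const char *tmpl, const char *user, const char *host) {
    size_t need = where_expanded_len(tmpl, user, host) + 1;
    char *buf = malloc(need);
    if (!buf) return NULL;
    if (where_expand(tmpl, user, host, buf, need) != 0) { free(buf); return NULL; }
    return buf;
}

/* Constructed sample: a username consisting of 100 "%U" tags (200 bytes). */
const char *crafted_username(void) {
    static char crafted[256];
    crafted[0] = '\0';
    for (int i = 0; i < 100; i++) strcat(crafted, "%U");
    return crafted;
}

int main(void) {
    const char *tmpl = "userid='%U' AND host='%h'";   /* constructed template */
    const char *host = "10.0.0.1";                    /* constructed host */
    const char *user = crafted_username();
    char small[64];
    printf("naive size %zu bytes, actual need %zu bytes\n",
           naive_alloc_size(tmpl), where_expanded_len(tmpl, user, host) + 1);
    printf("bounded expand into %zu bytes: %s\n", sizeof small,
           where_expand(tmpl, user, host, small, sizeof small) == 0 ? "ok" : "rejected");
    char *q = where_build(tmpl, "alice", host);
    printf("%s\n", q ? q : "(null)");
    free(q);
    return 0;
}
```

Bounding the copy only addresses the memory-safety half of the report; a quote character in the username still lands inside the SQL string, so a real implementation must also escape or parameterize substituted values.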