
Bug 354080 (CVE-2011-1137)

Summary: <net-ftp/proftpd-1.3.3d-r1: mod_sftp integer overflow (CVE-2011-1137)
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: bernd, phajdan.jr, proxy-maint, voyageur
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://downloads.securityfocus.com/vulnerabilities/exploits/46183.txt
Whiteboard: C1 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2011-02-08 13:37:34 UTC
Quote from: http://www.securityfocus.com/bid/46183/discuss

The 'mod_sftp' module for ProFTPD is prone to an integer-overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied data.

Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
Comment 1 Bernd Lommerzheim 2011-02-11 16:47:17 UTC
Thank you for your report! I can confirm that a ProFTPD server with the mod_sftp module in use at least segfaults when it gets attacked by the exploit.

A few days ago this security issue was reported upstream in [1]. Furthermore it seems that this issue is related to another bug report [2] and that the proposed fix [3] does fix this security issue. In my local tests the exploit did not segfault the ProFTPD server with this patch anymore.

[1] http://bugs.proftpd.org/show_bug.cgi?id=3587
[2] http://bugs.proftpd.org/show_bug.cgi?id=3586
[3] http://bugs.proftpd.org/attachment.cgi?id=3539
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-02-12 19:03:38 UTC
(In reply to comment #1)
> 
> [1] http://bugs.proftpd.org/show_bug.cgi?id=3587
> [2] http://bugs.proftpd.org/show_bug.cgi?id=3586
> [3] http://bugs.proftpd.org/attachment.cgi?id=3539
> 

Thanks for the info. Looks like this is fixed upstream, but they have not released a new version.
Comment 3 Bernard Cafarelli gentoo-dev 2011-02-14 15:02:37 UTC
I've added in tree 1.3.3d-r1 (stable target) and 1.3.4_rc1-r1 by Bernd, which contain the fix
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-02-14 17:55:37 UTC
(In reply to comment #3)
> I've added in tree 1.3.3d-r1 (stable target) and 1.3.4_rc1-r1 by Bernd, which
> contain the fix
> 

Great, thank you.

Arches, please test and mark stable:
=net-ftp/proftpd-1.3.3d-r1
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Comment 5 blain 'Doc' Anderson 2011-02-14 20:35:03 UTC
amd64: except for the QA notice it compiled fine and appears to do its job. I did not get extensive in testing other than having my son try to fail it from his system; it tested fine.


unable to locate given versions, did find =net-ftp/proftpd-1.3.4-rc1
tested with same


* QA Notice: Package has poor programming practices which may compile
 *            fine but exhibit random runtime failures.
 * mod_delay.c:995: warning: array subscript is above array bounds
 * mod_delay.c:955: warning: array subscript is above array bounds

 * Please do not file a Gentoo bug and instead report the above QA
 * issues directly to the upstream developers of this software.
 * Homepage: http://www.proftpd.org/
 *      http://www.castaglia.org/proftpd/
 *      http://www.thrallingpenguin.com/resources/mod_clamav.htm
 *      http://gssmod.sourceforge.net/
Comment 6 Jeroen Roovers gentoo-dev 2011-02-14 20:43:23 UTC
Stable for HPPA.
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2011-02-15 12:16:22 UTC
x86 stable.
Comment 8 Agostino Sarubbo gentoo-dev 2011-02-15 13:46:25 UTC
amd64 ok
Comment 9 Bernd Lommerzheim 2011-02-15 19:16:40 UTC
(In reply to comment #5)
> * QA Notice: Package has poor programming practices which may compile
>  *            fine but exhibit random runtime failures.
>  * mod_delay.c:995: warning: array subscript is above array bounds
>  * mod_delay.c:955: warning: array subscript is above array bounds

Thanks for reporting this! These two warnings only appear when building ProFTPD with controls support (USE="ctrls"). I reported them upstream and I hope to fix them in the next revision bumps of ProFTPD 1.3.3* and 1.3.4*.
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2011-02-16 09:37:58 UTC
amd64 done. Thank you guys
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-16 10:14:24 UTC
ppc/ppc64 stable
Comment 12 Michael Weber (RETIRED) gentoo-dev 2011-02-26 13:34:16 UTC
sparc done
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2011-02-26 17:46:51 UTC
alpha/sparc stable
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-02-26 19:48:35 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2011-03-05 21:30:33 UTC
*** Bug 357535 has been marked as a duplicate of this bug. ***
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:27:10 UTC
CVE-2011-1137 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1137):
  Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and
  earlier allows remote attackers to cause a denial of service (memory
  consumption leading to OOM kill) via a malformed SSH message.
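The CVE text above describes the general failure mode: a length field taken from a network message is used in size arithmetic or an allocation without being checked against what was actually received, so an oversized or wrapping value turns into a huge allocation or an out-of-bounds read. The following C snippet is an added, constructed illustration of the defensive pattern for an SSH-style length-prefixed string (RFC 4251 encodes a string as a 4-byte big-endian length followed by the bytes); it is not ProFTPD's or mod_sftp's code, and the `MAX_SSH_STRING` cap and all function names are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical upper bound an implementation might enforce on one string
 * before allocating anything for it (example value, not ProFTPD's). */
#define MAX_SSH_STRING (256u * 1024u)

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_TOO_LARGE = 2 };

/* Decode a 4-byte big-endian unsigned integer. */
static uint32_t read_u32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Read one SSH "string" (uint32 length + bytes) from buf[*pos .. buflen).
 * On READ_OK, *out points into buf, *outlen is the string length and *pos is
 * advanced past the string. The declared length is never trusted:
 *  - the comparison is done against the remaining byte count with
 *    subtraction, so no size_t or pointer addition can wrap;
 *  - lengths above MAX_SSH_STRING are refused before any allocation would
 *    happen, which is what prevents a malformed message from driving memory
 *    consumption. */
static enum read_status ssh_read_string(const unsigned char *buf, size_t buflen,
                                        size_t *pos, const unsigned char **out,
                                        size_t *outlen) {
    if (*pos > buflen || buflen - *pos < 4)
        return READ_TRUNCATED;                 /* not even a full length field */
    uint32_t declared = read_u32_be(buf + *pos);
    size_t remaining = buflen - *pos - 4;      /* bytes actually available */
    if (declared > MAX_SSH_STRING)
        return READ_TOO_LARGE;                 /* reject before allocating */
    if ((size_t)declared > remaining)
        return READ_TRUNCATED;                 /* claims more than we hold */
    *out = buf + *pos + 4;
    *outlen = declared;
    *pos += 4 + (size_t)declared;              /* safe: proven <= remaining */
    return READ_OK;
}

/* Constructed sample messages: a well-formed string, one whose declared
 * length exceeds the bytes received, and one with a wrapping 0xFFFFFFFF
 * length that a naive "4 + len" computation would mishandle. */
static const unsigned char sample_good[]      = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
static const unsigned char sample_truncated[] = {0, 0, 0, 9, 'h', 'e', 'l', 'l', 'o'};
static const unsigned char sample_huge[]      = {0xFF, 0xFF, 0xFF, 0xFF, 'a'};

/* Parse one message and return its status; used by main() and the checks. */
static enum read_status classify(const unsigned char *msg, size_t len) {
    size_t pos = 0, outlen = 0;
    const unsigned char *out = NULL;
    return ssh_read_string(msg, len, &pos, &out, &outlen);
}

int main(void) {
    static const char *names[] = {"ok", "truncated", "too large"};
    printf("good:      %s\n", names[classify(sample_good, sizeof sample_good)]);
    printf("truncated: %s\n", names[classify(sample_truncated, sizeof sample_truncated)]);
    printf("huge:      %s\n", names[classify(sample_huge, sizeof sample_huge)]);
    return 0;
}
```

The two checks are deliberately ordered so that the cap is applied to the declared value itself, not to a derived total: checking `4 + declared` or `pos + declared` against the buffer is exactly the arithmetic that can wrap on a 32-bit `size_t` and let a bogus length through.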
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 23:39:25 UTC
This issue was resolved and addressed in
 GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml
by GLSA coordinator Sean Amoss (ackle).