|Summary:||<net-ftp/proftpd-1.3.3d-r1: mod_sftp integer overflow (CVE-2011-1137)|
|Product:||Gentoo Security||Reporter:||Stefan Behte (RETIRED) <craig>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||bernd, phajdan.jr, proxy-maint, voyageur|
|Package list:||Runtime testing required:||---|
Description Stefan Behte (RETIRED) 2011-02-08 13:37:34 UTC
Quote from: http://www.securityfocus.com/bid/46183/discuss The 'mod_sftp' module for ProFTPD is prone to an integer-overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied data. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
Comment 1 Bernd Lommerzheim 2011-02-11 16:47:17 UTC
Thank you for your report! I can confirm that a ProFTPD server with an used mod_sftp module at least segfaults when it gets attacked by the exploit. A few days ago this security issue was reported upstream in . Furthermore it seems that this issue is related to another bugreport  and that the proposed fix  does fix this security issue. In my local tests the exploit did not segfaulted the ProFTPD server with this patch anymore.  http://bugs.proftpd.org/show_bug.cgi?id=3587  http://bugs.proftpd.org/show_bug.cgi?id=3586  http://bugs.proftpd.org/attachment.cgi?id=3539
Comment 2 Tim Sammut (RETIRED) 2011-02-12 19:03:38 UTC
(In reply to comment #1) > >  http://bugs.proftpd.org/show_bug.cgi?id=3587 >  http://bugs.proftpd.org/show_bug.cgi?id=3586 >  http://bugs.proftpd.org/attachment.cgi?id=3539 > Thanks for the info. Looks like this is fixed upstream, but they have not released a new version.
Comment 3 Bernard Cafarelli 2011-02-14 15:02:37 UTC
I've added in tree 1.3.3d-r1 (stable target) and 1.3.4_rc1-r1 by Bernd, which contain the fix
Comment 4 Tim Sammut (RETIRED) 2011-02-14 17:55:37 UTC
(In reply to comment #3) > I've added in tree 1.3.3d-r1 (stable target) and 1.3.4_rc1-r1 by Bernd, which > contain the fix > Great, thank you. Arches, please test and mark stable: =net-ftp/proftpd-1.3.3d-r1 Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 5 blain 'Doc' Anderson 2011-02-14 20:35:03 UTC
amd64 except for the QA it compiled fine and appears to do it's job. i didnot get extensive in testing other than have my son try to fail it from his system tested fine unable to locate given versions, did find =net-ftp/proftpd-1.3.4-rc1 tested with same * QA Notice: Package has poor programming practices which may compile * fine but exhibit random runtime failures. * mod_delay.c:995: warning: array subscript is above array bounds * mod_delay.c:955: warning: array subscript is above array bounds * Please do not file a Gentoo bug and instead report the above QA * issues directly to the upstream developers of this software. * Homepage: http://www.proftpd.org/ * http://www.castaglia.org/proftpd/ * http://www.thrallingpenguin.com/resources/mod_clamav.htm * http://gssmod.sourceforge.net/
Comment 6 Jeroen Roovers (RETIRED) 2011-02-14 20:43:23 UTC
Stable for HPPA.
Comment 7 Thomas Kahle (RETIRED) 2011-02-15 12:16:22 UTC
Comment 8 Agostino Sarubbo 2011-02-15 13:46:25 UTC
Comment 9 Bernd Lommerzheim 2011-02-15 19:16:40 UTC
(In reply to comment #5) > * QA Notice: Package has poor programming practices which may compile > * fine but exhibit random runtime failures. > * mod_delay.c:995: warning: array subscript is above array bounds > * mod_delay.c:955: warning: array subscript is above array bounds Thanks for reporting this! These two warnings do only appear when building ProFTPD with controls support (USE="ctrls"). I reported them upstream and I hope to fix them in the next revision bumps of ProFTPD 1.3.3* and 1.3.4*.
Comment 10 Markos Chandras (RETIRED) 2011-02-16 09:37:58 UTC
amd64 done. Thank you guys
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) 2011-02-16 10:14:24 UTC
Comment 12 Michael Weber (RETIRED) 2011-02-26 13:34:16 UTC
Comment 13 Raúl Porcel (RETIRED) 2011-02-26 17:46:51 UTC
Comment 14 Tim Sammut (RETIRED) 2011-02-26 19:48:35 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 15 Tim Sammut (RETIRED) 2011-03-05 21:30:33 UTC
*** Bug 357535 has been marked as a duplicate of this bug. ***
Comment 16 GLSAMaker/CVETool Bot 2011-06-24 00:27:10 UTC
CVE-2011-1137 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1137): Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and earlier allows remote attackers to cause a denial of service (memory consumption leading to OOM kill) via a malformed SSH message.
Comment 17 GLSAMaker/CVETool Bot 2013-09-24 23:39:25 UTC
This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).