Summary: | <net-ftp/proftpd-1.3.3d-r1: mod_sftp integer overflow (CVE-2011-1137) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bernd, phajdan.jr, proxy-maint, voyageur |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://downloads.securityfocus.com/vulnerabilities/exploits/46183.txt | ||
Whiteboard: | C1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2011-02-08 13:37:34 UTC
Thank you for your report! I can confirm that a ProFTPD server with the mod_sftp module in use at least segfaults when it gets attacked by the exploit. A few days ago this security issue was reported upstream in [1]. Furthermore it seems that this issue is related to another bug report [2] and that the proposed fix [3] does fix this security issue. In my local tests the exploit did not segfault the ProFTPD server with this patch anymore.

[1] http://bugs.proftpd.org/show_bug.cgi?id=3587
[2] http://bugs.proftpd.org/show_bug.cgi?id=3586
[3] http://bugs.proftpd.org/attachment.cgi?id=3539

(In reply to comment #1)
> [1] http://bugs.proftpd.org/show_bug.cgi?id=3587
> [2] http://bugs.proftpd.org/show_bug.cgi?id=3586
> [3] http://bugs.proftpd.org/attachment.cgi?id=3539

Thanks for the info. Looks like this is fixed upstream, but they have not released a new version.

I've added in tree 1.3.3d-r1 (stable target) and 1.3.4_rc1-r1 by Bernd, which contain the fix.

(In reply to comment #3)
> I've added in tree 1.3.3d-r1 (stable target) and 1.3.4_rc1-r1 by Bernd, which
> contain the fix

Great, thank you.

Arches, please test and mark stable:
=net-ftp/proftpd-1.3.3d-r1
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

amd64: except for the QA it compiled fine and appears to do its job. I did not get extensive in testing other than have my son try to fail it from his system. Tested fine. Unable to locate given versions, did find =net-ftp/proftpd-1.3.4-rc1, tested with same:

 * QA Notice: Package has poor programming practices which may compile
 * fine but exhibit random runtime failures.
 * mod_delay.c:995: warning: array subscript is above array bounds
 * mod_delay.c:955: warning: array subscript is above array bounds
 * Please do not file a Gentoo bug and instead report the above QA
 * issues directly to the upstream developers of this software.
 * Homepage: http://www.proftpd.org/
 * http://www.castaglia.org/proftpd/
 * http://www.thrallingpenguin.com/resources/mod_clamav.htm
 * http://gssmod.sourceforge.net/

Stable for HPPA.

x86 stable.

amd64 ok

(In reply to comment #5)
> * QA Notice: Package has poor programming practices which may compile
> * fine but exhibit random runtime failures.
> * mod_delay.c:995: warning: array subscript is above array bounds
> * mod_delay.c:955: warning: array subscript is above array bounds

Thanks for reporting this! These two warnings only appear when building ProFTPD with controls support (USE="ctrls"). I reported them upstream and I hope to fix them in the next revision bumps of ProFTPD 1.3.3* and 1.3.4*.

amd64 done.

Thank you guys

ppc/ppc64 stable

sparc done

alpha/sparc stable

Thanks, everyone. Added to existing GLSA request.

*** Bug 357535 has been marked as a duplicate of this bug. ***

CVE-2011-1137 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1137):
Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and earlier allows remote attackers to cause a denial of service (memory consumption leading to OOM kill) via a malformed SSH message.

This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).