Two vulnerabilities have been reported in ProFTPD, which can be exploited by
malicious users to disclose certain sensitive information, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
1) A format string error exists when displaying a shutdown message containing
the name of the current directory. This can be exploited by a user, who creates
a directory containing format specifiers and sets the directory as the current
directory, when the shutdown message is being sent.
Successful exploitation requires a shutdown message containing the "%C", "%R",
or "%U" variables.
2) A format string error exists when displaying response messages to the client
using information retrieved from a database using mod_sql. This can be exploited
by a user, who inserts format string sequences into database tables that are
used to generate the response messages.
Successful exploitation requires that the "SQLShowInfo" directive is set and
also requires the user to have control over the contents of the used tables in
The vulnerabilities have been fixed in version 1.3.0rc2.
Don't believe me? You can check:
humpback, please provide a fixed ebuild, thanks.
This is CAN-2005-2390
uberlord will do the ebuild, adding him to CC.
For those who are interested, patches can be found here:
I've committed proftpd-1.2.10-r7 with the two fixes backported.
This ebuild depends on net-ftp/ftpbase-0.00 which has only been marked stable on
x86 and amd64 - it should be ok to mark stable for your arch as it just
installs the ftp user, home directory for ftp user and a ftp pam.d file.
If you mark proftpd-1.2.10-r7 stable for your ARCH, you'll need to mark
ftpbase-0.00 stable too.
Arches, please test and mark stable proftpd-1.2.10-r7 and ftpbase-0.00
marked ftpbase/proftpd ppc stable
stable on ppc64
Stable on amd64 and x84
Erm - I mean stable on x86 :)
(In reply to comment #4)
> I've committed proftpd-1.2.10-r7 with the two fixes backported.
Well, you claim that proftpd-1.2.10-r7 is not vulnerable, while
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2390 claims that
below 1.3.0rc2 it is vulnerable. How is it ordered?
I've applied the patches which address the vulnerabilities to the 1.2.10-r7
ebuild from their bugzilla posts
You can see this in the 1.2.10-r7 ebuild as it applies these patches that mirror
Stable on hppa
Stable on alpha
There are no stable keywords for mips.
ready for glsa
Can you please modify the code listing in the GLSA "Resolution" section? It's
broken for folks using anything earlier than proftpd-1.2.10-r6, because that
version introduced a dependency on ftpbase, which blocks anything earlier.
emerge unmerge "<net-ftp/proftpd-1.2.10-r6"
emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.2.10-r7"
Or something. :-)
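
The first issue in the advisory at the top of this report, a directory name reaching a printf-style format argument through the shutdown message's "%C" variable, shown as an added example; this is not ProFTPD's code and not part of the original report. The helper names (reply, expand_shutmsg, send_shutmsg_flawed, send_shutmsg_fixed), the template text and the directory name are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style reply helper; fills a buffer instead of a socket. */
static int reply(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Expand %C (cwd), %R (remote host) and %U (user) in an admin-written
 * template; everything else is copied unchanged. 0 on success, -1 if too long. */
static int expand_shutmsg(const char *tmpl, const char *cwd, const char *rhost,
                          const char *user, char *out, size_t n) {
    size_t used = 0;
    for (const char *p = tmpl; *p; p++) {
        char one[2] = { *p, '\0' };
        const char *sub = one;
        if (p[0] == '%' && (p[1] == 'C' || p[1] == 'R' || p[1] == 'U')) {
            sub = p[1] == 'C' ? cwd : p[1] == 'R' ? rhost : user;
            p++;
        }
        size_t len = strlen(sub);
        if (used + len >= n) return -1;   /* keep room for the terminator */
        memcpy(out + used, sub, len);
        used += len;
    }
    if (used >= n) return -1;
    out[used] = '\0';
    return 0;
}

/* Flawed pattern: the expanded text, which now carries a user-chosen
 * directory name, is passed as the format string itself. */
static int send_shutmsg_flawed(char *out, size_t n, const char *msg) {
    return reply(out, n, msg);
}

/* Corrected pattern: the expanded text is only data for a constant "%s". */
static int send_shutmsg_fixed(char *out, size_t n, const char *msg) {
    return reply(out, n, "%s", msg);
}

int main(void) {
    char msg[128], wire[128];
    /* Constructed input: a directory whose name contains "%%". */
    expand_shutmsg("Closing, %U: leave %C", "/pub/100%%_done", "host.example", "alice", msg, sizeof msg);
    send_shutmsg_flawed(wire, sizeof wire, msg); printf("flawed: %s\n", wire);
    send_shutmsg_fixed(wire, sizeof wire, msg);  printf("fixed:  %s\n", wire);
    return 0;
}
```

The "%%" in the directory name is rewritten to "%" only on the flawed path, which shows the name being parsed as a format string; the fixed path sends it byte for byte.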