Bug 100364 - net-ftp/proftpd: Two Format String Vulnerabilities (CAN-2005-2390)
Summary: net-ftp/proftpd: Two Format String Vulnerabilities (CAN-2005-2390)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/16181/
Whiteboard: B1 [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-26 07:42 UTC by Jimi A.
Modified: 2005-08-02 22:20 UTC (History)
Description Jimi A. 2005-07-26 07:42:29 UTC
Two vulnerabilities have been reported in ProFTPD, which can be exploited by
malicious users to disclose certain sensitive information, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.

1) A format string error exists when displaying a shutdown message containing
the name of the current directory. This can be exploited by a user, who creates
a directory containing format specifiers and sets the directory as the current
directory, when the shutdown message is being sent.

Successful exploitation requires a shutdown message containing the "%C", "%R",
or "%U" variables.

2) A format string error exists when displaying response messages to the client
using information retrieved from a database using mod_sql. This can be exploited
by a user, who inserts format string sequences into database tables that are
used to generate the response messages.

Successful exploitation requires that the "SQLShowInfo" directive is set and
also requires the user to have control over the contents of the used tables in
the database.

Reproducible: Always
Solution:
The vulnerabilities have been fixed in version 1.3.0rc2.

Don't believe me? You can check:
http://secunia.com/advisories/16181/
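Added example (not from this bug, the Secunia advisory or ProFTPD's source): a constructed C illustration of the bug class in both reports above. A message template is expanded with user-controlled text (here a %C current-directory variable; the mod_sql SQLShowInfo case differs only in where the text comes from) and the result is then handed to a printf-style function as the format string. The vulnerable variant is only exercised with a benign directory name, since running it with "%n%n" would be undefined behaviour; the fixed variant shows the one-line change (a constant "%s" format) that neutralises the input. Function names, the template text and the directory names are all made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the CAN-2005-2390 bug class; not ProFTPD code.
 * A shutdown message template may contain variables such as %C (current
 * directory).  The template is expanded and the result is then handed to a
 * printf-style function AS THE FORMAT STRING, so a user who created a
 * directory named "%n%n" controls that format. */

/* Expand every "%C" in tmpl with cwd; all other bytes are copied verbatim.
 * Returns the length written, or -1 if the output would not fit in n. */
static int expand_cwd(char *out, size_t n, const char *tmpl, const char *cwd)
{
    size_t o = 0;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 'C') {
            size_t l = strlen(cwd);
            if (o + l >= n) return -1;
            memcpy(out + o, cwd, l);
            o += l;
            p++;                       /* skip the 'C' */
        } else {
            if (o + 1 >= n) return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* VULNERABLE: the expanded, user-influenced text becomes the format string.
 * With cwd == "/pub" this is well-defined and looks harmless; with
 * cwd == "/home/%n%n" it is undefined behaviour (printf consumes arguments
 * that were never passed and %n writes through them). gcc/clang report this
 * pattern with -Wformat-security; the pragma keeps the demo compiling. */
static int send_shutdown_vuln(char *out, size_t n, const char *tmpl, const char *cwd)
{
    char expanded[256];
    if (expand_cwd(expanded, sizeof expanded, tmpl, cwd) < 0) return -1;
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
    return snprintf(out, n, expanded);
#pragma GCC diagnostic pop
}

/* FIXED: the expanded text is passed as an ARGUMENT to a constant "%s"
 * format, so every '%' it contains is copied literally.  The same change
 * fixes the SQLShowInfo case, where the text comes out of a database. */
static int send_shutdown_fixed(char *out, size_t n, const char *tmpl, const char *cwd)
{
    char expanded[256];
    if (expand_cwd(expanded, sizeof expanded, tmpl, cwd) < 0) return -1;
    return snprintf(out, n, "%s", expanded);
}

/* Count printf conversion specifiers ('%' not followed by '%') in s: the
 * number of arguments a printf-family function would try to consume if s
 * were used as a format.  Zero means the vulnerable path happens to be safe. */
static int count_conversions(const char *s)
{
    int c = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        c++;
    }
    return c;
}

int main(void)
{
    char msg[256];
    const char *tmpl = "Server going down, your directory was %C";   /* constructed */

    send_shutdown_vuln(msg, sizeof msg, tmpl, "/pub");
    printf("benign cwd, vulnerable path: %s\n", msg);

    send_shutdown_fixed(msg, sizeof msg, tmpl, "/home/%n%n");
    printf("hostile cwd, fixed path    : %s\n", msg);
    printf("conversions an unfixed server would interpret: %d\n",
           count_conversions(msg));
    return 0;
}
```

The check to carry away: any text that reaches a printf-family call after user data has been spliced into it must go through a literal format ("%s"), never as the format itself; count_conversions() shows how many arguments the unfixed code would have consumed from a hostile directory name.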
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-26 07:51:41 UTC
humpback, please provide a fixed ebuild, thanks.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-27 12:44:26 UTC
This is CAN-2005-2390
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-29 08:19:01 UTC
uberlord will do the ebuild, adding him to CC.

For those who are interested, patches can be found here:
http://bugs.proftpd.org/show_bug.cgi?id=2645
http://bugs.proftpd.org/show_bug.cgi?id=2646
Comment 4 Roy Marples (RETIRED) gentoo-dev 2005-07-29 08:56:32 UTC
I've committed proftpd-1.2.10-r7 with the two fixes backported.

This ebuild depends on net-ftp/ftpbase-0.00, which has only been marked stable on
x86 and amd64 - it should be ok to mark it stable for your arch as it just
installs the ftp user, the home directory for the ftp user and an ftp pam.d file.

If you mark proftpd-1.2.10-r7 stable for your ARCH, you'll need to mark
ftpbase-0.00 stable too.

Arches, please test and mark stable proftpd-1.2.10-r7 and ftpbase-0.00
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2005-07-29 10:18:33 UTC
marked ftpbase/proftpd ppc stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2005-07-29 11:41:33 UTC
stable on ppc64
Comment 7 Roy Marples (RETIRED) gentoo-dev 2005-07-29 13:05:51 UTC
Stable on amd64 and x84
Comment 8 Roy Marples (RETIRED) gentoo-dev 2005-07-29 13:06:19 UTC
Erm - I mean stable on x86 :)
Comment 9 Adir Abraham 2005-07-29 16:51:44 UTC
(In reply to comment #4)
> I've committed proftpd-1.2.10-r7 with the two fixes backported.

Well, you claim that proftpd-1.2.10-r7 is not vulnerable, while
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2390 claims that
below 1.3.0rc2 it is vulnerable. How is it ordered?

Adir.
Comment 10 Roy Marples (RETIRED) gentoo-dev 2005-07-29 19:20:27 UTC
I've applied the patches which address the vulnerabilities to the 1.2.10-r7
ebuild from their bugzilla posts:

http://bugs.proftpd.org/show_bug.cgi?id=2645
http://bugs.proftpd.org/show_bug.cgi?id=2646

You can see this in the 1.2.10-r7 ebuild, as it applies these patches that mirror
the above:
proftpd-ftpshut.patch
proftpd-sqlshowinfo.patch
Comment 11 René Nussbaumer (RETIRED) gentoo-dev 2005-07-30 02:47:40 UTC
Stable on hppa
Comment 12 Fernando J. Pereda (RETIRED) gentoo-dev 2005-07-31 05:08:17 UTC
Stable on alpha
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-31 06:45:25 UTC
sparc stable.
Comment 14 Aaron Walker (RETIRED) gentoo-dev 2005-07-31 06:49:04 UTC
There are no stable keywords for mips.
Comment 15 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-31 07:18:43 UTC
ready for glsa
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-01 14:08:44 UTC
GLSA 200508-02 
Comment 17 Sheldon Hearn 2005-08-02 22:20:59 UTC
Can you please modify the code listing in the GLSA "Resolution" section? It's
broken for folks using anything earlier than proftpd-1.2.10-r6, because that
version introduced a dependency on ftpbase, which blocks anything earlier.

I suggest:

emerge --sync
emerge unmerge "<net-ftp/proftpd-1.2.10-r6"
emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.2.10-r7"

Or something. :-)