Two vulnerabilities have been reported in ProFTPD, which can be exploited by malicious users to disclose certain sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

1) A format string error exists when displaying a shutdown message containing the name of the current directory. This can be exploited by a user who creates a directory containing format specifiers and sets that directory as the current directory when the shutdown message is being sent. Successful exploitation requires a shutdown message containing the "%C", "%R", or "%U" variables.

2) A format string error exists when displaying response messages to the client using information retrieved from a database using mod_sql. This can be exploited by a user who inserts format string sequences into database tables that are used to generate the response messages. Successful exploitation requires that the "SQLShowInfo" directive is set and also requires the user to have control over the contents of the used tables in the database.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Solution: The vulnerabilities have been fixed in version 1.3.0rc2.

Don't believe me? You can check: http://secunia.com/advisories/16181/
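Both issues in the report are the same bug class: untrusted text (a client-chosen directory name expanded via "%C", or a table column shown through mod_sql's SQLShowInfo) ends up as the format argument of a printf-family call. The following is an added, self-contained C example, not ProFTPD code and not either of the patches referenced in this bug; the template syntax, function names and the sample directory name are constructed for illustration. It shows the hardened handling (expand as plain text, emit as data), a detection check a defender can use to log or reject input carrying directives, and a percent-escaping helper for code paths that still must go through a format-string API.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not ProFTPD code. Models the two advisory cases: untrusted
 * text (a client-chosen directory name, or a row fetched via mod_sql for
 * SQLShowInfo) substituted into an admin-written message template.
 *
 * Flawed pattern behind both bugs: the substituted message is later handed
 * to a printf-family call as its FORMAT argument, e.g.
 *     snprintf(out, sizeof out, expanded);
 * so any "%" the user placed in the directory name or table row is
 * interpreted as a conversion directive. Nothing below does that. */

/* Detection: does untrusted text contain something printf would parse as a
 * directive? Returns 1 if so, 0 otherwise. "%%" is a literal and is ignored. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                              /* "%%" literal */
        while (*p && strchr("-+ #0123456789.*", *p)) p++;    /* flags/width/prec */
        while (*p && strchr("hlLqjzt", *p)) p++;              /* length modifiers */
        if (*p == '\0' || strchr("diouxXeEfFgGaAcspn", *p)) return 1;
    }
    return 0;
}

/* Expansion as plain text: every "%C" in the (trusted, admin-written) template
 * is replaced by cwd; all other bytes are copied verbatim. Returns 0 on
 * success, -1 if dst (size n) is too small. No format parsing happens here. */
int expand_template(char *dst, size_t n, const char *tmpl, const char *cwd)
{
    size_t out = 0;
    if (n == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 'C') {
            size_t len = strlen(cwd);
            if (out + len >= n) return -1;
            memcpy(dst + out, cwd, len);
            out += len;
            p++;                                  /* consume the 'C' */
        } else {
            if (out + 1 >= n) return -1;
            dst[out++] = *p;
        }
    }
    dst[out] = '\0';
    return 0;
}

/* Hardened emission: the expanded text is DATA, never a format string. */
void emit_message(FILE *fp, const char *expanded)
{
    fputs(expanded, fp);
    fputc('\n', fp);
}

/* Defence in depth for code paths that must still pass text through a
 * format-string API (a logging macro, say): double every '%' so the whole
 * string is inert. Returns the length the fully escaped string would have,
 * snprintf-style, so callers can detect truncation; dst is always
 * NUL-terminated when n > 0 and never contains a half-written escape. */
size_t escape_percent(char *dst, size_t n, const char *src)
{
    size_t want = 0, out = 0;
    for (const char *p = src; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (out == want && want + need < n) {     /* still in sync, still room */
            dst[out++] = *p;
            if (need == 2) dst[out++] = '%';
        }
        want += need;
    }
    if (n) dst[out] = '\0';
    return want;
}

int main(void)
{
    /* Constructed inputs: an admin template and a client-chosen directory. */
    const char *tmpl = "Server shutting down; you are in %C";
    const char *cwd  = "/home/ftp/reports%x";
    char msg[128], escaped[128];

    if (contains_format_directive(cwd))
        fprintf(stderr, "warning: cwd contains printf directives: %s\n", cwd);
    if (expand_template(msg, sizeof msg, tmpl, cwd) == 0)
        emit_message(stdout, msg);
    escape_percent(escaped, sizeof escaped, cwd);
    printf("%s\n", escaped);
    return 0;
}
```

The detection check is deliberately conservative: a trailing bare "%" counts as suspicious, and "%%" does not, matching how the C library parses conversions. The escaping helper keeps snprintf's return convention so a caller can tell when the buffer was too small rather than silently shipping a truncated string.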
humpback, please provide a fixed ebuild, thanks.
This is CAN-2005-2390
uberlord will do the ebuild, adding him to CC. For those who are interested, patches can be found here:
http://bugs.proftpd.org/show_bug.cgi?id=2645
http://bugs.proftpd.org/show_bug.cgi?id=2646
I've committed proftpd-1.2.10-r7 with the two fixes backported. This ebuild depends on net-ftp/ftpbase-0.00, which has only been marked stable on x86 and amd64 - it should be ok to mark stable for your arch as it just installs the ftp user, the home directory for the ftp user and an ftp pam.d file. If you mark proftpd-1.2.10-r7 stable for your ARCH, you'll need to mark ftpbase-0.00 stable too. Arches, please test and mark stable proftpd-1.2.10-r7 and ftpbase-0.00.
marked ftpbase/proftpd ppc stable
stable on ppc64
Stable on amd64 and x84
Erm - I mean stable on x86 :)
(In reply to comment #4)
> I've committed proftpd-1.2.10-r7 with the two fixes backported.

Well, you claim that proftpd-1.2.10-r7 is not vulnerable, while http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2390 claims that below 1.3.0rc2 it is vulnerable. How is it ordered? Adir.
I've applied the patches which address the vulnerabilities to the 1.2.10-r7 ebuild from their bugzilla posts:
http://bugs.proftpd.org/show_bug.cgi?id=2645
http://bugs.proftpd.org/show_bug.cgi?id=2646

You can see this in the 1.2.10-r7 ebuild, as it applies these patches that mirror the above:
proftpd-ftpshut.patch
proftpd-sqlshowinfo.patch
Stable on hppa
Stable on alpha
sparc stable.
There are no stable keywords for mips.
ready for glsa
GLSA 200508-02
Can you please modify the code listing in the GLSA "Resolution" section? It's broken for folks using anything earlier than proftpd-1.2.10-r6, because that version introduced a dependency on ftpbase, which blocks anything earlier. I suggest:

emerge --sync
emerge unmerge "<net-ftp/proftpd-1.2.10-r6"
emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.2.10-r7"

Or something. :-)