Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 154650 - net-ftp/proftpd: Remote exec of arbitrary code (CommandBufferSize DoS CVE-2006-5815, sreplace() off-by-one error CVE-2006-6171, and mod_tls stack overflow CVE-2006-6170)
Summary: net-ftp/proftpd: Remote exec of arbitrary code (CommandBufferSize DoS CVE-200...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/22803/
Whiteboard: A2 [glsa] Falco
Keywords:
: 156503 (view as bug list)
Depends on:
Blocks:
 
Reported: 2006-11-10 02:10 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-12-01 00:04 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
mod_tls.patchj as used by OpenPKG (proftd_mod_tls.patch,382 bytes, patch)
2006-11-28 05:42 UTC, Stefan Cornelius (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-10 02:10:21 UTC
Hi chtekk, an unspecified vulnerability in proftpd could allow the remote execution of arbitrary code. An exploit code is said to be found ( http://gleg.net/vulndisco_meta.shtml )

No update available yet
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-10 02:55:19 UTC
i've applied the patch taken from http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date

that compiles fine.

Chtekk could you please check that patch and apply it too, please
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-21 09:18:34 UTC
the patch is not related to the vuln described here, it seems to be another issue.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-21 09:36:34 UTC
also the fix was revised, it seems like you need to add http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.293&r2=1.294&sortby=date this one, too.

Besides, this looks like a pointer for the unspecified one:
http://elegerov.blogspot.com/2006/10/do-you-remember-2-years-old-overflow.html
Comment 4 Marcin Deranek 2006-11-27 08:26:04 UTC
Looks like the new version has been just released which addresses this vulnerability..
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-27 14:24:57 UTC
indeed, http://bugs.proftpd.org/show_bug.cgi?id=2858
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/support.c?r1=1.79&r2=1.80&sortby=date

The new version is 1.3.0a

CHTEKK please bump, thanks
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-28 05:42:54 UTC
Created attachment 102910 [details, diff]
mod_tls.patchj as used by OpenPKG

Patch used by OpenPKG to fix the mod_tls vuln
Comment 7 Matt Drew (RETIRED) gentoo-dev 2006-11-28 08:19:28 UTC
*** Bug 156503 has been marked as a duplicate of this bug. ***
Comment 8 Luca Longinotti (RETIRED) gentoo-dev 2006-11-28 09:14:07 UTC
net-ftp/proftpd-1.3.0a is in the tree now, enjoy!
Updated to 1.3.0a and added the patch for both the commandbuffer issue and the mod_tls one.
Best regards, CHTEKK.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-28 11:36:51 UTC
Thx Luca.

Arches please test and mark stable. Target keywords are:

proftpd-1.3.0a.ebuild:KEYWORDS="alpha amd64 hppa ~mips ppc ppc64 sparc x86"
Comment 10 Christoph Mende (RETIRED) gentoo-dev 2006-11-28 11:45:38 UTC
emerges fine and works on amd64

Portage 2.1.2_rc2-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-ck1-r2 x86_64)
=================================================================
System uname: 2.6.18-ck1-r2 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.6
Last Sync: Tue, 28 Nov 2006 19:20:01 +0000
ccache version 2.3 [enabled]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay /usr/local/portage/xfce"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi alsa audiofile berkdb bitmap-fonts branding bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus divx dlloader dri dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal iconv imagemagick input_devices_evdev input_devices_keyboard ipod jpeg kernel_linux ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mp3 mpeg ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU v4l v4l2 video_cards_fglrx video_cards_radeon vim-with-x vorbis wmp xinerama xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
Comment 11 Markus Meier gentoo-dev 2006-11-28 11:54:19 UTC
net-ftp/proftpd-1.3.0a  USE="ipv6 ldap ncurses pam ssl tcpd -acl -authfile -clamav -hardened -ifsession -mysql -noauthunix -opensslcrypt -postgres -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd"
1. emerges on x86
2. passes collision test
3. works

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.3 i686)
=================================================================
System uname: 2.6.18.3 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Tue, 28 Nov 2006 18:30:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-28 12:32:46 UTC
x86 is safe as always
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-28 13:19:45 UTC
*** Bug 156503 has been marked as a duplicate of this bug. ***
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-28 13:38:27 UTC
pffff hard... i think secunia is wrong and this vulnerability is not CVE-2006-5815

We have 3 vulnerabilities on proftpd :

- this one, code exec by Evgeny Legerov with sreplace(), SA 22803, bug 154650 (this one)

- a DoS with the CommandBufferSize command, CVE-2006-5815 and SA 22821, also fixed in bug 154650

- code exec by Evgeny Legerov in mod_tls, SA 23141, unpatched, bug 56503
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-28 14:24:28 UTC
> - this one, code exec by Evgeny Legerov with sreplace(), SA 22803, bug 154650
> (this one)


actually Secunia seems to refer to the good CVE entry, but the content of the CVE entry is b0rked... AFAICT, there is no CommandBufferSize in vd_proftpd.pm :

"Buffer overflow in ProFTPD 1.3.0 and earlier, when configured to use the CommandBufferSize directive, allows remote attackers to cause a denial of service, as demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit.""

> - a DoS with the CommandBufferSize command, CVE-2006-5815 and SA 22821, also
> fixed in bug 154650
> 
> - code exec by Evgeny Legerov in mod_tls, SA 23141, unpatched, bug 56503

and fixed by Chtekk in Gentoo's proftpd
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2006-11-28 21:50:24 UTC
Stable for HPPA.
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-29 05:06:50 UTC
sparc stable.
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-29 07:58:14 UTC
ppc stable
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-30 09:23:52 UTC
Note that CVE-2006-6171 is disputed.
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2006-11-30 12:45:44 UTC
ppc64 stable
Comment 21 Alexander Færøy 2006-11-30 12:50:36 UTC
y0y0, stable on Alpha
Comment 22 Luca Longinotti (RETIRED) gentoo-dev 2006-11-30 13:03:09 UTC
AMD64 stable (using it myself on several servers) and removed old vulnerable 1.3.0 versions.
Best regards, CHTEKK.
Comment 23 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-01 00:04:18 UTC
GLSA 200611-26, thanks for the speedness