Bug 258450 (CVE-2009-0542) - net-ftp/proftpd <1.3.2 Encoding-dependent SQL injection vulnerability (CVE-2009-{0542,0543})
Summary: net-ftp/proftpd <1.3.2 Encoding-dependent SQL injection vulnerability (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2009-0542
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.proftpd.org/docs/NEWS-1.3.2
Whiteboard: B3 [glsa]
Depends on: 258838 259610
Reported: 2009-02-10 14:37 UTC by Alessandro Calorì
Modified: 2009-03-12 22:32 UTC
CC List: 4 users
Description Alessandro Calorì 2009-02-10 14:37:13 UTC
Please update the ebuild to the last stable release. It solves many issues along with some security vulnerabilities.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-02-11 16:25:37 UTC
1.3.2 fixes an encoding-dependent SQL injection vulnerability:
http://bugs.proftpd.org/show_bug.cgi?id=3173

However, a more severe issue has been discovered and we should bump to a release with both issues fixed:
http://bugs.proftpd.org/show_bug.cgi?id=3180
Comment 2 Joël Bohnes 2009-02-11 19:15:13 UTC
The second issue has already been fixed in 1.3.2rc3.
With working exploits on milw0rm & co, please update ASAP.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 20:31:10 UTC
CVE-2009-0542 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0542):
  SQL injection vulnerability in ProFTPD Server 1.3.1 through 1.3.2rc2
  allows remote attackers to execute arbitrary SQL commands via a "%"
  (percent) character in the username, which introduces a "'" (single
  quote) character during variable substitution by mod_sql.

CVE-2009-0543 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0543):
  ProFTPD Server 1.3.1, with NLS support enabled, allows remote
  attackers to bypass SQL injection protection mechanisms via invalid,
  encoded multibyte characters, which are not properly handled in (1)
  mod_sql_mysql and (2) mod_sql_postgres.
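
A defender-side illustration of the two input paths named in these CVE texts, as an added example that is not ProFTPD or mod_sql code: it rejects malformed multibyte usernames (the CVE-2009-0543 vector) and usernames carrying the "%" substitution character (the CVE-2009-0542 vector) before any lookup, and binds the username as a query parameter instead of splicing it into SQL text. The in-memory users table, its column names and the "%"-reject rule are assumptions for the example, not a documented ProFTPD workaround.

```python
# Added example, not ProFTPD/mod_sql code: two checks a login path can apply
# before a username reaches SQL, each mapped to one of the CVEs quoted above,
# plus a parameter-bound lookup so the username is never spliced into the query.
import sqlite3


def validate_username(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, decoded name or reject reason). raw is the username as received."""
    # CVE-2009-0543: invalid, encoded multibyte sequences got past the escaping
    # layer, so decode strictly and reject anything that is not well-formed UTF-8.
    try:
        name = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False, "invalid multibyte sequence"
    # CVE-2009-0542: a '%' in the username was treated as a substitution tag by
    # mod_sql. Assumed hardening rule for this example: reject it outright.
    if "%" in name:
        return False, "substitution metacharacter '%'"
    if not name or len(name) > 64:
        return False, "empty or over-long"
    return True, name


def lookup_password(conn: sqlite3.Connection, raw: bytes):
    """Return the stored password field for a username, or None if rejected or absent."""
    ok, name = validate_username(raw)
    if not ok:
        return None
    # Parameter binding: the value travels separately from the SQL text, so quotes,
    # '%' or odd byte sequences in the value cannot alter the statement.
    row = conn.execute("SELECT passwd FROM users WHERE userid = ?", (name,)).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a mod_sql backend (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', '{sha1}constructed-hash')")
    return conn


if __name__ == "__main__":
    db = demo_db()
    # Constructed inputs: a valid name, a '%' tag, a stray continuation byte, a legitimate quote.
    for u in (b"alice", b"al%uice", b"al\xbf'ice", b"o'brien"):
        print(u, "->", validate_username(u), lookup_password(db, u))
```

The quoted name `o'brien` is accepted by the validator and simply fails to match, which is the point of binding: a legitimate quote in a username neither breaks nor changes the query.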

Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-02-14 04:42:16 UTC
Maintainers, take note of the ebuilds posted in the blocking bug.
Comment 5 Bernard Cafarelli gentoo-dev 2009-02-17 13:16:56 UTC
OK, let's try to get this package back on track...

I've just added =net-ftp/proftpd-1.3.2 to the tree, with minimal modification to the previous ebuild, as a candidate for security stabling.

1.3.2-r1 will include the other fixes kindly provided by Bernd Lommerzheim and other people in currently open bugs.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-02-17 19:46:24 UTC
Arches, please test and mark stable:
=net-ftp/proftpd-1.3.2
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-02-18 18:24:49 UTC
ppc64 done
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-02-18 18:25:38 UTC
I went after -r1; hope that is OK.
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2009-02-18 18:45:57 UTC
With ranger's comment and the whole slew of comments on the blocker bug - what do you want us to make stable? -r0+deps or -r1+deps?
Comment 10 Bernard Cafarelli gentoo-dev 2009-02-18 23:49:14 UTC
-r0 is a minimal version bump that only targets the security issue, while -r1 has a few other bugfixes included.

So for this specific security stabling, it's safer to stable -r0, but -r1 is also fine if you find it so.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-02-20 12:27:07 UTC
Stable for HPPA.
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2009-02-20 17:15:05 UTC
Stable on alpha.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2009-02-20 18:21:34 UTC
sparc/x86 stable
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-25 16:20:37 UTC
ppc stable
Comment 15 Markus Meier gentoo-dev 2009-02-25 20:45:19 UTC
amd64 stable, all arches done.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-05 20:15:20 UTC
Ready for vote, I vote YES.
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-07 18:36:51 UTC
YES, too. Request filed.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-12 22:32:56 UTC
GLSA 200903-27