Quote from: http://www.securityfocus.com/bid/46183/discuss The 'mod_sftp' module for ProFTPD is prone to an integer-overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied data. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.
Thank you for your report! I can confirm that a ProFTPD server with the mod_sftp module enabled at least segfaults when it gets attacked by the exploit. A few days ago this security issue was reported upstream in [1]. Furthermore it seems that this issue is related to another bug report [2] and that the proposed fix [3] does fix this security issue. In my local tests the exploit did not segfault the ProFTPD server with this patch anymore.

[1] http://bugs.proftpd.org/show_bug.cgi?id=3587
[2] http://bugs.proftpd.org/show_bug.cgi?id=3586
[3] http://bugs.proftpd.org/attachment.cgi?id=3539
(In reply to comment #1)
> [1] http://bugs.proftpd.org/show_bug.cgi?id=3587
> [2] http://bugs.proftpd.org/show_bug.cgi?id=3586
> [3] http://bugs.proftpd.org/attachment.cgi?id=3539

Thanks for the info. Looks like this is fixed upstream, but they have not released a new version.
I've added 1.3.3d-r1 (stable target) and 1.3.4_rc1-r1 by Bernd in tree, which contain the fix.
(In reply to comment #3)
> I've added in tree 1.3.3d-r1 (stable target) and 1.3.4_rc1-r1 by Bernd, which
> contain the fix

Great, thank you. Arches, please test and mark stable:
=net-ftp/proftpd-1.3.3d-r1
Target keywords: "alpha amd64 hppa ppc ppc64 sparc x86"
amd64: except for the QA notice, it compiled fine and appears to do its job. I did not get extensive in testing, other than having my son try to fail it from his system; it tested fine. Unable to locate the given versions; did find =net-ftp/proftpd-1.3.4-rc1, tested with the same.

 * QA Notice: Package has poor programming practices which may compile
 * fine but exhibit random runtime failures.
 * mod_delay.c:995: warning: array subscript is above array bounds
 * mod_delay.c:955: warning: array subscript is above array bounds
 * Please do not file a Gentoo bug and instead report the above QA
 * issues directly to the upstream developers of this software.
 * Homepage: http://www.proftpd.org/
 * http://www.castaglia.org/proftpd/
 * http://www.thrallingpenguin.com/resources/mod_clamav.htm
 * http://gssmod.sourceforge.net/
Stable for HPPA.
x86 stable.
amd64 ok
(In reply to comment #5)
> * QA Notice: Package has poor programming practices which may compile
> * fine but exhibit random runtime failures.
> * mod_delay.c:995: warning: array subscript is above array bounds
> * mod_delay.c:955: warning: array subscript is above array bounds

Thanks for reporting this! These two warnings only appear when building ProFTPD with controls support (USE="ctrls"). I reported them upstream and I hope to fix them in the next revision bumps of ProFTPD 1.3.3* and 1.3.4*.
amd64 done. Thank you, guys.
ppc/ppc64 stable
sparc done
alpha/sparc stable
Thanks, everyone. Added to existing GLSA request.
*** Bug 357535 has been marked as a duplicate of this bug. ***
CVE-2011-1137 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1137): Integer overflow in the mod_sftp (aka SFTP) module in ProFTPD 1.3.3d and earlier allows remote attackers to cause a denial of service (memory consumption leading to OOM kill) via a malformed SSH message.
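The bug class named in the CVE description above (a length taken from a malformed SSH message and used for arithmetic and buffer sizing without a bound check), shown as an added illustration. This is not code from this bug thread and not ProFTPD's mod_sftp source: the function names, the 35000-byte ceiling (taken from the minimum packet size RFC 4253 requires implementations to accept) and the sample headers are assumptions constructed for the demonstration. The vulnerable variant shows both outcomes the advisories mention: a wrapped, too-small size (the integer overflow) and an unwrapped multi-gigabyte request (the memory consumption that draws the OOM killer).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed ceiling for one SSH binary packet (RFC 4253 section 6.1 requires
 * implementations to accept at least 35000 bytes; a server picks a limit
 * near that). Not a ProFTPD constant. */
#define SSH_MAX_PACKET_LEN 35000u

/* Constructed sample inputs: the first four bytes of an SSH binary packet,
 * i.e. the big-endian uint32 packet_length field. */
const unsigned char VALID_HDR[4] = {0x00, 0x00, 0x00, 0x20}; /* packet_length = 32 */
const unsigned char WRAP_HDR[4]  = {0xff, 0xff, 0xff, 0xff}; /* + 4 wraps to 3 */
const unsigned char HUGE_HDR[4]  = {0xff, 0xff, 0xff, 0xf0}; /* ~4 GiB request */

/* Decode a big-endian uint32 as used throughout the SSH wire format. */
static uint32_t read_u32_be(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: trusts packet_length from the peer. The 32-bit sum
 * "length field + payload" can wrap to a tiny value (an under-sized buffer,
 * hence the code-execution claim), or stay huge and be handed to an
 * allocator (memory exhaustion, hence the OOM-kill claim). The size is
 * returned rather than allocated so the demo is safe to run. */
uint32_t vulnerable_packet_buf_size(const unsigned char *hdr) {
    uint32_t packet_length = read_u32_be(hdr);
    return packet_length + 4;   /* unsigned 32-bit add: may wrap around */
}

/* Hardened pattern: validate the untrusted length against a lower bound
 * (padding_length byte + at least 4 bytes of padding) and an upper bound
 * before any arithmetic, then compute the buffer size in size_t so the add
 * cannot wrap. Returns 0 to signal a rejected packet. */
size_t hardened_packet_buf_size(const unsigned char *hdr) {
    uint32_t packet_length = read_u32_be(hdr);
    if (packet_length < 5 || packet_length > SSH_MAX_PACKET_LEN)
        return 0;
    return (size_t)packet_length + 4;   /* bounded by 35004 */
}

int main(void) {
    printf("vulnerable: valid=%u wrap=%u huge=%u\n",
           vulnerable_packet_buf_size(VALID_HDR),
           vulnerable_packet_buf_size(WRAP_HDR),
           vulnerable_packet_buf_size(HUGE_HDR));
    printf("hardened:   valid=%zu wrap=%zu huge=%zu\n",
           hardened_packet_buf_size(VALID_HDR),
           hardened_packet_buf_size(WRAP_HDR),
           hardened_packet_buf_size(HUGE_HDR));
    return 0;
}
```

The check order matters: the comparison against SSH_MAX_PACKET_LEN happens on the raw field, before the `+ 4`, because once the sum has wrapped a range check on the result no longer says anything about the input. That is the same reason a fix for this class of bug cannot be a bounds check placed after the allocation size is computed.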
This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle).