Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 390075 (CVE-2011-4130) - <net-ftp/proftpd-1.3.3g Response Pool Use-After-Free Vulnerability (CVE-2011-4130)
Summary: <net-ftp/proftpd-1.3.3g Response Pool Use-After-Free Vulnerability (CVE-2011-...
Status: RESOLVED FIXED
Alias: CVE-2011-4130
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46811/
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-10 11:03 UTC by Agostino Sarubbo
Modified: 2013-09-24 23:39 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-11-10 11:03:03 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to a use-after-free error when handling response pool allocation lists and can be exploited to corrupt memory.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 1.3.3g.


Solution:
Update to version 1.3.3g or 1.3.4.

Upstream bug: http://bugs.proftpd.org/show_bug.cgi?id=3711
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2011-11-10 19:47:19 UTC
According to http://www.gentoo.org/security/en/vulnerability-policy.xml, B1 is correct.

@Maintainers: please provide an updated ebuild soonish.
Comment 2 Agostino Sarubbo gentoo-dev 2011-11-10 20:09:52 UTC
(In reply to comment #1)
> According to http://www.gentoo.org/security/en/vulnerability-policy.xml, B1 is
> correct.
Sorry for the misunderstanding.
Comment 3 Bernard Cafarelli gentoo-dev 2011-11-14 10:25:27 UTC
1.3.3g and 1.3.4 are in tree now, and vulnerable 1.3.4_rc3 removed.

1.3.3g is the target version for stabling, target keywords "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-11-14 10:28:44 UTC
well, thank you.

Arches, please test and mark stable:
=net-ftp/proftpd-1.3.3g
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 5 Jeroen Roovers gentoo-dev 2011-11-14 11:50:23 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2011-11-14 14:30:20 UTC
amd64 ok
Comment 7 Andreas Schürch gentoo-dev 2011-11-14 19:18:50 UTC
x86 stable.
Comment 8 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-11-15 03:51:34 UTC
amd64: pass
Comment 9 Tony Vroon gentoo-dev 2011-11-16 10:43:01 UTC
+  16 Nov 2011; Tony Vroon <chainsaw@gentoo.org> proftpd-1.3.3g.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in security bug #390075.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-12-03 17:11:48 UTC
alpha/sparc stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-12-13 00:22:32 UTC
CVE-2011-4130 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4130):
  Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g
  allows remote authenticated users to execute arbitrary code via vectors
  involving an error that occurs after an FTP data transfer.
Comment 12 Mark Loeser (RETIRED) gentoo-dev 2011-12-22 22:46:46 UTC
ppc/ppc64 done
Comment 13 Agostino Sarubbo gentoo-dev 2011-12-22 23:31:19 UTC
thanks everyone, add to existing glsa request.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 23:39:30 UTC
This issue was resolved and addressed in
 GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml
by GLSA coordinator Sean Amoss (ackle).