199206 – (CVE-2007-5769) net-ftp/netkit-ftpd < 0.17-r7 fclose() on uninitialized streams (CVE-2007-{5769,6263})

Bug 199206 (CVE-2007-5769) - net-ftp/netkit-ftpd < 0.17-r7 fclose() on uninitialized streams (CVE-2007-{5769,6263})

Summary: net-ftp/netkit-ftpd < 0.17-r7 fclose() on uninitialized streams (CVE-2007-{57...

Status:	RESOLVED FIXED

Alias:	CVE-2007-5769

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa]
Keywords:

Depends on:
Blocks:	201675
	Show dependency tree

Reported:	2007-11-15 08:19 UTC by airsupply
Modified:	2008-03-24 19:51 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description airsupply 2007-11-15 08:19:54 UTC

netkit-ftpd/ftp uninitialized vulnerability

[Security Advisory]



Advisory: [AD_LAB-07009] netkit-ftpd/ftp uninitialized vulnerability

Class: Design Error

DATE:11/1/2007

CVEID:CVE-2007-5769 

Vulnerable:

	netkit-ftpd-0.17/netkit-ftp-0.17
Vendor:



I.Synopsis

A vulnerability has been discovered in netkit-ftpd/ftp.

II.DETAILS:

----------

Background

netkit-ftpd is the Linux Netkit FTP server with optional SSL support.
netkit-ftp is the client for the ftp protocol.

Description

	There is a uninitialized  vulnerability in function dataconn() in ftpd.c.
 	static FILE * dataconn(const char *name, off_t size, const char *mode)
 	{
 		char sizebuf[32];
 		FILE *file;  <-uninit variable.

		...
			 if (SSL_accept(ssl_data_con)<=0) {
1459 				static char errbuf[1024];
1460 	
1461 				snprintf(errbuf, sizeof(errbuf), "ftpd: SSL_accept DATA error %s\n",
1462 					    ERR_error_string(ERR_get_error(),NULL));
1463 				perror_reply(425, errbuf);
1464 				/* abort time methinks ... */
1465 				fclose(file); <-- close an uninit value.
1466 				return NULL;


Program received signal SIGSEGV, Segmentation fault.
0x6fca33fd in fclose () from /lib/libc.so.6
(gdb) bt
#0  0x6fca33fd in fclose () from /lib/libc.so.6
#1  0x0804c601 in dataconn (name=0x77add110 "/bin/ls", size=<value optimized out>, mode=0x8053f4f "w") at ftpd.c:1465
#2  0x0804d3f8 in retrieve (cmd=0x80550c7 "/bin/ls -lgA", name=0x77add110 "/bin/ls") at ftpd.c:1197
#3  0x0805193a in yyparse () at ftpcmd.y:378
) at ftpd.c:685

in order to trigger this bug, the client should use the passive mode to transfer data.
and  the SSL_accept should  failed at line ftpd.c:1458. the client broke the connection 
will cause the SSL_accept failed. 

same problem occur in netkit-ftp's getreply() too.
467     int
468     getreply(int expecteof)
469     {
........
520                                             (void) signal(SIGINT,oldintr);
521                                             code = 221;
522                                             return (0);
523                                     }
524                                     lostpeer(0);
525                                     fclose(cout);

Program received signal SIGSEGV, Segmentation fault.
0x6fcb73fd in fclose () from /lib/libc.so.6
(gdb) bt
#0  0x6fcb73fd in fclose () from /lib/libc.so.6
#1  0x0804fb9c in getreply (expecteof=0) at ftp.c:525
#2  0x0804fe49 in abort_remote (din=0x8099a20) at ftp.c:2117
#3  0x08052400 in recvrequest (cmd=0x80567f1 "LIST", local=0x8059400 "-", remote=0x0, lmode=0x8056b44 "w", printnames=0) at ftp.c:1288
#4  0x0804bcb5 in ls (argc=1, argv=0x80650e0) at cmds.c:1429
#5  0x08055382 in main (argc=-817625725, argv=0xc3010805) at main.c:484

Impact
Reading uninitialized variables can result in unpredictable behavior, crashes, or security holes.

III.CREDIT: 

----------

    Venustech AD-LAB discovery this vuln. Thank to all Venustech AD-Lab guys.



V.DISCLAIMS:

-----------



The information in this bulletin is provided "AS IS" without warranty of any

kind. In no event shall we be liable for any damages whatsoever including direct,

indirect, incidental, consequential, loss of business profits or special damages. 



Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.



VENUSTECH Security Lab 

VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)



Security

Trusted {Solution} Provider

Service

Reproducible: Always

Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-11-16 22:39:36 UTC

Is there a fix available somewhere?

Comment 2 Tomas Hoger 2007-11-30 13:09:50 UTC

As for ftp (client):

Fedora / RHEL packages include one patch (netkit-ftp-0.17-segv.patch) which seems to address this issue.  Patch was written by Alan Cox and is included in our ftp packages as of June 2004.

Patch:
http://cvs.fedora.redhat.com/viewcvs/rpms/ftp/F-8/netkit-ftp-0.17-segv.patch?view=auto

VenusTech, can you please provide more information of how to reproduce ftp client crash so we can verify whether this problem is properly addressed by this patch?  Thanks!

Comment 3 Tomas Hoger 2007-11-30 14:15:49 UTC

(In reply to comment #2)
> Fedora / RHEL packages include one patch (netkit-ftp-0.17-segv.patch) which
> seems to address this issue.  Patch was written by Alan Cox and is included in
> our ftp packages as of June 2004.

Oh well, that patch is included in ftp ebuilds and it actually seems to introduce the problem.

Following patch was added few months ago:

http://cvs.fedora.redhat.com/viewcvs/rpms/ftp/F-8/netkit-ftp-0.17-sigseg.patch?view=auto

Comment 4 airsupply 2007-12-03 03:44:20 UTC

yep,this ftp client crash addressed by this patch.

Comment 5 airsupply 2007-12-08 00:25:59 UTC

we public the adv in fd.
http://seclists.org/fulldisclosure/2007/Dec/0174.html.

Comment 6 Robert Buchholz (RETIRED) gentoo-dev

2007-12-10 00:42:21 UTC

The ftpd issue was assigned CVE-2007-6263 and it is still unfixed.
The ftp issue is CVE-2007-5769 and a patch can be found in comment 3.

Rerating B3 as this is only confirmed as DoS.

base-system, can you apply the one patch and prepare a similar one for ftpd? Initializing and checking for NULL should do the trick. Thanks.

Comment 7 Robert Buchholz (RETIRED) gentoo-dev

2008-01-06 00:19:30 UTC

(In reply to comment #6)
> The ftpd issue was assigned CVE-2007-6263 and it is still unfixed.

Patch is here:
http://people.debian.org/~nion/nmu-diff/linux-ftpd-ssl-0.17.18+0.3-9_0.17.18+0.3-9.1.patch

Base-system, please bump.

Comment 8 Robert Buchholz (RETIRED) gentoo-dev

2008-01-09 10:44:02 UTC

base-system, are there plans on fixing these two issues?

If not, we'll have a look.

Comment 9 Robert Buchholz (RETIRED) gentoo-dev

2008-01-10 23:52:18 UTC

*netkit-ftpd-0.17-r7 (10 Jan 2008)

  10 Jan 2008; Robert Buchholz <rbu@gentoo.org>
  +files/netkit-ftpd-0.17-fclose-CVE-2007-6263.patch,
  -netkit-ftpd-0.17-r6.ebuild, +netkit-ftpd-0.17-r7.ebuild:
  Security: Fix a double-fclose vulnerability in the dataconn function
  (CVE-2007-6263, #199206)

*ftp-0.17-r7 (10 Jan 2008)

  10 Jan 2008; Robert Buchholz <rbu@gentoo.org>
  +files/netkit-ftp-0.17-sigseg.patch, +ftp-0.17-r7.ebuild:
  Security: Fix a double-fclose() vulnerability in the getreply function
  (CVE-2007-5769, #199206)

Comment 10 Robert Buchholz (RETIRED) gentoo-dev

2008-01-10 23:56:41 UTC

Arches, please test and mark stable net-ftp/netkit-ftpd-0.17-r7.
Target keywords : "alpha amd64 arm ia64 ppc s390 sh sparc x86"


The issue in ftp (not ftpd) is not considered to be a security vulnerability, as it only allows to crash a client program. It is fixed in net-ftp/ftp-0.17-r7, arches are free to stable that version as they prefer.

Comment 11 Brent Baude (RETIRED) gentoo-dev

2008-01-11 00:59:20 UTC

ppc and ~ppc64

Comment 12 Christian Faulhammer (RETIRED) gentoo-dev

2008-01-11 07:55:13 UTC

* Applying netkit-ftpd-0.17-fclose-CVE-2007-6263.patch ...

 * Failed Patch: netkit-ftpd-0.17-fclose-CVE-2007-6263.patch !
 *  ( /usr/portage/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-fclose-CVE-2007-6263.patch )

If USE=ssl is NOT set.

Comment 13 Robert Buchholz (RETIRED) gentoo-dev

2008-01-11 11:26:46 UTC

Sorry, my fault.

I fixed that in-place and dropped ppc. Brent, please keyword again.

Comment 14 Christian Faulhammer (RETIRED) gentoo-dev

2008-01-11 12:42:14 UTC

x86 stable

Comment 15 Jeroen Roovers (RETIRED) gentoo-dev

2008-01-11 13:57:44 UTC

Nothing to do here!?

Comment 16 Brent Baude (RETIRED) gentoo-dev

2008-01-11 14:38:26 UTC

re-ppc'd

Comment 17 Peter Weller (RETIRED) gentoo-dev

2008-01-11 17:42:17 UTC

amd64 done.

Comment 18 Jakub Moc (RETIRED) gentoo-dev

2008-01-13 09:37:53 UTC

arm/s390/sh done...

http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-ftp/netkit-ftpd/netkit-ftpd-0.17-r7.ebuild?r1=1.7&r2=1.8

Comment 19 Raúl Porcel (RETIRED) gentoo-dev

2008-01-14 19:41:31 UTC

alpha/ia64/sparc stable

mips doesn't have it keyworded

Comment 20 Robert Buchholz (RETIRED) gentoo-dev

2008-01-15 15:19:14 UTC

GLSA vote. I'm in for a YES.

Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2008-01-15 20:10:39 UTC

I tend to vote YES.

Comment 22 Robert Buchholz (RETIRED) gentoo-dev

2008-01-27 19:17:53 UTC

Since no one voted NO, this is a yes then :-)

Comment 23 Robert Buchholz (RETIRED) gentoo-dev

2008-03-24 19:51:57 UTC

GLSA 200801-17