Backport proftpd security fixes

Bug #674798 reported by Neil Wilson on 2010-11-13
268
This bug affects 1 person
Affects Status Importance Assigned to Milestone
proftpd-dfsg (Ubuntu)
Undecided
Unassigned

Bug Description

Backport security fixes from Debian to correct outstanding CVEs.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: proftpd-dev (not installed)
ProcVersionSignature: Ubuntu 2.6.32-25.45-generic 2.6.32.21+drm33.7
Uname: Linux 2.6.32-25-generic x86_64
Architecture: amd64
Date: Sat Nov 13 06:21:45 2010
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027)
ProcEnviron:
 PATH=(custom, user)
 LANG=en_GB.utf8
 SHELL=/bin/bash
SourcePackage: proftpd-dfsg

Neil Wilson (neil-aldur) wrote :

Vulnerability in versions of proftpd between proftpd-1.3.2rc3 and proftpd-1.3.3

http://bugs.proftpd.org/show_bug.cgi?id=3521

Patches available in Debian.

http://packages.debian.org/changelogs/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.3a-5/changelog

visibility: private → public
Changed in proftpd-dfsg (Ubuntu):
assignee: nobody → Brightbox (brightbox)
status: New → In Progress
Neil Wilson (neil-aldur) wrote :

Directory traversal bug affects ProFTPd version range 1.3.0a (2006) to 1.3.3b (latest version)

Neil Wilson (neil-aldur) wrote :

Directory traversal upstream bug

http://bugs.proftpd.org/show_bug.cgi?id=3519

Neil Wilson (neil-aldur) wrote :

Security patch for directory traversal does not apply cleanly to 1.3.2 code.

The interface of mod_site_misc has not changed to the Debian version and it seems safest and simplest to backport the entire patched module.

Neil Wilson (neil-aldur) wrote :
Neil Wilson (neil-aldur) wrote :

Library interfaces have changed which makes using the Debian patch impractical. Recoded patch for 1.3.2 interfaces.

Debdiff attached and tested with modified python script based on http://www.securiteam.com/unixfocus/6R0360A0AY.html

Neil Wilson (neil-aldur) wrote :
Changed in proftpd-dfsg (Ubuntu):
status: In Progress → Confirmed
assignee: Brightbox (brightbox) → nobody
Steve Beattie (sbeattie) wrote :

Neil, thanks. I've built lucid and maverick versions into the ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages and performed light testing on them. It'd be great if you could test these as well before we pocket copy these to the update pockets.

Steve Beattie (sbeattie) wrote :

Oh, I should point out that the CVE_2010_3867.dpatch you provided contained a reference to a dir_canonical_dst() function, which bothe generated a new compilation warning due to the arguments not matched the expected types and that I was unable to find defined in the source. I assumed it was the result of an overzealous search and replace on dir_canonical_path() and compensated accordingly.

Good spot.

On 20 November 2010 07:54, Steve Beattie <email address hidden> wrote:
> Oh, I should point out that the CVE_2010_3867.dpatch you provided
> contained a reference to a dir_canonical_dst() function, which bothe
> generated a new compilation warning due to the arguments not matched the
> expected types and that I was unable to find defined in the source. I
> assumed it was the result of an overzealous search and replace on
> dir_canonical_path() and compensated accordingly.
>
> --
> Backport proftpd security fixes
> https://bugs.launchpad.net/bugs/674798
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
Neil Wilson

Neil Wilson (neil-aldur) wrote :

Package is in place on the main ftp server here and is performing as expected.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package proftpd-dfsg - 1.3.2c-1ubuntu0.1

---------------
proftpd-dfsg (1.3.2c-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Telnet IAC processing stack overflow.
     This vulnerability allows remote attackers to execute arbitrary code on
     vulnerable installations of ProFTPD. Authentication is not required to
     exploit this vulnerability.
     (LP: #674646)
     - debian/patches/3521.patch: adjust src/netio.c to check buflen properly.
     - http://bugs.proftpd.org/attachment.cgi?id=3521
     - CVE-2010-4221
   * SECURITY UPDATE: Inappropriate directory traversal allowed by
     mod_site_misc. This vulnerability can be used to:
      - create a directory located outside the writable directory
      - delete a directory located outside the writable directory
      - create a symlink located outside the writable directory
      - change the time of a file located outside the writable directory.
    (LP: #674798)
     - debian/patches/CVE_2010_3867.dpatch: based on debian 3519.dpatch
       backported to v1.3.2
     - http://bugs.proftpd.org/attachment.cgi?id=3519
     - CVE-2010-3867
 -- Neil Wilson <email address hidden> Sat, 13 Nov 2010 11:51:28 +0000

Changed in proftpd-dfsg (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.