diff -u proftpd-dfsg-1.3.2c/debian/control proftpd-dfsg-1.3.2c/debian/control
--- proftpd-dfsg-1.3.2c/debian/control
+++ proftpd-dfsg-1.3.2c/debian/control
@@ -1,7 +1,8 @@
 Source: proftpd-dfsg
 Section: net
 Priority: optional
-Maintainer: Francesco Paolo Lovergine
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Francesco Paolo Lovergine
 Standards-Version: 3.8.3
 Build-Depends: libmysqlclient-dev, libpam-dev, debhelper (>= 7), zlib1g-dev, libpq-dev, libldap2-dev, libssl-dev, libwrap0-dev, libcap2-dev|not+linux-gnu,
@@ -15,7 +16,7 @@
 openbsd-inetd | inet-superserver
 Conflicts: ftp-server, proftpd (<< 1.3.2)
 Replaces: proftpd (<< 1.3.2)
-Provides: ftp-server, proftpd, proftpd-abi-1.3.2a
+Provides: ftp-server, proftpd, proftpd-abi-1.3.2c
 Suggests: proftpd-doc, openssl, proftpd-mod-mysql, proftpd-mod-pgsql, proftpd-mod-ldap, proftpd-mod-odbc, proftpd-mod-sqlite
 Description: Versatile, virtual-hosting FTP daemon - binaries
 ProFTPd is a powerful replacement for wu-ftpd. This File Transfer Protocol
diff -u proftpd-dfsg-1.3.2c/debian/changelog proftpd-dfsg-1.3.2c/debian/changelog
--- proftpd-dfsg-1.3.2c/debian/changelog
+++ proftpd-dfsg-1.3.2c/debian/changelog
@@ -1,3 +1,27 @@
+proftpd-dfsg (1.3.2c-1ubuntu0.1) lucid-security; urgency=low
+
+ * SECURITY UPDATE: Telnet IAC processing stack overflow.
+ This vulnerability allows remote attackers to execute arbitrary code on
+ vulnerable installations of ProFTPD. Authentication is not required to
+ exploit this vulnerability.
+ (LP: #674646)
+ - debian/patches/3521.patch: adjust src/netio.c to check buflen properly.
+ - http://bugs.proftpd.org/attachment.cgi?id=3521
+ - CVE-2010-4221
+ * SECURITY UPDATE: Inappropriate directory traversal allowed by
+ mod_site_misc. This vulnerability can be used to:
+ - create a directory located outside the writable directory
+ - delete a directory located outside the writable directory
+ - create a symlink located outside the writable directory
+ - change the time of a file located outside the writable directory.
+ (LP: #674798)
+ - debian/patches/CVE_2010_3867.dpatch: based on debian 3519.dpatch
+ backported to v1.3.2
+ - http://bugs.proftpd.org/attachment.cgi?id=3519
+ - CVE-2010-3867
+
+ -- Neil Wilson Sat, 13 Nov 2010 11:51:28 +0000
+
 proftpd-dfsg (1.3.2c-1) unstable; urgency=low
 
 * New upstream release, with fix of CVE-2009-3736 due to update of the
diff -u proftpd-dfsg-1.3.2c/debian/control.in proftpd-dfsg-1.3.2c/debian/control.in
--- proftpd-dfsg-1.3.2c/debian/control.in
+++ proftpd-dfsg-1.3.2c/debian/control.in
@@ -1,7 +1,8 @@
 Source: proftpd-dfsg
 Section: net
 Priority: optional
-Maintainer: Francesco Paolo Lovergine
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Francesco Paolo Lovergine
 Standards-Version: 3.8.3
 Build-Depends: libmysqlclient-dev, libpam-dev, debhelper (>= 7), zlib1g-dev, libpq-dev, libldap2-dev, libssl-dev, libwrap0-dev, libcap2-dev|not+linux-gnu,
diff -u proftpd-dfsg-1.3.2c/debian/patches/00list proftpd-dfsg-1.3.2c/debian/patches/00list
--- proftpd-dfsg-1.3.2c/debian/patches/00list
+++ proftpd-dfsg-1.3.2c/debian/patches/00list
@@ -12,0 +13,2 @@
+3521
+CVE_2010_3867.dpatch
only in patch2: unchanged:
--- proftpd-dfsg-1.3.2c.orig/debian/patches/CVE_2010_3867.dpatch
+++ proftpd-dfsg-1.3.2c/debian/patches/CVE_2010_3867.dpatch
@@ -0,0 +1,94 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## Description: 1.3.2 version of directory traversal patch
+## Origin/Author: Neil Wilson
+## Bug: https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/674798
+## CVE_2010_3867.dpatch by Neil Wilson
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: 1.3.2 version of directory traversal patch
+
+@DPATCH@
+diff -urNad proftpd-dfsg-1.3.2c~/contrib/mod_site_misc.c proftpd-dfsg-1.3.2c/contrib/mod_site_misc.c
+--- proftpd-dfsg-1.3.2c~/contrib/mod_site_misc.c 2008-12-10 06:54:05.000000000 +0000
++++ proftpd-dfsg-1.3.2c/contrib/mod_site_misc.c 2010-11-13 12:06:49.359131786 +0000
+@@ -89,7 +89,10 @@
+ return 0;
+ 
+ dup_path = pstrdup(p, path);
+- curr_path = session.cwd;
++ /* The given path should already be canonicalized; we do not need to worry
++ * if it is relative to the current working directory or not.
++ */
++ curr_path = "/";
+ 
+ while (dup_path &&
+ *dup_path) {
+@@ -277,7 +280,12 @@
+ return PR_ERROR(cmd);
+ }
+ 
+- if (!dir_check(cmd->tmp_pool, "SITE_MKDIR", G_WRITE, path, NULL)) {
++ path = dir_canonical_path(cmd->tmp_pool, path);
++ if (path == NULL) {
++ pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EINVAL));
++ return PR_ERROR(cmd);
++ }
++ if (!dir_check_canon(cmd->tmp_pool, "SITE_MKDIR", G_WRITE, path, NULL)) {
+ pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EPERM));
+ return PR_ERROR(cmd);
+ }
+@@ -321,7 +329,12 @@
+ 
+ path = pr_fs_decode_path(cmd->tmp_pool, path);
+ 
+- if (!dir_check(cmd->tmp_pool, "SITE_RMDIR", G_WRITE, path, NULL)) {
++ path = dir_canonical_path(cmd->tmp_pool, path);
++ if (path == NULL) {
++ pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EINVAL));
++ return PR_ERROR(cmd);
++ }
++ if (!dir_check_canon(cmd->tmp_pool, "SITE_RMDIR", G_WRITE, path, NULL)) {
+ pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EPERM));
+ return PR_ERROR(cmd);
+ }
+@@ -361,14 +374,24 @@
+ 
+ src = pr_fs_decode_path(cmd->tmp_pool, cmd->argv[2]);
+ 
+- if (!dir_check(cmd->tmp_pool, "SITE_SYMLINK", G_WRITE, src, NULL)) {
++ src = dir_canonical_path(cmd->tmp_pool, src);
++ if (src == NULL) {
++ pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EINVAL));
++ return PR_ERROR(cmd);
++ }
++ if (!dir_check_canon(cmd->tmp_pool, "SITE_SYMLINK", G_WRITE, src, NULL)) {
+ pr_response_add_err(R_550, "%s: %s", cmd->argv[2], strerror(EPERM));
+ return PR_ERROR(cmd);
+ }
+ 
+ dst = pr_fs_decode_path(cmd->tmp_pool, cmd->argv[3]);
+ 
+- if (!dir_check(cmd->tmp_pool, "SITE_SYMLINK", G_WRITE, dst, NULL)) {
++ dst = dir_canonical_dst(cmd->tmp_pool, dst);
++ if (dst == NULL) {
++ pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EINVAL));
++ return PR_ERROR(cmd);
++ }
++ if (!dir_check_canon(cmd->tmp_pool, "SITE_SYMLINK", G_WRITE, dst, NULL)) {
+ pr_response_add_err(R_550, "%s: %s", cmd->argv[3], strerror(EPERM));
+ return PR_ERROR(cmd);
+ }
+@@ -435,7 +458,12 @@
+ 
+ path = pr_fs_decode_path(cmd->tmp_pool, path);
+ 
+- if (!dir_check(cmd->tmp_pool, "SITE_UTIME", G_WRITE, path, NULL)) {
++ path = dir_canonical_path(cmd->tmp_pool, path);
++ if (path == NULL) {
++ pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EINVAL));
++ return PR_ERROR(cmd);
++ }
++ if (!dir_check_canon(cmd->tmp_pool, "SITE_UTIME", G_WRITE, path, NULL)) {
+ pr_response_add_err(R_550, "%s: %s", cmd->arg, strerror(EPERM));
+ return PR_ERROR(cmd);
+ }
only in patch2: unchanged:
--- proftpd-dfsg-1.3.2c.orig/debian/patches/3521.dpatch
+++ proftpd-dfsg-1.3.2c/debian/patches/3521.dpatch
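Review bot: In the SITE_SYMLINK hunk (`@@ -361,14 +374,24 @@`) the destination path is canonicalised with `dir_canonical_dst`, while the `src` path a few lines above and every other site in this patch (SITE_MKDIR, SITE_RMDIR, SITE_UTIME) use `dir_canonical_path`; nothing else on this page references `dir_canonical_dst`, so unless it is an existing ProFTPD API this looks like a typo that would at best produce an implicit declaration and an unresolved symbol in mod_site_misc, and in either case the `dst` argument would not be canonicalised the way the other four paths are. The line should presumably read `dst = dir_canonical_path(cmd->tmp_pool, dst);`. A smaller point in the same hunk: the two new EINVAL replies report `cmd->arg`, whereas the adjacent EPERM replies report `cmd->argv[2]` and `cmd->argv[3]`, so which path the client sees named in the 550 depends on which check failed. Each modified function starts and ends outside its hunk, so what the canonicalised path is later used for cannot be judged from here.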
@@ -0,0 +1,27 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 3521.dpatch by Francesco Paolo Lovergine
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' proftpd-dfsg~/src/netio.c proftpd-dfsg/src/netio.c
+--- proftpd-dfsg~/src/netio.c 2010-09-13 15:38:16.000000000 +0200
++++ proftpd-dfsg/src/netio.c 2010-11-03 10:50:38.000000000 +0100
+@@ -1100,6 +1100,16 @@
+ }
+ }
+ 
++ /* In the situation where the previous byte was an IAC, we wrote IAC
++ * into the output buffer, and decremented buflen (size of the output
++ * buffer remaining). Thus we need to check here if buflen is zero,
++ * before trying to decrement buflen again (and possibly underflowing
++ * the buflen size_t data type).
++ */
++ if (buflen == 0) {
++ break;
++ }
++ 
+ *bp++ = cp;
+ buflen--;
+ }
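Review bot: The patch header still carries the template text `## DP: No description.`, so the file itself never says what it fixes; the description line should name the issue and its references, e.g. `## DP: src/netio.c: stop decrementing buflen once it reaches zero after an IAC byte (CVE-2010-4221, proftpd bug 3521)`. The patch is also named three different ways across this commit: the file is `3521.dpatch`, 00list adds `3521` without a suffix, and the changelog refers to `debian/patches/3521.patch`; using one spelling in all three places makes it obvious at a glance that they refer to the same patch. The added `buflen == 0` guard reads correctly given the comment above it, but the enclosing function and the loop it breaks out of start and end outside the hunk, so how the caller treats the partially filled buffer after the early `break` cannot be judged from here.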