CVE-2011-4130 in lucid, maverick, natty

Bug #905252 reported by Mahyuddin Susanto on 2011-12-16
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| proftpd-dfsg (Ubuntu) | | Undecided | Unassigned | |
| Lucid | | Medium | Unassigned | |
| Maverick | | Medium | Unassigned | |
| Natty | | Medium | Unassigned | |
| Oneiric | | Undecided | Unassigned | |
| Precise | | Undecided | Unassigned | |

Bug Description

Description
Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g
allows remote authenticated users to execute arbitrary code via vectors
involving an error that occurs after an FTP data transfer.

References
 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4130
 - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4130
 - https://launchpad.net/bugs/cve/CVE-2011-4130
 - http://security-tracker.debian.net/tracker/CVE-2011-4130

Affected:
 - Lucid
 - Maverick
 - Natty

Oneiric is not affected because we have 1.3.4~rc2-4 in the archive

Changed in proftpd-dfsg (Ubuntu):
assignee: nobody → Mahyuddin Susanto (udienz)
status: New → In Progress
visibility: private → public
Mahyuddin Susanto (udienz) wrote :

Debdiff for Natty. According to DSA-2346-1, this is only for CVE-2011-4130, because the mod_tls buffer bug has been applied in debian/patches/3624.

The attachment "proftpd-dfsg_natty.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch

Debdiff for maverick, also added patches from DebianBug #648922 to prevent regression. See also DSA 2346-2

Mahyuddin Susanto (udienz) wrote :

Debdiff for lucid, also added patches from DebianBug #648922 to prevent regression. See also DSA 2346-2

description: updated
Changed in proftpd-dfsg (Ubuntu):
status: In Progress → New
assignee: Mahyuddin Susanto (udienz) → nobody
summary: - CVE-2011-4130
+ CVE-2011-4130 in lucid, maverick, natty
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! Your changelog entry and patch name reference 'CVE-2011-041'. This is an invalid CVE identifier. From what I can tell from the history in the Debian squeeze package, you meant to reference CVE-2011-0411. Can you confirm this? If so, the debdiffs should be updated to not call this issue by that CVE name, since it is for postfix. Instead, say it is 'similar to CVE-2011-0411' in the changelog and DEP-3 comments (and rename the patch).

Also, CVE-2010-4652 and CVE-2011-1137 are also open for lucid and maverick (patches are available in the Debian squeeze packaging). Can you update your debdiffs to include the fixes for these issues as well?

Thanks again!

Changed in proftpd-dfsg (Ubuntu Natty):
status: New → Confirmed
importance: Undecided → Medium
Changed in proftpd-dfsg (Ubuntu Maverick):
importance: Undecided → Medium
Changed in proftpd-dfsg (Ubuntu Lucid):
importance: Undecided → Medium
Changed in proftpd-dfsg (Ubuntu Maverick):
status: New → Incomplete
Changed in proftpd-dfsg (Ubuntu Lucid):
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

Also, it looks like Oneiric may also be affected. Can you verify?

Changed in proftpd-dfsg (Ubuntu Natty):
status: Confirmed → Incomplete
assignee: nobody → Mahyuddin Susanto (udienz)
Changed in proftpd-dfsg (Ubuntu Precise):
status: New → Fix Released
Changed in proftpd-dfsg (Ubuntu Oneiric):
status: New → Incomplete
assignee: nobody → Mahyuddin Susanto (udienz)
Changed in proftpd-dfsg (Ubuntu Maverick):
assignee: nobody → Mahyuddin Susanto (udienz)
Changed in proftpd-dfsg (Ubuntu Lucid):
assignee: nobody → Mahyuddin Susanto (udienz)
Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors. Please resubscribe after submitting updated debdiffs. Thanks again.

tags: added: patch-needswork
Changed in proftpd-dfsg (Ubuntu Maverick):
status: Incomplete → In Progress
Changed in proftpd-dfsg (Ubuntu Lucid):
status: Incomplete → In Progress
Changed in proftpd-dfsg (Ubuntu Oneiric):
status: Incomplete → In Progress
Changed in proftpd-dfsg (Ubuntu Natty):
status: Incomplete → In Progress
Aaron Kelley (aaronkelley) wrote :

Has there been any progress on getting this fix out? I'm asking because it *is* a security issue, and there hasn't been any reported progress for almost 3 months. This vulnerability is showing up in a PCI compliance scan for one of my servers running Lucid.

Marc Deslauriers (mdeslaur) wrote :

proftpd-dfsg is supported by the community, so somebody needs to step up and provide debdiffs to fix the issue.

If nobody is interested in doing the work, then there is no progress and proftpd-dfsg will likely remain vulnerable.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in proftpd-dfsg (Ubuntu Maverick):
status: In Progress → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against natty is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in proftpd-dfsg (Ubuntu Natty):
status: In Progress → Won't Fix
Changed in proftpd-dfsg (Ubuntu Maverick):
assignee: Mahyuddin Susanto (udienz) → nobody
Changed in proftpd-dfsg (Ubuntu Natty):
assignee: Mahyuddin Susanto (udienz) → nobody
Changed in proftpd-dfsg (Ubuntu Oneiric):
assignee: Mahyuddin Susanto (udienz) → nobody
Changed in proftpd-dfsg (Ubuntu Lucid):
assignee: Mahyuddin Susanto (udienz) → nobody
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against oneiric is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in proftpd-dfsg (Ubuntu Oneiric):
status: In Progress → Won't Fix
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in proftpd-dfsg (Ubuntu Lucid):
status: In Progress → Won't Fix
This report contains Public Security information
Everyone can see this security related information.