Backport proftpd security fixes

Vulnerability in versions of proftpd between proftpd-1.3.2rc3 and proftpd-1.3.3

http://bugs.proftpd.org/show_bug.cgi?id=3521

Patches available in Debian.

http://packages.debian.org/changelogs/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.3a-5/changelog

Directory traversal bug affects ProFTPd version range 1.3.0a (2006) to 1.3.3b (latest version)

http://www.securiteam.com/unixfocus/6R0360A0AY.html

Directory traversal upstream bug

http://bugs.proftpd.org/show_bug.cgi?id=3519

Security patch for directory traversal does not apply cleanly to 1.3.2 code.

The interface of mod_site_misc has not changed to the Debian version and it seems safest and simplest to backport the entire patched module.

Library interfaces have changed which makes using the Debian patch impractical. Recoded patch for 1.3.2 interfaces.

Debdiff attached and tested with modified python script based on http://www.securiteam.com/unixfocus/6R0360A0AY.html

Built locally and on PPA.

https://launchpad.net/~brightbox/+archive/experimental/+sourcepub/1363310/+listing-archive-extra

Tested on lucid VM.

Neil, thanks. I've built lucid and maverick versions into the ubuntu-security-proposed ppa at https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages and performed light testing on them. It'd be great if you could test these as well before we pocket copy these to the update pockets.

Oh, I should point out that the CVE_2010_3867.dpatch you provided contained a reference to a dir_canonical_dst() function, which bothe generated a new compilation warning due to the arguments not matched the expected types and that I was unable to find defined in the source. I assumed it was the result of an overzealous search and replace on dir_canonical_path() and compensated accordingly.

Good spot.

On 20 November 2010 07:54, Steve Beattie <email address hidden> wrote:
> Oh, I should point out that the CVE_2010_3867.dpatch you provided
> contained a reference to a dir_canonical_dst() function, which bothe
> generated a new compilation warning due to the arguments not matched the
> expected types and that I was unable to find defined in the source. I
> assumed it was the result of an overzealous search and replace on
> dir_canonical_path() and compensated accordingly.
>
> --
> Backport proftpd security fixes
> https://bugs.launchpad.net/bugs/674798
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
Neil Wilson

Package is in place on the main ftp server here and is performing as expected.

This bug was fixed in the package proftpd-dfsg - 1.3.2c-1ubuntu0.1

---------------
proftpd-dfsg (1.3.2c-1ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Telnet IAC processing stack overflow.
     This vulnerability allows remote attackers to execute arbitrary code on
     vulnerable installations of ProFTPD. Authentication is not required to
     exploit this vulnerability.
     (LP: #674646)
     - debian/patches/3521.patch: adjust src/netio.c to check buflen properly.
     - http://bugs.proftpd.org/attachment.cgi?id=3521
     - CVE-2010-4221
   * SECURITY UPDATE: Inappropriate directory traversal allowed by
     mod_site_misc. This vulnerability can be used to:
      - create a directory located outside the writable directory
      - delete a directory located outside the writable directory
      - create a symlink located outside the writable directory
      - change the time of a file located outside the writable directory.
    (LP: #674798)
     - debian/patches/CVE_2010_3867.dpatch: based on debian 3519.dpatch
       backported to v1.3.2
     - http://bugs.proftpd.org/attachment.cgi?id=3519
     - CVE-2010-3867
 -- Neil Wilson <email address hidden> Sat, 13 Nov 2010 11:51:28 +0000