From owner-freebsd-ports-bugs@FreeBSD.ORG Tue Nov 14 07:00:06 2006
Return-Path:
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 040D616A40F for ; Tue, 14 Nov 2006 07:00:06 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 809E643D45 for ; Tue, 14 Nov 2006 07:00:05 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kAE705Rc011359 for ; Tue, 14 Nov 2006 07:00:05 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kAE705jV011358; Tue, 14 Nov 2006 07:00:05 GMT (envelope-from gnats)
Resent-Date: Tue, 14 Nov 2006 07:00:05 GMT
Resent-Message-Id: <200611140700.kAE705jV011358@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Alex Samorukov"
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D16A716A407 for ; Tue, 14 Nov 2006 06:52:24 +0000 (UTC) (envelope-from samm@os2.kiev.ua)
Received: from em.volia.net (em.volia.net [82.144.192.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4321043D60 for ; Tue, 14 Nov 2006 06:52:23 +0000 (GMT) (envelope-from samm@os2.kiev.ua)
Received: from ip.85.202.152.154.dyn.sub-4.broadband.voliacable.com ([85.202.152.154] helo=samm.local) by em.volia.net with esmtp (Exim 4.63 (FreeBSD)) (envelope-from ) id 1Gjs9e-0009L6-Im for FreeBSD-gnats-submit@freebsd.org; Tue, 14 Nov 2006 08:52:23 +0200
Message-Id: <1163487142.15422@samm.local>
Date: Tue, 14 Nov 2006 08:52:22 +0200
From: "Alex Samorukov"
To: "FreeBSD gnats submit"
X-Send-Pr-Version: gtk-send-pr 0.4.7
Cc:
Subject: ports/105510: security: ftp/proftpd "CommandBufferSize" Directive Remote Code Execution Vulnerability
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 14 Nov 2006 07:00:06 -0000

>Number:         105510
>Category:       ports
>Synopsis:       security: ftp/proftpd "CommandBufferSize" Directive Remote Code Execution Vulnerability
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 14 07:00:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Alex Samorukov
>Release:        FreeBSD 6.1-RELEASE i386
>Organization:
Shevchenko Didkovskiy and Partners
>Environment:
System: FreeBSD 6.1-RELEASE #2: Wed May 17 22:22:18 EEST 2006 root@samm.local:/usr/obj/usr/src/sys/SAMMKRNL
>Description:
A vulnerability has been identified in ProFTPD, which could be exploited by attackers to cause a denial of service or execute arbitrary commands. This flaw is due to a buffer overflow error in the "main.c" file, where "cmd_buf_size", the size of the buffer used to handle FTP commands sent by clients, is not properly set to the size configured via the "CommandBufferSize" directive. This could be exploited by attackers to compromise a vulnerable server via a specially crafted FTP command.

I backported the fix from http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date
>How-To-Repeat:
See http://www.frsirt.com/english/advisories/2006/4451
>Fix:
--- /usr/ports/ftp/proftpd/Makefile	Tue Nov 14 08:33:35 2006
+++ /usr/home/samm/tmp/proftpd/Makefile	Tue Nov 14 08:44:21 2006
@@ -7,7 +7,7 @@ PORTNAME= proftpd DISTVERSION= 1.3.0 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= ftp MASTER_SITES= ftp://ftp.proftpd.org/distrib/source/ \ ftp://ftp.fastorama.com/mirrors/ftp.proftpd.org/distrib/source/ \ diff -ruN --exclude=CVS /usr/ports/ftp/proftpd/files/patch-main.c /usr/home/samm/tmp/proftpd/files/patch-main.c --- /usr/ports/ftp/proftpd/files/patch-main.c Thu Jan 1 03:00:00 1970 +++ /usr/home/samm/tmp/proftpd/files/patch-main.c Tue Nov 14 08:47:53 2006 @@ -0,0 +1,46 @@ +--- src/main.c.orig Wed Mar 15 21:41:01 2006 ++++ src/main.c Tue Nov 14 08:47:12 2006 +@@ -116,6 +116,8 @@ + + static char sbuf[PR_TUNABLE_BUFFER_SIZE] = {'\0'}; + ++#define PR_DEFAULT_CMD_BUFSZ 512 ++ + static char **Argv = NULL; + static char *LastArgv = NULL; + static const char *PidPath = PR_PID_FILE_PATH; +@@ -820,16 +822,25 @@ + pr_timer_reset(TIMER_IDLE, NULL); + + if (cmd_buf_size == -1) { +- long *buf_size = get_param_ptr(main_server->conf, +- "CommandBufferSize", FALSE); +- +- if (buf_size == NULL || *buf_size <= 0) +- cmd_buf_size = 512; ++ int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize", ++ FALSE); + +- else if (*buf_size + 1 > sizeof(buf)) { +- pr_log_pri(PR_LOG_WARNING, "Invalid CommandBufferSize size given. " +- "Resetting to 512."); +- cmd_buf_size = 512; ++ if (bufsz == NULL || ++ *bufsz <= 0) { ++ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) " ++ "given, resetting to default buffer size (%u)", ++ *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ); ++ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ; ++ ++ } else if (*bufsz + 1 > sizeof(buf)) { ++ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) " ++ "given, resetting to default buffer size (%u)", ++ *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ); ++ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ; ++ ++ } else { ++ pr_log_debug(DEBUG1, "setting CommandBufferSize to %d", *bufsz); ++ cmd_buf_size = (long) *bufsz; + } + } + >Release-Note: >Audit-Trail: >Unformatted:
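Review bot: in the second hunk of patch-main.c (@@ -820,16 +822,25 @@), the first branch of the new check, `if (bufsz == NULL || *bufsz <= 0)`, passes `*bufsz` to pr_log_pri() as a format argument, so when the directive is absent and get_param_ptr() returns NULL this is a NULL pointer dereference on the first command of every session on a server that does not set CommandBufferSize. Split the NULL case into its own branch that quietly assigns `cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;` and keep the "invalid CommandBufferSize size (%d)" warning only under `*bufsz <= 0`. The warning text and the reset are also duplicated verbatim in the `*bufsz + 1 > sizeof(buf)` branch; folding the two invalid cases into one condition keeps them from drifting apart. Finally, the lookup type changes from `long *buf_size` to `int *bufsz`: confirm the CommandBufferSize directive handler stores an int, because if it still stores a long this read now has the wrong width, which is the same class of mismatch the Description attributes to the original bug.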
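Review bot: in the first hunk of patch-main.c (@@ -116,6 +116,8 @@), PR_DEFAULT_CMD_BUFSZ is a bare `512` defined locally in main.c, while the later check bounds the configured value by `sizeof(buf)`; nothing ties the fallback to that buffer, so if the buffer is ever shrunk the "safe" default could itself exceed it. Consider defining the default in terms of the buffer it bounds or adding a compile-time check that PR_DEFAULT_CMD_BUFSZ + 1 <= sizeof(buf), and note in the port's files/ that this constant mirrors the upstream r1.293 change so it can be dropped when the port moves to a release that carries it.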
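The Description above says the command buffer length was not being set correctly from CommandBufferSize, and the patch adds the validation that is missing. The following is an added illustration of that validation in isolation; it is not proftpd's code and not part of this PR. The names effective_cmd_bufsz, read_command and demo, the 1024-byte capacity and the 2000-byte command are all constructed for the example. It shows the three cases a correct check has to handle (directive absent, non-positive value, value larger than the real buffer) and that the length limit handed to the line reader is what keeps an oversized command from overflowing the buffer.

```c
/* Added illustration (not proftpd's code): validating a configured command
 * buffer size against the real capacity of the receive buffer before using
 * it as a length limit.  All names and sizes here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define DEFAULT_CMD_BUFSZ 512     /* fallback, same value the patch above uses */
#define CMD_BUF_CAPACITY  1024    /* capacity of the real receive buffer */

/* Constructed configuration values for the demo. */
static const int kTooBig = 4096, kOk = 800, kNegative = -1;

/* Return the length limit to pass to the line reader.
 * 'configured' is the CommandBufferSize value, or NULL when the directive
 * is absent from the configuration.  The value is trusted only if it is
 * positive and leaves room for the terminating NUL in a buffer of
 * 'capacity' bytes; otherwise the default is used.  The NULL case must be
 * handled before anything dereferences the pointer. */
static size_t effective_cmd_bufsz(const int *configured, size_t capacity) {
    if (configured == NULL) {
        return DEFAULT_CMD_BUFSZ;          /* absent directive: quiet default */
    }
    if (*configured <= 0 || (size_t)*configured + 1 > capacity) {
        fprintf(stderr, "invalid CommandBufferSize %d, using %d\n",
                *configured, DEFAULT_CMD_BUFSZ);
        return DEFAULT_CMD_BUFSZ;
    }
    return (size_t)*configured;
}

/* Copy one command line from 'input' into 'buf', storing at most
 * 'limit' - 1 bytes and always NUL-terminating.  Returns the number of
 * bytes stored.  If 'limit' were allowed to exceed the buffer's capacity
 * this loop would write past the end of 'buf', which is why the limit is
 * validated before it gets here. */
static size_t read_command(char *buf, size_t limit, const char *input) {
    size_t n = 0;
    while (n + 1 < limit && input[n] != '\0' && input[n] != '\n') {
        buf[n] = input[n];
        n++;
    }
    buf[n] = '\0';
    return n;
}

/* Feed a constructed oversized command (2000 bytes of 'A', no newline)
 * through the validated limit and report how much was kept. */
static size_t demo(const int *configured) {
    char buf[CMD_BUF_CAPACITY];
    char oversized[2001];
    memset(oversized, 'A', 2000);
    oversized[2000] = '\0';
    size_t limit = effective_cmd_bufsz(configured, sizeof buf);
    return read_command(buf, limit, oversized);
}

int main(void) {
    printf("directive absent: %zu bytes kept\n", demo(NULL));
    printf("value too large:  %zu bytes kept\n", demo(&kTooBig));
    printf("value negative:   %zu bytes kept\n", demo(&kNegative));
    printf("value 800:        %zu bytes kept\n", demo(&kOk));
    return 0;
}
```

The ordering matters: the NULL test stands alone and returns before any dereference, and the "too large" test compares `*configured + 1` against the buffer's real capacity so the terminating NUL is accounted for. With a 1024-byte buffer a configured 1024 is rejected while 1023 is accepted.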