Bug#672257: proftpd-basic: Causes 100% CPU usage, reading file stats very slowly and using a lot of RAM, possible DoS

Michael Moritz systems at gn.apc.org
Wed May 9 14:06:34 UTC 2012 

Package: proftpd-basic
Version: 1.3.1-17lenny9
Severity: normal
Tags: squeeze

I think this is the same problem as reported here http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630091

But happens even without HideFiles pattern set in teh current stable version of proftpd-basic when accessing a folder with a a lot of files in it (1000+).

The log gives this pattern:

FS: using system stat()
AllowOverride allows all .ftpaccess files
FS: using system stat()
FS: using system access()
FS: using system stat()
FS: using system lstat()

Endlessly repeating. Until a resource limit is hit (if one is set).

It looks like this has been fixed upstream (Fixed in 1.3.3d, released 17-Dec-2010) so wondering why this is not in Debian squeeze.

Sorry for marking this as critical but it renders FTP unusable and needs to be fixed urgently.

Workaround: downgrade to lenny version.


Regards and keep up the good work,


Michael

-- System Information:
Debian Release: 6.0.4
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages proftpd-basic depends on:
ii  adduser               3.112+nmu2         add and remove users and groups
ii  debconf               1.5.36.1           Debian configuration management sy
ii  debianutils           3.4                Miscellaneous utilities specific t
ii  libacl1               2.2.49-4           Access control list shared library
ii  libattr1              1:2.4.44-2         Extended attribute shared library
ii  libc6                 2.11.3-2           Embedded GNU C Library: Shared lib
ii  libcap1               1:1.10-14          support for getting/setting POSIX.
ii  libncurses5           5.7+20100313-5     shared libraries for terminal hand
ii  libpam-runtime        1.1.1-6.1+squeeze1 Runtime support for the PAM librar
ii  libpam0g              1.1.1-6.1+squeeze1 Pluggable Authentication Modules l
ii  libssl0.9.8           0.9.8o-4squeeze12  SSL shared libraries
ii  libwrap0              7.6.q-19           Wietse Venema's TCP wrappers libra
ii  netbase               4.45               Basic TCP/IP networking system
ii  sed                   4.2.1-7            The GNU sed stream editor
ii  ucf                   3.0025+nmu1        Update Configuration File: preserv
ii  update-inetd          4.38+nmu1+squeeze1 inetd configuration file updater

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
ii  openssl                0.9.8o-4squeeze12 Secure Socket Layer (SSL) binary a
pn  proftpd-doc            <none>            (no description available)
pn  proftpd-mod-ldap       <none>            (no description available)
pn  proftpd-mod-mysql      <none>            (no description available)
pn  proftpd-mod-pgsql      <none>            (no description available)

-- Configuration Files:
/etc/cron.monthly/proftpd [Errno 2] No such file or directory: u'/etc/cron.monthly/proftpd'

-- debconf information:
* shared/proftpd/inetd_or_standalone: standalone

More information about the Pkg-proftpd-maintainers mailing list