proftpd-basic: segfault in TLS mode with certificate when strlen on NULL, string

Frédéric Magnard magnard at iap.fr
Tue Sep 23 00:29:45 UTC 2014 

Subject: proftpd-basic: segfault in TLS mode with certificate when strlen on NULL string
Package: proftpd-basic
Version: 1.3.4a-5+deb7u1
Severity: important
Tags: upstream patch



-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages proftpd-basic depends on:
ii  adduser         3.113+nmu3
ii  debconf         1.5.49
ii  debianutils     4.3.2
ii  libacl1         2.2.51-8
ii  libc6           2.13-38+deb7u4
ii  libcap2         1:2.22-1.2
ii  libncurses5     5.9-10
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1
ii  libpcre3        1:8.30-5
ii  libssl1.0.0     1.0.1e-2+deb7u12
ii  libtinfo5       5.9-10
ii  libwrap0        7.6.q-24
ii  netbase         5.0
ii  sed             4.2.1-10
ii  ucf             3.0025+nmu3
ii  update-inetd    4.43
ii  zlib1g          1:1.2.7.dfsg-13

Versions of packages proftpd-basic recommends:
ii  proftpd-mod-vroot  0.9.2-2+b2

Versions of packages proftpd-basic suggests:
pn  openbsd-inetd | inet-superserver  <none>
ii  openssl                           1.0.1e-2+deb7u12
pn  proftpd-doc                       <none>
pn  proftpd-mod-ldap                  <none>
pn  proftpd-mod-mysql                 <none>
pn  proftpd-mod-odbc                  <none>
pn  proftpd-mod-pgsql                 <none>
pn  proftpd-mod-sqlite                <none>

-- debconf information excluded

I use proftpd with TLS configuration like:

# TLS
<IfModule mod_tls.c>
 TLSEngine on
 TLSLog /home/debian/test/proftpd/logs/proftpd_tls.log ALL
 TLSProtocol SSLv23
#  TLSProtocol TLSv1
 # reject protection of the data channel
 TLSRequired !data
 TLSOptions AllowDotLogin
 # Server's certificate
 TLSRSACertificateFile /etc/ssl/certs/proftpd.cert.pem
 TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
 # Authenticate clients that want to use FTP over TLS?
 TLSVerifyClient off
 # Change renegotiations so that they are not required, only requested
 TLSRenegotiate required off
</IfModule>

And then try to connect to it using certificates with a commande like:
curl -v --ftp-create-dirs -k --ftp-ssl-control -u debian:null -E ~/.ssl/ftps.cat.pem ftp://server//home/debian/toto

proftpd then segfaults on line 269 of modules/mod_auth.c:
passwd_len = strlen(cmd->arg);

cmd->arg is NULL in this configuration, and strlen segfaults.

To solve the bug, this line can be replaced by:
passwd_len = (cmd->arg == NULL) ? 0 : strlen(cmd->arg);

More information about the Pkg-proftpd-maintainers mailing list