proftpd-basic: segfault in TLS mode with certificate when strlen on NULL string
Frédéric Magnard
magnard at iap.fr
Tue Sep 23 00:29:45 UTC 2014
Subject: proftpd-basic: segfault in TLS mode with certificate when strlen on NULL string
Package: proftpd-basic
Version: 1.3.4a-5+deb7u1
Severity: important
Tags: upstream patch
-- System Information:
Debian Release: 7.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages proftpd-basic depends on:
ii adduser 3.113+nmu3
ii debconf 1.5.49
ii debianutils 4.3.2
ii libacl1 2.2.51-8
ii libc6 2.13-38+deb7u4
ii libcap2 1:2.22-1.2
ii libncurses5 5.9-10
ii libpam-runtime 1.1.3-7.1
ii libpam0g 1.1.3-7.1
ii libpcre3 1:8.30-5
ii libssl1.0.0 1.0.1e-2+deb7u12
ii libtinfo5 5.9-10
ii libwrap0 7.6.q-24
ii netbase 5.0
ii sed 4.2.1-10
ii ucf 3.0025+nmu3
ii update-inetd 4.43
ii zlib1g 1:1.2.7.dfsg-13
Versions of packages proftpd-basic recommends:
ii proftpd-mod-vroot 0.9.2-2+b2
Versions of packages proftpd-basic suggests:
pn openbsd-inetd | inet-superserver <none>
ii openssl 1.0.1e-2+deb7u12
pn proftpd-doc <none>
pn proftpd-mod-ldap <none>
pn proftpd-mod-mysql <none>
pn proftpd-mod-odbc <none>
pn proftpd-mod-pgsql <none>
pn proftpd-mod-sqlite <none>
-- debconf information excluded
I use proftpd with TLS configuration like:
# TLS
<IfModule mod_tls.c>
TLSEngine on
TLSLog /home/debian/test/proftpd/logs/proftpd_tls.log ALL
TLSProtocol SSLv23
# TLSProtocol TLSv1
# reject protection of the data channel
TLSRequired !data
TLSOptions AllowDotLogin
# Server's certificate
TLSRSACertificateFile /etc/ssl/certs/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
# Change renegotiations so that they are not required, only requested
TLSRenegotiate required off
</IfModule>
And then try to connect to it using certificates with a command like:
curl -v --ftp-create-dirs -k --ftp-ssl-control -u debian:null -E ~/.ssl/ftps.cat.pem ftp://server//home/debian/toto
proftpd then segfaults on line 269 of modules/mod_auth.c:
passwd_len = strlen(cmd->arg);
cmd->arg is NULL in this configuration, and strlen segfaults.
To solve the bug, this line can be replaced by:
passwd_len = (cmd->arg == NULL) ? 0 : strlen(cmd->arg);
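Added example (not part of the original report and not ProFTPD code): a stand-alone C model of the two lines above that runs each one in a forked child, so the NULL-argument crash and the guarded form can be checked as a regression test. The one-field `cmd_rec` struct and the `survives` helper are hypothetical names introduced for the illustration.

```c
/* Added example: stand-alone model of the NULL-argument case, not ProFTPD code. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the command record; only `arg` matters here. */
typedef struct { const char *arg; } cmd_rec;

/* Pattern from the report: strlen() on an argument that may be NULL. */
static size_t passwd_len_unguarded(const cmd_rec *cmd) {
    return strlen(cmd->arg);
}

/* Replacement proposed in the report: a missing argument has length 0. */
static size_t passwd_len_guarded(const cmd_rec *cmd) {
    return (cmd->arg == NULL) ? 0 : strlen(cmd->arg);
}

/* Run fn in a forked child so a crash cannot take the caller down.
 * Returns 1 if the child exited cleanly, 0 if it crashed, -1 on error. */
static int survives(size_t (*fn)(const cmd_rec *), const char *arg) {
    const char *volatile opaque = arg;   /* keep the compiler from folding NULL */
    cmd_rec cmd = { opaque };
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        volatile size_t sink = fn(&cmd); /* force the call to happen */
        (void)sink;
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void) {
    /* Constructed inputs: "null" is the password in the curl command above;
     * NULL models the missing argument described in the report. */
    printf("unguarded, arg=\"null\": %d\n", survives(passwd_len_unguarded, "null"));
    printf("unguarded, arg=NULL:   %d\n", survives(passwd_len_unguarded, NULL));
    printf("guarded,   arg=NULL:   %d\n", survives(passwd_len_guarded, NULL));
    return 0;
}
```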