Bug#923926: proftpd-basic: proftpd 1.3.5b has memory leaks, allows Denial-Of-Service attack

Subharo Bhikkhu esbeeb at tuta.io
Thu Mar 7 10:26:05 GMT 2019 

Package: proftpd-basic
Version: 1.3.5b-4
Severity: grave
Tags: security
Justification: renders package unusable

Dear Maintainer,

Debian Security has been notified.

The proftpd in Debian stable has memory leaks in it.  A malicious user, who has a valid username and password into the SSL-enabled proftpd server (even if just an anonymous user, if allowed), merely needs to upload a "Calibre Library" folder, containing a bunch of small ebooks, large to cause the server to a freeze.  In my case, with 512MB RAM, my Calibre Library folder needed to be only 13GB in size to cause the server to have a total hardware freeze.
The package proftpd-mod-vroot 0.9.4-1 might also have memory leaks in it, which I also have installed.

These memory leaks have been known about for a long time, but it seems I'm the first one to point out that it constitutes a DOS attack.

I believe these memory leaks got fixed in proftpd 1.3.5d:
https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713
...however the version of proftpd in Debian stable is currently 1.3.5b-4.

Please also see here for more details, which is where this DOS attack was first discovered and announced publicly by me:
https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment&comment=73069

Note: downstream of proftpd is the OpenMediaVault project.  I'm an OpenMediaVault user, that's how I ran into this being a DOS.

-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armhf

Kernel: Linux 4.19.20-sunxi64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages proftpd-basic depends on:
ii  adduser            3.115
ii  debianutils        4.8.1.1
ii  libacl1            2.2.52-3+b1
ii  libc6              2.24-11+deb9u4
ii  libcap2            1:2.25-1
ii  libmemcached11     1.0.18-4.1
ii  libmemcachedutil2  1.0.18-4.1
ii  libncurses5        6.0+20161126-1+deb9u2
ii  libpam-runtime     1.1.8-3.6
ii  libpam0g           1.1.8-3.6
ii  libpcre3           2:8.39-3
ii  libssl1.0.2        1.0.2q-1~deb9u1
ii  libtinfo5          6.0+20161126-1+deb9u2
ii  libwrap0           7.6.q-26
ii  lsb-base           9.20161125
ii  netbase            5.4
ii  sed                4.4-1
ii  ucf                3.0036
ii  zlib1g             1:1.2.8.dfsg-5

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
pn  openbsd-inetd | inet-superserver  <none>
ii  openssl                           1.1.0j-1~deb9u1
pn  proftpd-doc                       <none>
pn  proftpd-mod-geoip                 <none>
pn  proftpd-mod-ldap                  <none>
pn  proftpd-mod-mysql                 <none>
pn  proftpd-mod-odbc                  <none>
pn  proftpd-mod-pgsql                 <none>
pn  proftpd-mod-sqlite                <none>

-- no debconf information

More information about the Pkg-proftpd-maintainers mailing list