Bug#923926: proftpd-basic: proftpd 1.3.5b has memory leaks, allows Denial-Of-Service attack
Subharo Bhikkhu
esbeeb at tuta.io
Thu Mar 7 10:26:05 GMT 2019
Package: proftpd-basic
Version: 1.3.5b-4
Severity: grave
Tags: security
Justification: renders package unusable
Dear Maintainer,
Debian Security has been notified.
The proftpd in Debian stable has memory leaks in it. A malicious user, who has a valid username and password for the SSL-enabled proftpd server (even if just an anonymous user, if allowed), merely needs to upload a "Calibre Library" folder, containing a bunch of small ebooks, large enough to cause the server to freeze. In my case, with 512MB RAM, my Calibre Library folder needed to be only 13GB in size to cause the server to have a total hardware freeze.
The package proftpd-mod-vroot 0.9.4-1 might also have memory leaks in it, which I also have installed.
These memory leaks have been known about for a long time, but it seems I'm the first one to point out that it constitutes a DOS attack.
I believe these memory leaks got fixed in proftpd 1.3.5d:
https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713
...however the version of proftpd in Debian stable is currently 1.3.5b-4.
Please also see here for more details, which is where this DOS attack was first discovered and announced publicly by me:
https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment&comment=73069
Note: downstream of proftpd is the OpenMediaVault project. I'm an OpenMediaVault user, that's how I ran into this being a DOS.
-- System Information:
Debian Release: 9.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armhf
Kernel: Linux 4.19.20-sunxi64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages proftpd-basic depends on:
ii adduser 3.115
ii debianutils 4.8.1.1
ii libacl1 2.2.52-3+b1
ii libc6 2.24-11+deb9u4
ii libcap2 1:2.25-1
ii libmemcached11 1.0.18-4.1
ii libmemcachedutil2 1.0.18-4.1
ii libncurses5 6.0+20161126-1+deb9u2
ii libpam-runtime 1.1.8-3.6
ii libpam0g 1.1.8-3.6
ii libpcre3 2:8.39-3
ii libssl1.0.2 1.0.2q-1~deb9u1
ii libtinfo5 6.0+20161126-1+deb9u2
ii libwrap0 7.6.q-26
ii lsb-base 9.20161125
ii netbase 5.4
ii sed 4.4-1
ii ucf 3.0036
ii zlib1g 1:1.2.8.dfsg-5
proftpd-basic recommends no packages.
Versions of packages proftpd-basic suggests:
pn openbsd-inetd | inet-superserver <none>
ii openssl 1.1.0j-1~deb9u1
pn proftpd-doc <none>
pn proftpd-mod-geoip <none>
pn proftpd-mod-ldap <none>
pn proftpd-mod-mysql <none>
pn proftpd-mod-odbc <none>
pn proftpd-mod-pgsql <none>
pn proftpd-mod-sqlite <none>
-- no debconf information
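Added example, not part of this bug report or of the proftpd project: a small Python harness for checking whether an FTPS server's resident memory keeps growing with every upload (the leak pattern described above) or plateaus as it should, which is the measurement to take before and after upgrading the package. The host, account, 4 kB constructed upload files and the lookup of proftpd processes by command line in /proc are all assumptions of the example; the regression helper is the part that runs offline.

```python
"""Measure per-upload memory growth of an FTPS server.

Hypothetical harness: server host/credentials are placeholders, uploads are
constructed 4 kB files, and proftpd's per-session child processes are found
by scanning /proc for a cmdline containing "proftpd" (Linux only).
"""
import io
import os
import ssl
import sys
from ftplib import FTP_TLS
from typing import List, Sequence, Tuple

Sample = Tuple[int, int]  # (uploads completed so far, total RSS in kB)


def leak_rate_kb_per_upload(samples: Sequence[Sample]) -> float:
    """Least-squares slope of RSS against upload count, in kB per upload.

    A slope near zero means RSS plateaus (normal); a sustained positive
    slope over hundreds of uploads is what a leak looks like.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    if sxx == 0:
        raise ValueError("all samples have the same upload count")
    return sxy / sxx


def uploads_until_exhaustion(slope_kb: float, baseline_kb: int, limit_kb: int) -> int:
    """Uploads remaining before RSS reaches limit_kb at this slope.

    Returns -1 when the slope is not positive (no exhaustion predicted).
    """
    if slope_kb <= 0:
        return -1
    return int((limit_kb - baseline_kb) / slope_kb)


def rss_kb(pid: int) -> int:
    """Resident set size of a Linux process from /proc/<pid>/status."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("VmRSS:"):
                return int(line.split()[1])
    raise RuntimeError(f"no VmRSS for pid {pid}")


def find_pids(name: str) -> List[int]:
    """PIDs whose /proc/<pid>/cmdline contains `name` (assumption: Linux)."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                if name.encode() in f.read():
                    pids.append(int(entry))
        except OSError:
            continue
    return pids


def run_live(host: str, user: str, password: str, count: int, every: int = 50) -> float:
    """Upload `count` constructed 4 kB files over explicit FTPS (TLS on the
    data channel too, as in the report) and sample total proftpd RSS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # lab server with a self-signed cert (assumption)
    ctx.verify_mode = ssl.CERT_NONE
    ftps = FTP_TLS(host, context=ctx)
    ftps.login(user, password)
    ftps.prot_p()  # PROT P: encrypt the data connection
    samples: List[Sample] = []
    for i in range(count):
        ftps.storbinary(f"STOR leaktest_{i:04d}.bin", io.BytesIO(b"\0" * 4096))
        if i % every == 0:
            samples.append((i, sum(rss_kb(p) for p in find_pids("proftpd"))))
    ftps.quit()
    return leak_rate_kb_per_upload(samples)


if __name__ == "__main__":
    # usage: python leakcheck.py HOST USER PASSWORD [COUNT]
    host, user, password = sys.argv[1:4]
    count = int(sys.argv[4]) if len(sys.argv) > 4 else 500
    slope = run_live(host, user, password, count)
    print(f"RSS growth: {slope:.1f} kB per upload")
```

Run it against a test server, not production: a few hundred uploads are enough to see whether the slope is flat, and the same slope times the size of a real upload set gives a rough estimate of how much memory that set would consume.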