[Git][debian-proftpd-team/proftpd][buster] add bug_846_CVE-2019-18217.patch :-(...

Hilmar Preuße gitlab at salsa.debian.org
Wed Nov 6 08:16:33 GMT 2019



Hilmar Preuße pushed to branch buster at Debian ProFTPD Team / proftpd


Commits:
0c9e046e by Hilmar Preuße at 2019-11-06T08:16:14Z
add bug_846_CVE-2019-18217.patch :-(...

- - - - -


1 changed file:

- + debian/patches/bug_846_CVE-2019-18217.patch


Changes:

=====================================
debian/patches/bug_846_CVE-2019-18217.patch
=====================================
@@ -0,0 +1,60 @@
+From 13fe9462787b9a551152162f46f1641d65fe4df4 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Sat, 19 Oct 2019 12:37:56 -0700
+Subject: [PATCH] Issue #846: Handle the case where a client tries to send
+ too-large commands in an effort to DoS the server.
+
+---
+ src/main.c  | 10 +++++++++-
+ src/netio.c |  3 ++-
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+Index: proftpd-dfsg-1.3.6/src/main.c
+===================================================================
+--- proftpd-dfsg-1.3.6.orig/src/main.c
++++ proftpd-dfsg-1.3.6/src/main.c
+@@ -462,6 +462,7 @@ int pr_cmd_read(cmd_rec **res) {
+   static long cmd_bufsz = -1;
+   static char *cmd_buf = NULL;
+   int cmd_buflen;
++  unsigned int too_large_count = 0;
+   char *ptr;
+ 
+   if (res == NULL) {
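Review bot: too_large_count is a plain (non-static) local initialised to 0 on every pr_cmd_read() call, so the cap only bounds consecutive oversized commands within a single read loop; a client that sends one valid command between every three oversized ones never reaches it. If that scope is intended, say so in a comment next to the declaration; if a per-session cap is wanted, the counter would need to be static like cmd_bufsz above it, or live in session state.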
+@@ -487,8 +488,15 @@ int pr_cmd_read(cmd_rec **res) {
+     if (cmd_buflen < 0) {
+       if (errno == E2BIG) {
+         /* The client sent a too-long command which was ignored; give
+-         * them another chance?
++         * them a few more chances, with minor delays?
+          */
++        too_large_count++;
++        pr_timer_usleep(250 * 1000);
++
++        if (too_large_count > 3) {
++          return -1;
++        }
++
+         continue;
+       }
+ 
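Review bot: the 250 ms sleep runs before the `too_large_count > 3` check, so the fourth oversized command still pays the delay and only then returns -1; checking first and sleeping only on the `continue` path makes the disconnect immediate. The `return -1` also leaves errno at whatever pr_timer_usleep() last set rather than an explicit value, so a caller that reports errno after pr_cmd_read() fails may log a stale code; set errno before returning. Finally, 3 and `250 * 1000` are magic numbers and the disconnect is silent: a named limit with a short rationale in the comment, plus a log line when the cap is hit, would let operators see why a session ended.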
+Index: proftpd-dfsg-1.3.6/src/netio.c
+===================================================================
+--- proftpd-dfsg-1.3.6.orig/src/netio.c
++++ proftpd-dfsg-1.3.6/src/netio.c
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - FTP server daemon
+- * Copyright (c) 2001-2016 The ProFTPD Project team
++ * Copyright (c) 2001-2019 The ProFTPD Project team
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
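Review bot: this hunk only bumps the copyright year and carries no functional change; for a security backport it can be dropped so the Debian patch applies cleanly regardless of what year the packaged netio.c header already carries.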
+@@ -1446,6 +1446,7 @@ int pr_netio_read(pr_netio_stream_t *nst
+       }
+ 
+       nstrm->strm_errno = 0;
++      errno = EOF;
+       break;
+     }
+ 
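Review bot: EOF is the stdio end-of-file constant (-1), not an errno code, so `errno = EOF` will make any error path that formats errno with strerror() report "Unknown error -1", and the line just above sets `nstrm->strm_errno = 0`, so the stream-level and global error values now disagree on this path. If the intent is to stop a caller such as the main.c loop, which retries only on `errno == E2BIG`, from acting on a stale E2BIG once the stream has hit end-of-file, a comment saying so here would help the next reader; a real errno value or a dedicated stream flag would avoid overloading errno with a non-errno constant.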



View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/commit/0c9e046e1d5994b30abe83770ef47099f08cc418

-- 
You're receiving this email because of your account on salsa.debian.org.
