proftpd DoS / CVE-2019-18217

Hilmar Preuße hille42 at web.de
Thu Oct 24 17:30:07 BST 2019


On 21.10.2019 at 15:27, Moritz Muehlenhoff wrote:

Hi Moritz,

> https://github.com/proftpd/proftpd/issues/846 got assigned CVE-2019-18217 and sounds like
> something we should release a DSA for.
>
> The upstream fix is https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4,
> could you prepare updated packages for stretch-security and buster-security?
>
Attached is a debdiff for stretch and buster. I built new packages based
on these diffs and gave them a few tests (install, run, connect, uploading
and downloading files). Unfortunately I can't really test if that patch
really solves the issue. However, as it does not really differ from the
upstream patch, I guess it does.

Do you want me to provide the source packages?

Regards,
  Hilmar
--
sigfault
#206401 http://counter.li.org
-------------- next part --------------
diff -Nru proftpd-dfsg-1.3.5b/debian/changelog proftpd-dfsg-1.3.5b/debian/changelog
--- proftpd-dfsg-1.3.5b/debian/changelog	2019-08-01 11:34:23.000000000 +0200
+++ proftpd-dfsg-1.3.5b/debian/changelog	2019-10-23 23:34:50.000000000 +0200
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.5b-4+deb9u2) stretch-security; urgency=high
+
+  * Add patch from upstream to address CVE-2019-18217.
+    (Closes: #942831)
+
+ -- Hilmar Preusse <hille42 at web.de>  Wed, 23 Oct 2019 23:34:50 +0200
+
 proftpd-dfsg (1.3.5b-4+deb9u1) stretch-security; urgency=high
 
   * proftpd-1.3.5e-CVE-2019-12815.patch by Paul Howarth <paul at city-fan.org>
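Review bot: urgency=high here, but the otherwise identical buster entry further down uses urgency=medium; both uploads fix the same CVE and should carry the same urgency (the earlier deb9u1/deb10u1 entries show the same split, so pick one and use it for both). The entry would also be more useful to someone reading the changelog if it named the issue, e.g. "Add patch from upstream to address CVE-2019-18217 (DoS via too-large commands, upstream issue #846)", since the CVE number alone says nothing about the impact.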
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/bug_846_CVE-2019-18217.patch proftpd-dfsg-1.3.5b/debian/patches/bug_846_CVE-2019-18217.patch
--- proftpd-dfsg-1.3.5b/debian/patches/bug_846_CVE-2019-18217.patch	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/bug_846_CVE-2019-18217.patch	2019-10-23 23:29:33.000000000 +0200
@@ -0,0 +1,49 @@
+Index: proftpd-dfsg-1.3.5b/src/main.c
+===================================================================
+--- proftpd-dfsg-1.3.5b.orig/src/main.c	2019-10-23 17:00:44.341753483 +0200
++++ proftpd-dfsg-1.3.5b/src/main.c	2019-10-23 23:29:21.246835997 +0200
+@@ -481,6 +481,7 @@
+   static char *cmd_buf = NULL;
+   char *cp;
+   size_t cmd_buflen;
++  unsigned int too_large_count = 0;
+ 
+   if (res == NULL) {
+     errno = EINVAL;
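Review bot: cmd_buflen is declared `size_t cmd_buflen;` in this 1.3.5b source, whereas the 1.3.6 version of the same hunk has `int cmd_buflen;` and guards the E2BIG branch with `if (cmd_buflen < 0)`. Since the upstream fix was written against the signed version, please confirm how the 1.3.5b read loop detects the failed read and reaches the `errno == E2BIG` branch with an unsigned length; if the surrounding code was adapted by hand for the backport, a comment in the patch header saying so (and what was changed) would help the next person who has to rebase it.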
+@@ -505,8 +506,15 @@
+ 
+       if (errno == E2BIG) {
+         /* The client sent a too-long command which was ignored; give
+-         * them another chance?
++         * them a few more chances, with minor delays?
+          */
++        too_large_count++;
++        pr_timer_usleep(250 * 1000);
++
++        if (too_large_count > 3) {
++          return -1;
++        }
++
+         continue;
+       }
+ 
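Review bot: too_large_count is a plain automatic variable, unlike the `static char *cmd_buf` it is declared next to, so it is reset to 0 on every pr_cmd_read() call. The `> 3` limit therefore applies only to consecutive oversized lines within one call; a client that interleaves three oversized commands with one valid one never trips it and keeps the 250 ms-per-attempt cost on the server side. If the intent is a per-session budget, make the counter `static` like cmd_buf, or move the decision to the caller. Also, `return -1` is reached with errno still set to E2BIG from the failed read, which is fine for the current caller but should be stated in the comment, and the "a few more chances" wording should say the limit is three so the constant and the comment stay in sync.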
+Index: proftpd-dfsg-1.3.5b/src/netio.c
+===================================================================
+--- proftpd-dfsg-1.3.5b.orig/src/netio.c	2019-10-23 17:00:44.341753483 +0200
++++ proftpd-dfsg-1.3.5b/src/netio.c	2019-10-23 23:29:21.250836013 +0200
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - FTP server daemon
+- * Copyright (c) 2001-2014 The ProFTPD Project team
++ * Copyright (c) 2001-2019 The ProFTPD Project team
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
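Review bot: this hunk only bumps the copyright year (2014 to 2019) and has no functional effect. A stable/security backport is usually kept to the functional change, so drop it from the Debian patch; it also differs from the 1.3.6 copy of the hunk only in the starting year, which confirms the patch was regenerated against the 1.3.5b tree rather than taken verbatim from the upstream commit.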
+@@ -1037,6 +1037,7 @@
+       }
+ 
+       nstrm->strm_errno = 0;
++      errno = EOF;
+       break;
+     }
+ 
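Review bot: `errno = EOF;` stores a stdio constant (a negative value, -1 on glibc) in errno, which is not an E* code. It works for the caller in main.c, which only tests `errno == E2BIG` and treats anything else as "stop reading", but any later strerror(errno) in a log line will print "Unknown error -1", and nothing in the hunk documents that EOF is being used as a sentinel for "peer closed the connection". Please add a comment stating that, or use a real errno value so the failure is self-describing.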
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/series proftpd-dfsg-1.3.5b/debian/patches/series
--- proftpd-dfsg-1.3.5b/debian/patches/series	2019-08-01 11:34:23.000000000 +0200
+++ proftpd-dfsg-1.3.5b/debian/patches/series	2019-10-23 23:24:27.000000000 +0200
@@ -16,3 +16,4 @@
 not_read_whole_passwd_db
 CVE-2017-7418
 proftpd-1.3.5e-CVE-2019-12815.patch
+bug_846_CVE-2019-18217.patch
-------------- next part --------------
diff -Nru proftpd-dfsg-1.3.6/debian/changelog proftpd-dfsg-1.3.6/debian/changelog
--- proftpd-dfsg-1.3.6/debian/changelog	2019-07-23 20:20:14.000000000 +0200
+++ proftpd-dfsg-1.3.6/debian/changelog	2019-10-23 16:22:38.000000000 +0200
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.6-4+deb10u2) buster-security; urgency=medium
+
+  * Add patch from upstream to address CVE-2019-18217.
+    (Closes: #942831)
+
+ -- Hilmar Preusse <hille42 at web.de>  Wed, 23 Oct 2019 16:22:38 +0200
+
 proftpd-dfsg (1.3.6-4+deb10u1) buster-security; urgency=medium
 
   * Add patch from upstream to address Bug#932453: CVE-2019-12815.
diff -Nru proftpd-dfsg-1.3.6/debian/patches/bug_846_CVE-2019-18217.patch proftpd-dfsg-1.3.6/debian/patches/bug_846_CVE-2019-18217.patch
--- proftpd-dfsg-1.3.6/debian/patches/bug_846_CVE-2019-18217.patch	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/patches/bug_846_CVE-2019-18217.patch	2019-10-22 20:08:47.000000000 +0200
@@ -0,0 +1,60 @@
+From 13fe9462787b9a551152162f46f1641d65fe4df4 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Sat, 19 Oct 2019 12:37:56 -0700
+Subject: [PATCH] Issue #846: Handle the case where a client tries to send
+ too-large commands in an effort to DoS the server.
+
+---
+ src/main.c  | 10 +++++++++-
+ src/netio.c |  3 ++-
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+Index: proftpd-dfsg-1.3.6/src/main.c
+===================================================================
+--- proftpd-dfsg-1.3.6.orig/src/main.c
++++ proftpd-dfsg-1.3.6/src/main.c
+@@ -462,6 +462,7 @@ int pr_cmd_read(cmd_rec **res) {
+   static long cmd_bufsz = -1;
+   static char *cmd_buf = NULL;
+   int cmd_buflen;
++  unsigned int too_large_count = 0;
+   char *ptr;
+ 
+   if (res == NULL) {
+@@ -487,8 +488,15 @@ int pr_cmd_read(cmd_rec **res) {
+     if (cmd_buflen < 0) {
+       if (errno == E2BIG) {
+         /* The client sent a too-long command which was ignored; give
+-         * them another chance?
++         * them a few more chances, with minor delays?
+          */
++        too_large_count++;
++        pr_timer_usleep(250 * 1000);
++
++        if (too_large_count > 3) {
++          return -1;
++        }
++
+         continue;
+       }
+ 
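Review bot: the sleep `pr_timer_usleep(250 * 1000);` runs before the limit is checked, so the fourth oversized command also pays the 250 ms delay immediately before the connection is dropped; reorder the check and the sleep if the delay is meant to throttle the surviving attempts only. More importantly, the disconnect is silent: nothing in this hunk records that a client was dropped for repeatedly sending too-large commands, so an operator investigating CVE-2019-18217 abuse has no log line to correlate with the client address. A log message at the `return -1;` would make the mitigation observable.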
+Index: proftpd-dfsg-1.3.6/src/netio.c
+===================================================================
+--- proftpd-dfsg-1.3.6.orig/src/netio.c
++++ proftpd-dfsg-1.3.6/src/netio.c
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - FTP server daemon
+- * Copyright (c) 2001-2016 The ProFTPD Project team
++ * Copyright (c) 2001-2019 The ProFTPD Project team
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -1446,6 +1446,7 @@ int pr_netio_read(pr_netio_stream_t *nst
+       }
+ 
+       nstrm->strm_errno = 0;
++      errno = EOF;
+       break;
+     }
+ 
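Review bot: `nstrm->strm_errno = 0;` immediately followed by `errno = EOF;` leaves the stream object recording "no error" while the global errno carries a non-errno sentinel, so code that consults nstrm->strm_errno rather than errno will not see the EOF condition. Either record the condition in strm_errno as well or comment why the stream state is intentionally left clean here; as written, the two lines look contradictory to a reader.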
diff -Nru proftpd-dfsg-1.3.6/debian/patches/series proftpd-dfsg-1.3.6/debian/patches/series
--- proftpd-dfsg-1.3.6/debian/patches/series	2019-07-23 20:20:14.000000000 +0200
+++ proftpd-dfsg-1.3.6/debian/patches/series	2019-10-22 20:07:39.000000000 +0200
@@ -18,3 +18,4 @@
 wrong-path-for-interpreter_perl.diff
 github_pr_594
 CVE-2019-12815.patch
+bug_846_CVE-2019-18217.patch

