[Git][debian-proftpd-team/proftpd][1.3.5b] CVE-2019-18217 for stretch

Hilmar Preuße gitlab at salsa.debian.org
Wed Oct 30 07:34:59 GMT 2019



Hilmar Preuße pushed to branch 1.3.5b at Debian ProFTPD Team / proftpd


Commits:
6db7763c by Hilmar Preusse at 2019-10-30T07:33:15Z
CVE-2019-18217 for stretch

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/bug_846_CVE-2019-18217.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.5b-4+deb9u2) stretch-security; urgency=high
+
+  * Add patch from upstream to address CVE-2019-18217.
+    (Closes: #942831)
+
+ -- Hilmar Preusse <hille42 at web.de>  Wed, 23 Oct 2019 23:34:50 +0200
+
 proftpd-dfsg (1.3.5b-4+deb9u1) stretch-security; urgency=high
 
   * proftpd-1.3.5e-CVE-2019-12815.patch by Paul Howarth <paul at city-fan.org>
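Review bot: the new changelog entry cites only the Debian bug (#942831) while the patch it adds is named bug_846_CVE-2019-18217.patch after the upstream issue; record the upstream bug number and the upstream commit the patch was taken from in this entry as well, so the provenance of the backport can be checked from the changelog alone.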


=====================================
debian/patches/bug_846_CVE-2019-18217.patch
=====================================
@@ -0,0 +1,49 @@
+Index: proftpd-dfsg-1.3.5b/src/main.c
+===================================================================
+--- proftpd-dfsg-1.3.5b.orig/src/main.c	2019-10-23 17:00:44.341753483 +0200
++++ proftpd-dfsg-1.3.5b/src/main.c	2019-10-23 23:29:21.246835997 +0200
+@@ -481,6 +481,7 @@
+   static char *cmd_buf = NULL;
+   char *cp;
+   size_t cmd_buflen;
++  unsigned int too_large_count = 0;
+ 
+   if (res == NULL) {
+     errno = EINVAL;
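Review bot: the new patch file starts directly at the `Index:` line with no DEP-3 header; add `Description:`, `Origin:` (the upstream commit URL), `Bug:` (upstream issue 846, which the filename already references) and `Bug-Debian: https://bugs.debian.org/942831` above it so the origin of the backport is recorded in the patch itself rather than only in the changelog. The counter itself is declared correctly: unlike `static char *cmd_buf` just above it, `unsigned int too_large_count = 0;` is an automatic variable, so it restarts at zero on every call and the limit applies to consecutive oversized lines within one read, which is what the second hunk depends on.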
+@@ -505,8 +506,15 @@
+ 
+       if (errno == E2BIG) {
+         /* The client sent a too-long command which was ignored; give
+-         * them another chance?
++         * them a few more chances, with minor delays?
+          */
++        too_large_count++;
++        pr_timer_usleep(250 * 1000);
++
++        if (too_large_count > 3) {
++          return -1;
++        }
++
+         continue;
+       }
+ 
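Review bot: the 250 ms `pr_timer_usleep()` runs before the `too_large_count > 3` check, so the fourth oversized command still pays the delay and then returns -1 anyway; move the check ahead of the sleep, or sleep only on the `continue` path, so the session is torn down as soon as the limit is reached. Two smaller points in the same hunk: `return -1` leaves errno at E2BIG from the test a few lines above, so a caller that inspects errno after the -1 sees "argument list too long" rather than an explicit give-up condition (set errno to a distinct value before returning, or note in a comment that the caller is expected to disconnect on any -1); and the rewritten comment still ends in a question mark ("give them a few more chances, with minor delays?") although the behaviour is now decided, so state it plainly, e.g. "Give them a few more chances, with minor delays, then disconnect."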
+Index: proftpd-dfsg-1.3.5b/src/netio.c
+===================================================================
+--- proftpd-dfsg-1.3.5b.orig/src/netio.c	2019-10-23 17:00:44.341753483 +0200
++++ proftpd-dfsg-1.3.5b/src/netio.c	2019-10-23 23:29:21.250836013 +0200
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - FTP server daemon
+- * Copyright (c) 2001-2014 The ProFTPD Project team
++ * Copyright (c) 2001-2019 The ProFTPD Project team
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
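Review bot: this hunk only changes the copyright year in the netio.c file header and has no bearing on CVE-2019-18217; drop it from the stretch backport so debian/patches/bug_846_CVE-2019-18217.patch contains nothing but the security fix, which keeps the patch minimal and easier to review and to rebase.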
+@@ -1037,6 +1037,7 @@
+       }
+ 
+       nstrm->strm_errno = 0;
++      errno = EOF;
+       break;
+     }
+ 
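Review bot: `errno = EOF;` stores -1 (EOF from <stdio.h>) into errno, which is not a valid errno value; any path that later calls strerror(errno) on it will report "Unknown error -1". The intent is sound: by setting errno at the point where the stream hits end-of-file (`nstrm->strm_errno = 0; break;`), a stale E2BIG from the previous oversized read no longer matches the `if (errno == E2BIG)` test in main.c, so the retry loop stops on a closed connection. Prefer a real errno value such as ECONNRESET or EPIPE here, or if EOF is meant as a deliberate out-of-band sentinel, add a comment at the assignment saying so and that callers must compare against EOF rather than pass errno to strerror().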


=====================================
debian/patches/series
=====================================
@@ -16,3 +16,4 @@ reproducible_build
 not_read_whole_passwd_db
 CVE-2017-7418
 proftpd-1.3.5e-CVE-2019-12815.patch
+bug_846_CVE-2019-18217.patch



View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/commit/6db7763c02f91a2e14ffc2c39a9b5c8c5c4f8afa
