[Git][debian-proftpd-team/proftpd][master] Add patch for Bug 4405.
Hilmar Preuße
gitlab at salsa.debian.org
Tue Aug 11 23:34:23 BST 2020
Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd
Commits:
da88958d by Hilmar Preusse at 2020-08-12T00:33:58+02:00
Add patch for Bug 4405.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/3c73f39f0db6724db597646eb6e476278f76edf5.diff
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -8,6 +8,9 @@ proftpd-dfsg (1.3.7a-2) UNRELEASED; urgency=medium
- upstream_1061: While investigating some reported issues with
Ed25519 keys and mod_sftp, I reproduced one segfault when verifying
such keys during publickey authentication.
+ - 3c73f39f0db6724db597646eb6e476278f76edf5.diff
+ Bug 4405 - Memory use-after-free in mod_sftp causes unexpected
+ login/authentication issues.
* Add patch from Andreas Trottmann <andreas.trottmann at werft22.com> to
reintroduce "SQLAUthTypes Backend" with MySQL database
=====================================
debian/patches/3c73f39f0db6724db597646eb6e476278f76edf5.diff
=====================================
@@ -0,0 +1,163 @@
+From 3c73f39f0db6724db597646eb6e476278f76edf5 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Sat, 8 Aug 2020 09:18:58 -0700
+Subject: [PATCH] Bug #4405: Allocate the algorithm name strings for ciphers,
+ MACs out of pools other than the KEX pool, as the strings have different
+ lifetimes.
+
+---
+ contrib/mod_sftp/cipher.c | 35 +++++++++++++++++++++++++++++------
+ contrib/mod_sftp/mac.c | 37 ++++++++++++++++++++++++++++++-------
+ 2 files changed, 59 insertions(+), 13 deletions(-)
+
+diff --git a/contrib/mod_sftp/cipher.c b/contrib/mod_sftp/cipher.c
+index c3b51efe2..77c79e067 100644
+--- a/contrib/mod_sftp/cipher.c
++++ b/contrib/mod_sftp/cipher.c
+@@ -32,6 +32,7 @@
+ #include "interop.h"
+
+ struct sftp_cipher {
++ pool *pool;
+ const char *algo;
+ const EVP_CIPHER *cipher;
+
+@@ -51,14 +52,14 @@ struct sftp_cipher {
+ */
+
+ static struct sftp_cipher read_ciphers[2] = {
+- { NULL, NULL, NULL, 0, NULL, 0, 0 },
+- { NULL, NULL, NULL, 0, NULL, 0, 0 }
++ { NULL, NULL, NULL, NULL, 0, NULL, 0, 0 },
++ { NULL, NULL, NULL, NULL, 0, NULL, 0, 0 }
+ };
+ static EVP_CIPHER_CTX *read_ctxs[2];
+
+ static struct sftp_cipher write_ciphers[2] = {
+- { NULL, NULL, NULL, 0, NULL, 0, 0 },
+- { NULL, NULL, NULL, 0, NULL, 0, 0 }
++ { NULL, NULL, NULL, NULL, 0, NULL, 0, 0 },
++ { NULL, NULL, NULL, NULL, 0, NULL, 0, 0 }
+ };
+ static EVP_CIPHER_CTX *write_ctxs[2];
+
+@@ -387,7 +388,18 @@ int sftp_cipher_set_read_algo(const char *algo) {
+ (unsigned long) discard_len);
+ }
+
+- read_ciphers[idx].algo = algo;
++ /* Note that we use a new pool, each time the algorithm is set (which
++ * happens during key exchange) to prevent undue memory growth for
++ * long-lived sessions with many rekeys.
++ */
++ if (read_ciphers[idx].pool != NULL) {
++ destroy_pool(read_ciphers[idx].pool);
++ }
++
++ read_ciphers[idx].pool = make_sub_pool(sftp_pool);
++ pr_pool_tag(read_ciphers[idx].pool, "SFTP cipher read pool");
++ read_ciphers[idx].algo = pstrdup(read_ciphers[idx].pool, algo);
++
+ read_ciphers[idx].key_len = (uint32_t) key_len;
+ read_ciphers[idx].discard_len = discard_len;
+ return 0;
+@@ -586,7 +598,18 @@ int sftp_cipher_set_write_algo(const char *algo) {
+ (unsigned long) discard_len);
+ }
+
+- write_ciphers[idx].algo = algo;
++ /* Note that we use a new pool, each time the algorithm is set (which
++ * happens during key exchange) to prevent undue memory growth for
++ * long-lived sessions with many rekeys.
++ */
++ if (write_ciphers[idx].pool != NULL) {
++ destroy_pool(write_ciphers[idx].pool);
++ }
++
++ write_ciphers[idx].pool = make_sub_pool(sftp_pool);
++ pr_pool_tag(write_ciphers[idx].pool, "SFTP cipher write pool");
++ write_ciphers[idx].algo = pstrdup(write_ciphers[idx].pool, algo);
++
+ write_ciphers[idx].key_len = (uint32_t) key_len;
+ write_ciphers[idx].discard_len = discard_len;
+ return 0;
+diff --git a/contrib/mod_sftp/mac.c b/contrib/mod_sftp/mac.c
+index d78e1e775..d5e1ef505 100644
+--- a/contrib/mod_sftp/mac.c
++++ b/contrib/mod_sftp/mac.c
+@@ -1,6 +1,6 @@
+ /*
+ * ProFTPD - mod_sftp MACs
+- * Copyright (c) 2008-2017 TJ Saunders
++ * Copyright (c) 2008-2020 TJ Saunders
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -34,6 +34,7 @@
+ #include "umac.h"
+
+ struct sftp_mac {
++ pool *pool;
+ const char *algo;
+ int algo_type;
+
+@@ -64,15 +65,15 @@ struct sftp_mac {
+ */
+
+ static struct sftp_mac read_macs[] = {
+- { NULL, 0, NULL, NULL, 0 },
+- { NULL, 0, NULL, NULL, 0 }
++ { NULL, NULL, 0, NULL, NULL, 0, 0, 0 },
++ { NULL, NULL, 0, NULL, NULL, 0, 0, 0 }
+ };
+ static HMAC_CTX *hmac_read_ctxs[2];
+ static struct umac_ctx *umac_read_ctxs[2];
+
+ static struct sftp_mac write_macs[] = {
+- { NULL, 0, NULL, NULL, 0 },
+- { NULL, 0, NULL, NULL, 0 }
++ { NULL, NULL, 0, NULL, NULL, 0, 0, 0 },
++ { NULL, NULL, 0, NULL, NULL, 0, 0, 0 }
+ };
+ static HMAC_CTX *hmac_write_ctxs[2];
+ static struct umac_ctx *umac_write_ctxs[2];
+@@ -687,7 +688,18 @@ int sftp_mac_set_read_algo(const char *algo) {
+ return -1;
+ }
+
+- read_macs[idx].algo = algo;
++ /* Note that we use a new pool, each time the algorithm is set (which
++ * happens during key exchange) to prevent undue memory growth for
++ * long-lived sessions with many rekeys.
++ */
++ if (read_macs[idx].pool != NULL) {
++ destroy_pool(read_macs[idx].pool);
++ }
++
++ read_macs[idx].pool = make_sub_pool(sftp_pool);
++ pr_pool_tag(read_macs[idx].pool, "SFTP MAC read pool");
++ read_macs[idx].algo = pstrdup(read_macs[idx].pool, algo);
++
+ if (strncmp(read_macs[idx].algo, "umac-64 at openssh.com", 12) == 0) {
+ read_macs[idx].algo_type = SFTP_MAC_ALGO_TYPE_UMAC64;
+ umac_read_ctxs[idx] = umac_alloc();
+@@ -820,7 +832,18 @@ int sftp_mac_set_write_algo(const char *algo) {
+ return -1;
+ }
+
+- write_macs[idx].algo = algo;
++ /* Note that we use a new pool, each time the algorithm is set (which
++ * happens during key exchange) to prevent undue memory growth for
++ * long-lived sessions with many rekeys.
++ */
++ if (write_macs[idx].pool != NULL) {
++ destroy_pool(write_macs[idx].pool);
++ }
++
++ write_macs[idx].pool = make_sub_pool(sftp_pool);
++ pr_pool_tag(write_macs[idx].pool, "SFTP MAC write pool");
++ write_macs[idx].algo = pstrdup(write_macs[idx].pool, algo);
++
+ if (strncmp(write_macs[idx].algo, "umac-64 at openssh.com", 12) == 0) {
+ write_macs[idx].algo_type = SFTP_MAC_ALGO_TYPE_UMAC64;
+ umac_write_ctxs[idx] = umac_alloc();
=====================================
debian/patches/series
=====================================
@@ -14,3 +14,4 @@ proftpd-mysql-password-backend.diff
upstream_1063
upstream_1070
upstream_1061
+3c73f39f0db6724db597646eb6e476278f76edf5.diff
View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commit/da88958dafe304e49f1a7cd5b7e72f4db0fa1c12
--
View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commit/da88958dafe304e49f1a7cd5b7e72f4db0fa1c12
You're receiving this email because of your account on salsa.debian.org.
More information about the Pkg-proftpd-maintainers
mailing list