[Git][debian-proftpd-team/proftpd][stretch] Update for 1.3.5b-4+deb9u5.
Hilmar Preuße
gitlab at salsa.debian.org
Thu Mar 12 14:23:49 GMT 2020
Hilmar Preuße pushed to branch stretch at Debian ProFTPD Team / proftpd
Commits:
816a1961 by Hilmar Preusse at 2020-03-12T15:22:17+01:00
Update for 1.3.5b-4+deb9u5.
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/Issue-903-Ensure-that-we-do-not-reuse-already-destro.patch
- + debian/patches/Issue-903-We-want-to-remove-the-data-transfer-comman.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,4 +1,4 @@
-proftpd-dfsg (1.3.5b-4+deb9u4) UNRELEASED; urgency=medium
+proftpd-dfsg (1.3.5b-4+deb9u5) UNRELEASED; urgency=medium
* Add patch from upstream to solve bug4385. (Closes: #949622).
* Disable call to /usr/share/debconf/confmodule. Causes hangs during
@@ -7,6 +7,16 @@ proftpd-dfsg (1.3.5b-4+deb9u4) UNRELEASED; urgency=medium
-- Hilmar Preusse <hille42 at web.de> Thu, 13 Feb 2020 15:39:08 +0100
+proftpd-dfsg (1.3.5b-4+deb9u4) stretch-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Ensure that we do not reuse already-destroyed memory pools during data
+ transfers (CVE-2020-9273) (Closes: #951800)
+ * Clear the data-transfer instigating command pool but keep a memory pool.
+ Fixes regression in the %{transfer-status} LogFormat functionality.
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Tue, 25 Feb 2020 22:43:05 +0100
+
proftpd-dfsg (1.3.5b-4+deb9u3) stretch; urgency=medium
* Cherry pick patch from upstream:
=====================================
debian/patches/Issue-903-Ensure-that-we-do-not-reuse-already-destro.patch
=====================================
@@ -0,0 +1,183 @@
+From: TJ Saunders <tj at castaglia.org>
+Date: Tue, 18 Feb 2020 09:48:18 -0800
+Subject: Issue #903: Ensure that we do not reuse already-destroyed memory
+ pools during data transfers.
+Origin: https://github.com/proftpd/proftpd/commit/e845abc1bd86eebec7a0342fded908a1b0f1996b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-9273
+Bug-Debian: https://bugs.debian.org/951800
+Bug: https://github.com/proftpd/proftpd/issues/903
+
+[Salvatore Bonaccorso: Drop copyright header year update changes hunks, refresh
+for context changes for backport to 1.3.5b]
+---
+ src/data.c | 27 ++++++++++++++++++++-------
+ src/main.c | 6 ++++--
+ src/response.c | 12 ++++++++++++
+ tests/api/data.c | 2 +-
+ tests/api/response.c | 10 ++++++++++
+ 5 files changed, 47 insertions(+), 10 deletions(-)
+
+--- a/src/data.c
++++ b/src/data.c
+@@ -747,7 +747,7 @@ void pr_data_close(int quiet) {
+ */
+ void pr_data_cleanup(void) {
+ /* sanity check */
+- if (session.d) {
++ if (session.d != NULL) {
+ pr_inet_lingering_close(session.pool, session.d, timeout_linger);
+ session.d = NULL;
+ }
+@@ -769,7 +769,7 @@ void pr_data_abort(int err, int quiet) {
+ int true_abort = XFER_ABORTED;
+ nstrm = NULL;
+
+- if (session.d) {
++ if (session.d != NULL) {
+ if (true_abort == FALSE) {
+ pr_inet_lingering_close(session.pool, session.d, timeout_linger);
+
+@@ -951,6 +951,11 @@ void pr_data_abort(int err, int quiet) {
+ if (true_abort == FALSE) {
+ pr_response_add_err(respcode, _("Transfer aborted. %s"), msg ? msg : "");
+ }
++
++ /* Forcibly clear the data-transfer instigating command pool from the
++ * Response API.
++ */
++ pr_response_set_pool(NULL);
+ }
+
+ if (true_abort) {
+@@ -991,6 +996,7 @@ int pr_data_xfer(char *cl_buf, size_t cl
+ res = pr_cmd_read(&cmd);
+ if (res < 0) {
+ int xerrno;
++
+ #if defined(ECONNABORTED)
+ xerrno = ECONNABORTED;
+ #elif defined(ENOTCONN)
+@@ -1058,8 +1064,8 @@ int pr_data_xfer(char *cl_buf, size_t cl
+
+ pr_response_flush(&resp_err_list);
+
+- destroy_pool(cmd->pool);
+ pr_response_set_pool(resp_pool);
++ destroy_pool(cmd->pool);
+
+ /* We don't want to actually dispatch the NOOP command, since that
+ * would overwrite the scoreboard with the NOOP state; admins probably
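Review bot: The reordering of `pr_response_set_pool(resp_pool)` ahead of `destroy_pool(cmd->pool)`, here and in the `@@ -1084` hunk that follows, has no comment explaining that the order matters, so a later cleanup could swap the two calls back. Before the change the pool was destroyed while the Response API presumably still referred to it, which matches the "reuse already-destroyed memory pools" wording in the patch subject. I would add above each pair: `/* Restore the Response API pool before destroying cmd->pool, so it never refers to a destroyed pool. */`. pr_data_xfer's body starts and ends outside the hunk.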
+@@ -1084,13 +1090,14 @@ int pr_data_xfer(char *cl_buf, size_t cl
+
+ pr_response_flush(&resp_list);
+
+- destroy_pool(cmd->pool);
+ pr_response_set_pool(resp_pool);
++ destroy_pool(cmd->pool);
+
+ } else {
+ char *title_buf = NULL;
+- int title_len = -1;
+- const char *sce_cmd = NULL, *sce_cmd_arg = NULL;
++ int curr_cmd_id = 0, title_len = -1;
++ const char *curr_cmd = NULL, *sce_cmd = NULL, *sce_cmd_arg = NULL;
++ cmd_rec *curr_cmd_rec = NULL;
+
+ pr_trace_msg(trace_channel, 5,
+ "client sent '%s' command during data transfer, dispatching",
+@@ -1102,6 +1109,9 @@ int pr_data_xfer(char *cl_buf, size_t cl
+ pr_proctitle_get(title_buf, title_len + 1);
+ }
+
++ curr_cmd = session.curr_cmd;
++ curr_cmd_id = session.curr_cmd_id;
++ curr_cmd_rec = session.curr_cmd_rec;
+ sce_cmd = pr_scoreboard_entry_get(PR_SCORE_CMD);
+ sce_cmd_arg = pr_scoreboard_entry_get(PR_SCORE_CMD_ARG);
+
+@@ -1117,6 +1127,9 @@ int pr_data_xfer(char *cl_buf, size_t cl
+ }
+
+ destroy_pool(cmd->pool);
++ session.curr_cmd = curr_cmd;
++ session.curr_cmd_id = curr_cmd_id;
++ session.curr_cmd_rec = curr_cmd_rec;
+ }
+
+ } else {
+--- a/src/main.c
++++ b/src/main.c
+@@ -846,8 +846,7 @@ static void cmd_loop(server_rec *server,
+ pr_timer_reset(PR_TIMER_IDLE, ANY_MODULE);
+ }
+
+- if (cmd) {
+-
++ if (cmd != NULL) {
+ /* Detect known commands for other protocols; if found, drop the
+ * connection, lest we be used as part of an attack on a different
+ * protocol server (Bug#4143).
+@@ -863,6 +862,9 @@ static void cmd_loop(server_rec *server,
+
+ pr_cmd_dispatch(cmd);
+ destroy_pool(cmd->pool);
++ session.curr_cmd = NULL;
++ session.curr_cmd_id = 0;
++ session.curr_cmd_rec = NULL;
+
+ } else {
+ pr_event_generate("core.invalid-command", NULL);
+--- a/src/response.c
++++ b/src/response.c
+@@ -200,6 +200,12 @@ void pr_response_add_err(const char *num
+ pr_response_t *resp = NULL, **head = NULL;
+ va_list msg;
+
++ if (resp_pool == NULL) {
++ pr_trace_msg(trace_channel, 1,
++ "no response pool set, ignoring added %s error response", numeric);
++ return;
++ }
++
+ va_start(msg, fmt);
+ vsnprintf(resp_buf, sizeof(resp_buf), fmt, msg);
+ va_end(msg);
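Review bot: With this guard, `pr_response_add_err` (and `pr_response_add` in the next hunk) discards the response when no pool is set, and the only record of that is a level-1 `pr_trace_msg`. Both functions return void, so a caller cannot tell that nothing was queued. The second patch in this same commit switches pr_data_abort from `NULL` to `session.pool` because the NULL pool regressed `%{transfer-status}`, so the drop is observable in practice. The contract should at least be stated in each function's header comment, e.g. `/* If no response pool is set, the response is dropped and only traced. */`.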
+@@ -245,6 +251,12 @@ void pr_response_add(const char *numeric
+ pr_response_t *resp = NULL, **head = NULL;
+ va_list msg;
+
++ if (resp_pool == NULL) {
++ pr_trace_msg(trace_channel, 1,
++ "no response pool set, ignoring added %s response", numeric);
++ return;
++ }
++
+ va_start(msg, fmt);
+ vsnprintf(resp_buf, sizeof(resp_buf), fmt, msg);
+ va_end(msg);
+--- a/tests/api/response.c
++++ b/tests/api/response.c
+@@ -65,6 +65,11 @@ START_TEST (response_add_test) {
+ char *last_resp_code = NULL, *last_resp_msg = NULL;
+ char *resp_code = R_200, *resp_msg = "OK";
+
++ pr_response_set_pool(NULL);
++
++ mark_point();
++ pr_response_add(resp_code, "%s", resp_msg);
++
+ pr_response_set_pool(p);
+ pr_response_add(resp_code, "%s", resp_msg);
+
+@@ -87,6 +92,11 @@ START_TEST (response_add_err_test) {
+ char *last_resp_code = NULL, *last_resp_msg = NULL;
+ char *resp_code = R_450, *resp_msg = "Busy";
+
++ pr_response_set_pool(NULL);
++
++ mark_point();
++ pr_response_add(resp_code, "%s", resp_msg);
++
+ pr_response_set_pool(p);
+ pr_response_add_err(resp_code, "%s", resp_msg);
+
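Review bot: In `response_add_err_test` the added NULL-pool case calls `pr_response_add`, not `pr_response_add_err`, so the new guard in `pr_response_add_err` is not exercised by the tests in this patch. The line after `mark_point();` should read `pr_response_add_err(resp_code, "%s", resp_msg);`. In both tests the NULL-pool call is only checked for not crashing, as far as the hunk shows; asserting that no response was recorded would pin the behaviour the guard is meant to provide. Both test bodies continue outside their hunks.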
=====================================
debian/patches/Issue-903-We-want-to-remove-the-data-transfer-comman.patch
=====================================
@@ -0,0 +1,26 @@
+From: TJ Saunders <tj at castaglia.org>
+Date: Sat, 22 Feb 2020 09:40:32 -0800
+Subject: Issue #903: We want to remove the data transfer command pool, but we
+ _do_ want some memory pool, lest we regress the %{transfer-status} LogFormat
+ functionality.
+Origin: https://github.com/proftpd/proftpd/commit/cd9036f4ef7a05c107f0ffcb19a018b20267c531
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-9273
+Bug: https://github.com/proftpd/proftpd/issues/903
+
+---
+ src/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: proftpd/src/data.c
+===================================================================
+--- proftpd.orig/src/data.c 2020-03-12 15:11:56.344000000 +0100
++++ proftpd/src/data.c 2020-03-12 15:11:56.340000000 +0100
+@@ -955,7 +955,7 @@
+ /* Forcibly clear the data-transfer instigating command pool from the
+ * Response API.
+ */
+- pr_response_set_pool(NULL);
++ pr_response_set_pool(session.pool);
+ }
+
+ if (true_abort) {
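Review bot: The comment kept above the changed call still says the command pool is forcibly cleared, but the new line installs `session.pool` rather than clearing anything, and nothing says why that pool was chosen. I would reword it to `/* Detach the Response API from the data-transfer command pool; use session.pool so %{transfer-status} logging still has a pool. */`. Responses added after this point are presumably allocated from `session.pool` and so live until the session ends; it is worth confirming that is acceptable for sessions with many aborted transfers. pr_data_abort's body extends outside the hunk.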
=====================================
debian/patches/series
=====================================
@@ -19,3 +19,5 @@ proftpd-1.3.5e-CVE-2019-12815.patch
bug_846_CVE-2019-18217.patch
upstream_861_CVE-2019-19269
kbdint-packets-bug4385.patch
+Issue-903-Ensure-that-we-do-not-reuse-already-destro.patch
+Issue-903-We-want-to-remove-the-data-transfer-comman.patch
View it on GitLab: https://salsa.debian.org/debian-proftpd-team/proftpd/-/commit/816a1961529c7e9b92da33510a58b77a53821dde