[Git][debian-proftpd-team/proftpd][master] Apply post-release patches / CVE-2024-57392.
Hilmar Preuße (@hilmar)
hille42 at debian.org
Tue Mar 4 23:09:15 GMT 2025
Hilmar Preuße pushed to branch master at Debian ProFTPD Team / proftpd
Commits:
7c34cdf9 by Hilmar Preuße at 2025-03-04T22:53:36+01:00
Apply post-release patches / CVE-2024-57392.
- - - - -
5 changed files:
- debian/changelog
- + debian/patches/14c006b62c09d1efe302c57b2d183a489bcb22dc.diff
- + debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff
- + debian/patches/e7539bd772ca6e12d3e05fb56da274cf78ee1edf.diff
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.8.c+dfsg-2) unstable; urgency=medium
+
+ * Apply post-release patches (issue #1866)
+ CVE-2024-57392.
+
+ -- Hilmar Preuße <hille42 at debian.org> Tue, 04 Mar 2025 22:52:50 +0100
+
proftpd-dfsg (1.3.8.c+dfsg-1) unstable; urgency=medium
* New upstream patch release: refresh / disable patches.
=====================================
debian/patches/14c006b62c09d1efe302c57b2d183a489bcb22dc.diff
=====================================
@@ -0,0 +1,32 @@
+From 14c006b62c09d1efe302c57b2d183a489bcb22dc Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Thu, 12 Dec 2024 10:39:40 -0800
+Subject: [PATCH] The 1.3.8 branch doesn't have `session.user_homedir`.
+
+---
+ contrib/mod_sftp/auth.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/contrib/mod_sftp/auth.c b/contrib/mod_sftp/auth.c
+index c840bdc59..4015e9885 100644
+--- a/contrib/mod_sftp/auth.c
++++ b/contrib/mod_sftp/auth.c
+@@ -370,7 +370,6 @@ static int setup_env(pool *p, const char *user) {
+ }
+
+ session.user = pstrdup(p, pw->pw_name);
+- session.user_homedir = pstrdup(p, pw->pw_dir);
+ session.group = pstrdup(p, pr_auth_gid2name(p, pw->pw_gid));
+
+ session.login_uid = pw->pw_uid;
+@@ -687,10 +686,6 @@ static int setup_env(pool *p, const char *user) {
+
+ session.user = pstrdup(session.pool, session.user);
+
+- if (session.user_homedir != NULL) {
+- session.user_homedir = pstrdup(session.pool, session.user_homedir);
+- }
+-
+ if (session.group != NULL) {
+ session.group = pstrdup(session.pool, session.group);
+ }
=====================================
debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff
=====================================
@@ -0,0 +1,44 @@
+From 9b2b4a3e32d251798bf8fa841b124ab15ba58f11 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Sun, 9 Feb 2025 12:13:48 -0800
+Subject: [PATCH] Manually backporting some of the null pointer guards from
+ Issue #1866 to the 1.3.8 branch.
+
+---
+ modules/mod_ls.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/mod_ls.c b/modules/mod_ls.c
+index 5458ccc74d..980691b9d6 100644
+--- a/modules/mod_ls.c
++++ b/modules/mod_ls.c
+@@ -2,7 +2,7 @@
+ * ProFTPD - FTP server daemon
+ * Copyright (c) 1997, 1998 Public Flood Software
+ * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <macgyver at tos.net>
+- * Copyright (c) 2001-2022 The ProFTPD Project
++ * Copyright (c) 2001-2024 The ProFTPD Project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -360,7 +360,8 @@ static int sendline(int flags, char *fmt, ...) {
+ errno != 0) {
+ int xerrno = errno;
+
+- if (session.d != NULL) {
++ if (session.d != NULL &&
++ session.d->outstrm != NULL) {
+ xerrno = PR_NETIO_ERRNO(session.d->outstrm);
+ }
+
+@@ -1101,7 +1102,9 @@ static int outputfiles(cmd_rec *cmd) {
+ return res;
+ }
+
+- tail->down = NULL;
++ if (tail != NULL) {
++ tail->down = NULL;
++ }
+ tail = NULL;
+ colwidth = (colwidth | 7) + 1;
+ if (opt_l || !opt_C) {
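Review bot: The patch subject says only some of the Issue #1866 null-pointer guards are backported, while the changelog entry records CVE-2024-57392 as applied; neither the patch header nor debian/changelog states which guards were left out or why they do not apply to 1.3.8, so the fix claim is hard to audit against the upstream change. A line in the patch header such as `Backports the sendline()/outputfiles() guards; remaining #1866 hunks not applicable to 1.3.8 (reason: <fill in>)` would make that explicit. The guards themselves look right as written: `session.d->outstrm` is read only after the added `session.d->outstrm != NULL` test, and `tail->down` is written only when `tail` is non-NULL. Both sendline and outputfiles continue outside their hunks, so whether other dereferences of `tail` or `session.d` in those functions remain unguarded cannot be judged from here.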
=====================================
debian/patches/e7539bd772ca6e12d3e05fb56da274cf78ee1edf.diff
=====================================
@@ -0,0 +1,43 @@
+From e7539bd772ca6e12d3e05fb56da274cf78ee1edf Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj at castaglia.org>
+Date: Wed, 11 Dec 2024 15:55:16 -0800
+Subject: [PATCH] While investigating Issue #1855, I discovered a long-hidden
+ bug in mod_sftp, where the list of GIDs for the logged-in user was not being
+ appropriately copied out of the session pool.
+
+This was manifesting as a segfault in my local tests, when the `HideNoAccess` directive is in effect for an SFTP session.
+---
+ contrib/mod_sftp/auth.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/contrib/mod_sftp/auth.c b/contrib/mod_sftp/auth.c
+index 6196fec4a..c840bdc59 100644
+--- a/contrib/mod_sftp/auth.c
++++ b/contrib/mod_sftp/auth.c
+@@ -370,6 +370,7 @@ static int setup_env(pool *p, const char *user) {
+ }
+
+ session.user = pstrdup(p, pw->pw_name);
++ session.user_homedir = pstrdup(p, pw->pw_dir);
+ session.group = pstrdup(p, pr_auth_gid2name(p, pw->pw_gid));
+
+ session.login_uid = pw->pw_uid;
+@@ -686,10 +687,18 @@ static int setup_env(pool *p, const char *user) {
+
+ session.user = pstrdup(session.pool, session.user);
+
++ if (session.user_homedir != NULL) {
++ session.user_homedir = pstrdup(session.pool, session.user_homedir);
++ }
++
+ if (session.group != NULL) {
+ session.group = pstrdup(session.pool, session.group);
+ }
+
++ if (session.gids != NULL) {
++ session.gids = copy_array(session.pool, session.gids);
++ }
++
+ session.groups = copy_array_str(session.pool, session.groups);
+
+ pr_resolve_fs_map();
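Review bot: The new `session.gids` copy is wrapped in a NULL test, but the adjacent existing line `session.groups = copy_array_str(session.pool, session.groups);` is not; if copy_array_str does not tolerate a NULL array, groups deserves the same guard, and if it does, the new guard is simply consistent with the `session.group` block above — either way a one-line comment would help, e.g. `/* copy gids into session.pool; the patch subject implies the original array lives in a pool that does not outlive the session (confirm) */`. Note also that this patch is the Issue #1855 mod_sftp fix rather than part of #1866, so the changelog entry, which cites only #1866 and the CVE, under-describes what this upload changes. setup_env starts and ends outside both hunks.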
=====================================
debian/patches/series
=====================================
@@ -17,3 +17,6 @@ odbc
#784a8e28332059cd6f41e7bcfbdc9b0142fe2c13.diff
#5031d498a71c493b9659e2b5ccafde58b0897e30.diff
04_disable_base_netaddr_get_addr_test.diff
+e7539bd772ca6e12d3e05fb56da274cf78ee1edf.diff
+14c006b62c09d1efe302c57b2d183a489bcb22dc.diff
+9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff