From 07dd9478b97bd071069e299008b7bb85ecfbd1fc Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Sep 14 2013 19:11:49 +0000 Subject: Fix possible DoS with mod_sftp/mod_sftp_pam Fix mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication (#1007678, upstream bug #3973) --- diff --git a/proftpd-1.3.4d-bug3973.patch b/proftpd-1.3.4d-bug3973.patch new file mode 100644 index 0000000..6013fd6 --- /dev/null +++ b/proftpd-1.3.4d-bug3973.patch @@ -0,0 +1,152 @@ +--- contrib/mod_sftp_pam.c 2013/02/26 23:14:19 1.10.2.3 ++++ contrib/mod_sftp_pam.c 2013/09/14 06:57:00 1.10.2.4 +@@ -26,7 +26,7 @@ + * This is mod_sftp_pam, contrib software for proftpd 1.3.x and above. + * For more information contact TJ Saunders . + * +- * $Id: mod_sftp_pam.c,v 1.10.2.3 2013/02/26 23:14:19 castaglia Exp $ ++ * $Id: mod_sftp_pam.c,v 1.10.2.4 2013/09/14 06:57:00 castaglia Exp $ + * $Libraries: -lpam $ + */ + +@@ -197,22 +197,13 @@ + return PAM_CONV_ERR; + } + +- if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, &recvd_count, +- &recvd_responses) < 0) { ++ if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, list->nelts, ++ &recvd_count, &recvd_responses) < 0) { + pr_trace_msg(trace_channel, 3, + "error receiving keyboard-interactive responses: %s", strerror(errno)); + return PAM_CONV_ERR; + } + +- /* Make sure that the count of responses matches the challenge count. */ +- if (recvd_count != list->nelts) { +- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_PAM_VERSION, +- "sent %d %s, but received %u %s", nmsgs, +- list->nelts != 1 ? "challenges" : "challenge", recvd_count, +- recvd_count != 1 ? "responses" : "response"); +- return PAM_CONV_ERR; +- } +- + res = calloc(nmsgs, sizeof(struct pam_response)); + if (res == NULL) { + pr_log_pri(PR_LOG_CRIT, "Out of memory!"); +--- contrib/mod_sftp/kbdint.c 2011/05/23 21:03:12 1.4 ++++ contrib/mod_sftp/kbdint.c 2013/09/14 06:57:00 1.4.2.1 +@@ -1,6 +1,6 @@ + /* + * ProFTPD - mod_sftp keyboard-interactive driver mgmt +- * Copyright (c) 2008-2009 TJ Saunders ++ * Copyright (c) 2008-2013 TJ Saunders + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -21,7 +21,7 @@ + * resulting executable, without including the source code for OpenSSL in the + * source distribution. + * +- * $Id: kbdint.c,v 1.4 2011/05/23 21:03:12 castaglia Exp $ ++ * $Id: kbdint.c,v 1.4.2.1 2013/09/14 06:57:00 castaglia Exp $ + */ + + #include "mod_sftp.h" +@@ -31,6 +31,8 @@ + #include "utf8.h" + #include "kbdint.h" + ++#define SFTP_KBDINT_MAX_RESPONSES 500 ++ + struct kbdint_driver { + struct kbdint_driver *next, *prev; + +@@ -252,8 +254,8 @@ + return res; + } + +-int sftp_kbdint_recv_response(pool *p, unsigned int *count, +- const char ***responses) { ++int sftp_kbdint_recv_response(pool *p, unsigned int expected_count, ++ unsigned int *rcvd_count, const char ***responses) { + register unsigned int i; + char *buf; + cmd_rec *cmd; +@@ -264,7 +266,7 @@ + int res; + + if (p == NULL || +- count == NULL || ++ rcvd_count == NULL || + responses == NULL) { + errno = EINVAL; + return -1; +@@ -299,6 +301,29 @@ + + resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen); + ++ /* Ensure that the number of responses sent by the client is the same ++ * as the number of challenges sent, lest a malicious client attempt to ++ * trick us into allocating too much memory (Bug#3973). ++ */ ++ if (resp_count != expected_count) { ++ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION, ++ "sent %lu %s, but received %lu %s", (unsigned long) expected_count, ++ expected_count != 1 ? "challenges" : "challenge", ++ (unsigned long) resp_count, resp_count != 1 ? "responses" : "response"); ++ destroy_pool(pkt->pool); ++ errno = EPERM; ++ return -1; ++ } ++ ++ if (resp_count > SFTP_KBDINT_MAX_RESPONSES) { ++ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION, ++ "received too many responses (%lu > max %lu), rejecting", ++ (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES); ++ destroy_pool(pkt->pool); ++ errno = EPERM; ++ return -1; ++ } ++ + list = make_array(p, resp_count, sizeof(char *)); + for (i = 0; i < resp_count; i++) { + char *resp; +@@ -307,7 +332,7 @@ + *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp)); + } + +- *count = (unsigned int) resp_count; ++ *rcvd_count = (unsigned int) resp_count; + *responses = ((const char **) list->elts); + return 0; + } +--- contrib/mod_sftp/mod_sftp.h.in 2011/10/12 17:15:56 1.22 ++++ contrib/mod_sftp/mod_sftp.h.in 2013/09/14 06:57:00 1.22.2.1 +@@ -1,6 +1,6 @@ + /* + * ProFTPD - mod_sftp +- * Copyright (c) 2008-2011 TJ Saunders ++ * Copyright (c) 2008-2013 TJ Saunders + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -21,7 +21,7 @@ + * resulting executable, without including the source code for OpenSSL in the + * source distribution. + * +- * $Id: mod_sftp.h.in,v 1.22 2011/10/12 17:15:56 castaglia Exp $ ++ * $Id: mod_sftp.h.in,v 1.22.2.1 2013/09/14 06:57:00 castaglia Exp $ + */ + + #ifndef MOD_SFTP_H +@@ -174,7 +174,8 @@ + int sftp_kbdint_unregister_driver(const char *name); + int sftp_kbdint_send_challenge(const char *, const char *, unsigned int, + sftp_kbdint_challenge_t *); +-int sftp_kbdint_recv_response(pool *, unsigned int *, const char ***); ++int sftp_kbdint_recv_response(pool *, unsigned int, unsigned int *, ++ const char ***); + + /* API for modules that which to register keystores, for the + * SFTPAuthorizedHostKeys and SFTPAuthorizedUserKeys directives. diff --git a/proftpd.spec b/proftpd.spec index 0d3f99b..b2641af 100644 --- a/proftpd.spec +++ b/proftpd.spec @@ -41,12 +41,12 @@ %define _hardened_build 1 #global prever rc3 -%global rpmrel 2 +%global rpmrel 4 Summary: Flexible, stable and highly-configurable FTP server Name: proftpd Version: 1.3.4d -Release: %{?prever:0.}%{rpmrel}%{?prever:.%{prever}}%{?dist}.2 +Release: %{?prever:0.}%{rpmrel}%{?prever:.%{prever}}%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://www.proftpd.org/ @@ -71,6 +71,7 @@ Patch23: proftpd-1.3.4c-bug3744.patch Patch24: proftpd-1.3.4a-bug3745.patch Patch25: proftpd-1.3.4a-bug3746.patch Patch27: proftpd-mod-vroot-0.9.2-bug3841.patch +Patch28: proftpd-1.3.4d-bug3973.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root Requires(preun): coreutils, findutils %if %{use_systemd} @@ -236,6 +237,10 @@ cp -p %{SOURCE1} proftpd.conf # http://bugs.proftpd.org/show_bug.cgi?id=3841 %patch27 +# Fix mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication +# http://bugs.proftpd.org/show_bug.cgi?id=3973 +%patch28 + # Avoid documentation name conflicts mv contrib/README contrib/README.contrib @@ -532,10 +537,14 @@ fi %{_mandir}/man1/ftpwho.1* %changelog -* Sun Aug 04 2013 Fedora Release Engineering - 1.3.4d-2.2 +* Sat Sep 14 2013 Paul Howarth 1.3.4d-4 +- Fix mod_sftp/mod_sftp_pam invalid pool allocation during kbdint authentication + (#1007678, upstream bug #3973) + +* Sun Aug 04 2013 Fedora Release Engineering 1.3.4d-2.2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild -* Wed Jul 17 2013 Petr Pisar - 1.3.4d-2.1 +* Wed Jul 17 2013 Petr Pisar 1.3.4d-2.1 - Perl 5.18 rebuild * Mon Jun 17 2013 Paul Howarth 1.3.4d-2 @@ -1141,7 +1150,7 @@ fi * Tue May 10 2005 Matthias Saou 1.2.10-4 - Disable stripping in order to get useful debuginfo packages. -* Fri Apr 7 2005 Michael Schwendt 1.2.10-3 +* Wed Apr 6 2005 Michael Schwendt 1.2.10-3 - rebuilt * Tue Nov 16 2004 Matthias Saou 1.2.10-2 @@ -1153,7 +1162,7 @@ fi * Tue Jun 22 2004 Matthias Saou 1.2.9-8 - Added ncurses-devel build requires to fix the ftptop utility. -* Fri Feb 26 2004 Magnus-swe 1.2.9-7 +* Thu Feb 26 2004 Magnus-swe 1.2.9-7 - Fixed the scoreboard and pidfile issues. * Fri Jan 9 2004 Matthias Saou 1.2.9-6 @@ -1228,7 +1237,7 @@ fi * Wed Apr 25 2001 Matthias Saou - Update to 1.2.2rc2. -* Mon Apr 1 2001 Matthias Saou +* Mon Apr 2 2001 Matthias Saou - Update to 1.2.2rc1. * Tue Mar 20 2001 Matthias Saou