From ae503ac311cdb5c1e1b57df9b158a8fc316901bc Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Oct 20 2019 13:48:20 +0000
Subject: Fix pre-authentication remote denial-of-service issue https://github.com/proftpd/proftpd/issues/846
---
diff --git a/.gitignore b/.gitignore
index ec24917..05195ca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,11 +1,14 @@
-# master/f30/f29
-/proftpd-1.3.6.tar.gz
+# master/f31/epel8-playground (split configuration)
+/proftpd-1.3.6b.tar.gz
 /v0.9.5.tar.gz
-# el7
+# f30/f29 (monolithic configuration)
+/proftpd-1.3.6b.tar.gz
+/v0.9.5.tar.gz
+# el7 (monolithic configuration)
 /proftpd-1.3.5e.tar.gz
 /proftpd-mod-vroot-0.9.2.tar.gz
 /Test-Unit-0.14.tar.gz
-# el6
+# el6 (monolithic configuration)
 /proftpd-1.3.3g.tar.bz2
 /proftpd-mod-geoip-0.2.tar.gz
 /proftpd-mod-vroot-0.9.2.tar.gz
diff --git a/.rpmlint b/.rpmlint
deleted file mode 100644
index a209d98..0000000
--- a/.rpmlint
+++ /dev/null
@@ -1,42 +0,0 @@
-from Config import *
-
-# Technical terms spelled correctly
-addFilter("spelling-error %description -l en_US customizable -> ");
-addFilter("spelling-error %description -l en_US passwd -> ");
-addFilter("spelling-error %description -l en_US systemd -> ");
-addFilter("spelling-error %description -l en_US virtualhost -> ");
-addFilter("spelling-error %description -l en_US xinetd -> ");
-
-# Proftpd allows specification of ciphers; should change proftpd.conf to use system default
-addFilter("crypto-policy-non-compliance-openssl /usr/sbin/proftpd SSL_CTX_set_cipher_list");
-
-# All FTP daemons provide this
-addFilter("unversioned-explicit-provides ftpserver");
-
-# This is the correct place for tmpfiles snippets
-addFilter("hardcoded-library-path in %{_prefix}/lib/tmpfiles.d");
-addFilter("only-non-binary-in-usr-lib");
-
-# These modes are intentional
-addFilter("non-readable /etc/proftpd.conf 640");
-addFilter("non-standard-dir-perm /var/ftp/uploads 331");
-addFilter("non-standard-dir-perm /var/log/proftpd 750");
-
-# /var/run/proftpd maintained by tmpfiles snippet too
-# Owning the directories in the package allows the daemon to run immediately after install, with no reboot
-addFilter("dir-or-file-in-var-run /var/run/proftpd");
-addFilter("non-ghost-in-run /run/proftpd");
-
-# File should exist but have no default content
-addFilter("zero-length /etc/ftpusers");
-
-# Same manpage as proftpd
-addFilter("no-manual-page-for-binary in.proftpd");
-
-# This is normal for libtool projects
-addFilter("hidden-file-or-dir /usr/src/debug/proftpd-.*/\.libs");
-
-# Upstream does not provide documentation for devel tools/API yet
-addFilter("no-documentation");
-addFilter("no-manual-page-for-binary prxs");
-
diff --git a/proftpd-1.3.5e-issue-846.patch b/proftpd-1.3.5e-issue-846.patch
new file mode 100644
index 0000000..0146f28
--- /dev/null
+++ b/proftpd-1.3.5e-issue-846.patch
@@ -0,0 +1,40 @@
+Backported from https://github.com/proftpd/proftpd/commit/51b9f9bb6c6dd8ea
+
+--- src/main.c
++++ src/main.c
+@@ -481,6 +481,7 @@ int pr_cmd_read(cmd_rec **res) {
+ static char *cmd_buf = NULL;
+ char *cp;
+ size_t cmd_buflen;
++ unsigned int too_large_count = 0;
+ 
+ if (res == NULL) {
+ errno = EINVAL;
+@@ -505,8 +506,16 @@ int pr_cmd_read(cmd_rec **res) {
+ 
+ if (errno == E2BIG) {
+ /* The client sent a too-long command which was ignored; give
+- * them another chance?
++ * them a few more chances, with minor delays?
+ */
++
++ too_large_count++;
++ pr_timer_usleep(250 * 1000);
++
++ if (too_large_count > 3) {
++ return -1;
++ }
++
+ continue;
+ }
+ 
+--- src/netio.c
++++ src/netio.c
+@@ -1037,6 +1037,7 @@ int pr_netio_read(pr_netio_stream_t *nst
+ }
+ 
+ nstrm->strm_errno = 0;
++ errno = EOF;
+ break;
+ }
+ 
diff --git a/proftpd.rpmlintrc b/proftpd.rpmlintrc
new file mode 100644
index 0000000..a209d98
--- /dev/null
+++ b/proftpd.rpmlintrc
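Review bot: The retry limit added in the src/main.c hunk still hinges on `errno == E2BIG` being a fresh value, and nothing in that hunk resets errno, so the loop's exit on a closed connection appears to rely on the src/netio.c hunk's `errno = EOF;` (on what looks like the zero-byte-read path, next to `nstrm->strm_errno = 0;`) making that comparison false — a coupling the backport leaves undocumented. A one-line comment above the check, `/* pr_netio_read() sets errno = EOF at end-of-stream so a stale E2BIG cannot keep this loop spinning */`, would keep the two hunks from being separated in a later rebase; both pr_cmd_read and pr_netio_read begin and end outside the hunk, so this is read from the backport alone. The budget and back-off are bare literals and the retained comment still ends in a question mark ("a few more chances, with minor delays?"): naming them, e.g. `#define CMD_TOO_LARGE_MAX_RETRIES 3` and `#define CMD_TOO_LARGE_DELAY_USEC (250 * 1000)` (constructed names), and rewording the comment to state that an oversized command is retried a bounded number of times with a short delay before the connection is dropped, would make the new policy self-describing. Note also that `pr_timer_usleep(250 * 1000)` runs before `too_large_count` is tested, so the final rejected command still pays the delay (250 ms, if the argument is microseconds) before `return -1`; that may be intended as a throttle, but it is worth stating in the comment.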
@@ -0,0 +1,42 @@
+from Config import *
+
+# Technical terms spelled correctly
+addFilter("spelling-error %description -l en_US customizable -> ");
+addFilter("spelling-error %description -l en_US passwd -> ");
+addFilter("spelling-error %description -l en_US systemd -> ");
+addFilter("spelling-error %description -l en_US virtualhost -> ");
+addFilter("spelling-error %description -l en_US xinetd -> ");
+
+# Proftpd allows specification of ciphers; should change proftpd.conf to use system default
+addFilter("crypto-policy-non-compliance-openssl /usr/sbin/proftpd SSL_CTX_set_cipher_list");
+
+# All FTP daemons provide this
+addFilter("unversioned-explicit-provides ftpserver");
+
+# This is the correct place for tmpfiles snippets
+addFilter("hardcoded-library-path in %{_prefix}/lib/tmpfiles.d");
+addFilter("only-non-binary-in-usr-lib");
+
+# These modes are intentional
+addFilter("non-readable /etc/proftpd.conf 640");
+addFilter("non-standard-dir-perm /var/ftp/uploads 331");
+addFilter("non-standard-dir-perm /var/log/proftpd 750");
+
+# /var/run/proftpd maintained by tmpfiles snippet too
+# Owning the directories in the package allows the daemon to run immediately after install, with no reboot
+addFilter("dir-or-file-in-var-run /var/run/proftpd");
+addFilter("non-ghost-in-run /run/proftpd");
+
+# File should exist but have no default content
+addFilter("zero-length /etc/ftpusers");
+
+# Same manpage as proftpd
+addFilter("no-manual-page-for-binary in.proftpd");
+
+# This is normal for libtool projects
+addFilter("hidden-file-or-dir /usr/src/debug/proftpd-.*/\.libs");
+
+# Upstream does not provide documentation for devel tools/API yet
+addFilter("no-documentation");
+addFilter("no-manual-page-for-binary prxs");
+
diff --git a/proftpd.spec b/proftpd.spec
index ca9901d..f8fd3d6 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -36,7 +36,7 @@ %global _hardened_build 1
 #global prever rc3
-%global rpmrel 5
+%global rpmrel 6
 Summary: Flexible, stable and highly-configurable FTP server
 Name: proftpd
@@ -63,6 +63,7 @@ Patch3: https://github.com/proftpd/proftpd/commit/459693c7.patch
 Patch4: proftpd-1.3.4rc1-mod_vroot-test.patch
 Patch5: proftpd-1.3.5e-insecure-sftp-host-key.patch
 Patch6: proftpd-1.3.5e-CVE-2019-12815.patch
+Patch7: proftpd-1.3.5e-issue-846.patch
 Patch27: proftpd-mod-vroot-0.9.2-bug3841.patch
 BuildRequires: coreutils
@@ -245,6 +246,10 @@ cp -p %{SOURCE1} proftpd.conf
 # https://github.com/proftpd/proftpd/pull/816
 %patch6
+# Fixed pre-authentication remote denial-of-service issue
+# https://github.com/proftpd/proftpd/issues/846
+%patch7
+
 # Fix possible symlink race when applying UserOwner to newly created directory
 # http://bugs.proftpd.org/show_bug.cgi?id=3841
 %patch27
@@ -523,6 +528,10 @@ fi
 %{_mandir}/man1/ftpwho.1*
 %changelog
+* Sun Oct 20 2019 Paul Howarth - 1.3.5e-6
+- Fixed pre-authentication remote denial-of-service issue https://github.com/proftpd/proftpd/issues/846
+
 * Tue Jul 23 2019 Paul Howarth - 1.3.5e-5
 - An arbitrary file copy vulnerability in mod_copy in ProFTPD allowed for remote code execution and information disclosure without authentication