From bba59f1dab2e47d255550aaee796855330371a2a Mon Sep 17 00:00:00 2001
From: Paul Howarth
Date: Feb 19 2020 14:16:54 +0000
Subject: Update to 1.3.6c - New upstream release 1.3.6c - Use-after-free vulnerability in memory pools during data transfer (https://github.com/proftpd/proftpd/issues/903) - Fix mod_tls compilation with LibreSSL 2.9.x (https://github.com/proftpd/proftpd/issues/810) - MaxClientsPerUser was not enforced for SFTP logins when mod_digest was enabled (https://github.com/proftpd/proftpd/issues/750) - mod_sftp now handles an OpenSSH-specific private key format; it detects such keys, and logs a hint about reformatting them to a supported format (https://github.com/proftpd/proftpd/issues/793) - Directory listing was slower compared to previous ProFTPD versions (https://github.com/proftpd/proftpd/issues/793) - mod_sftp crashed when using pubkey-auth with DSA keys (https://github.com/proftpd/proftpd/issues/866) - Fix improper handling of TLS CRL lookups (CVE-2019-19269, CVE-2019-19270, https://github.com/proftpd/proftpd/issues/859) - Leaking PAM handler and data in case of unsuccessful authentication (https://github.com/proftpd/proftpd/issues/870) - SSH authentication failed for many clients due to receiving of SSH_MSG_IGNORE packet (http://bugs.proftpd.org/show_bug.cgi?id=4385) - SFTP publickey authentication failed unexpectedly when user had no shadow password info. (https://github.com/proftpd/proftpd/issues/890) - ftpasswd failed to restore password file permissions in some cases (https://github.com/proftpd/proftpd/issues/898) - Out-of-bounds read in mod_cap getstateflags() function; this has been addressed by updating the bundled version of libcap (https://github.com/proftpd/proftpd/issues/902) Note that this build of ProFTPD uses the system version of libcap and not the bundled version
---
diff --git a/.gitignore b/.gitignore
index 05195ca..6b65d8e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,8 @@
-# master/f31/epel8-playground (split configuration)
-/proftpd-1.3.6b.tar.gz
+# master/f32/f31/epel8 (split configuration)
+/proftpd-1.3.6c.tar.gz
 /v0.9.5.tar.gz
-# f30/f29 (monolithic configuration)
-/proftpd-1.3.6b.tar.gz
+# f30 (monolithic configuration)
+/proftpd-1.3.6c.tar.gz
 /v0.9.5.tar.gz
 # el7 (monolithic configuration)
 /proftpd-1.3.5e.tar.gz
diff --git a/7f2f0ab1.patch b/7f2f0ab1.patch
deleted file mode 100644
index 39a9241..0000000
--- a/7f2f0ab1.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From 7f2f0ab15909c470cabb892e3c2a17803a439bee Mon Sep 17 00:00:00 2001
-From: TJ Saunders
-Date: Tue, 21 Jan 2020 11:09:08 -0800
-Subject: [PATCH] Bug #4385: When handling the `keyboard-interactive`
- authentication mechanism, as used for _e.g._ PAM, make sure to properly
- handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages, per RFC 4253.
-
----
- contrib/mod_sftp/kbdint.c | 99 ++++++++++++++++++++++++++++++---------
- 1 file changed, 76 insertions(+), 23 deletions(-)
-
-diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
-index 6900f4dfc..98b0a28af 100644
---- a/contrib/mod_sftp/kbdint.c
-+++ b/contrib/mod_sftp/kbdint.c
-@@ -1,6 +1,6 @@
- /*
- * ProFTPD - mod_sftp keyboard-interactive driver mgmt
-- * Copyright (c) 2008-2017 TJ Saunders
-+ * Copyright (c) 2008-2020 TJ Saunders
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -254,6 +254,77 @@ int sftp_kbdint_send_challenge(const char *user, const char *instruction,
- return res;
- }
-
-+static struct ssh2_packet *read_response_packet(pool *p) {
-+ struct ssh2_packet *pkt = NULL;
-+
-+ /* Keep looping until we get the desired message, or we time out. */
-+ while (pkt == NULL) {
-+ int res;
-+ char mesg_type;
-+
-+ pr_signals_handle();
-+
-+ pkt = sftp_ssh2_packet_create(kbdint_pool);
-+ res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
-+ if (res < 0) {
-+ int xerrno = errno;
-+
-+ destroy_pool(pkt->pool);
-+
-+ errno = xerrno;
-+ return NULL;
-+ }
-+
-+ pr_response_clear(&resp_list);
-+ pr_response_clear(&resp_err_list);
-+
-+ /* Per RFC 4253, Section 11, DEBUG, DISCONNECT, IGNORE, and UNIMPLEMENTED
-+ * messages can occur at any time, even during KEX. We have to be prepared
-+ * for this, and Do The Right Thing(tm).
-+ */
-+
-+ mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
-+
-+ switch (mesg_type) {
-+ case SFTP_SSH2_MSG_DEBUG:
-+ sftp_ssh2_packet_handle_debug(pkt);
-+ pkt = NULL;
-+ break;
-+
-+ case SFTP_SSH2_MSG_DISCONNECT:
-+ sftp_ssh2_packet_handle_disconnect(pkt);
-+ pkt = NULL;
-+ break;
-+
-+ case SFTP_SSH2_MSG_IGNORE:
-+ sftp_ssh2_packet_handle_ignore(pkt);
-+ pkt = NULL;
-+ break;
-+
-+ case SFTP_SSH2_MSG_UNIMPLEMENTED:
-+ sftp_ssh2_packet_handle_unimplemented(pkt);
-+ pkt = NULL;
-+ break;
-+
-+ case SFTP_SSH2_MSG_USER_AUTH_INFO_RESP:
-+ pr_trace_msg(trace_channel, 13,
-+ "received expected %s message",
-+ sftp_ssh2_packet_get_mesg_type_desc(mesg_type));
-+ break;
-+
-+ default:
-+ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-+ "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
-+ sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
-+ destroy_pool(pkt->pool);
-+ errno = EPERM;
-+ return NULL;
-+ }
-+ }
-+
-+ return pkt;
-+}
-+
- int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
- uint32_t *rcvd_count, const char ***responses) {
- register unsigned int i;
-@@ -261,8 +332,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
- cmd_rec *cmd;
- array_header *list;
- uint32_t buflen, resp_count;
-- struct ssh2_packet *pkt;
-- char mesg_type;
-+ struct ssh2_packet *pkt = NULL;
- int res;
- pool *resp_pool = NULL;
-
-@@ -273,32 +343,15 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
- return -1;
- }
-
-- pkt = sftp_ssh2_packet_create(kbdint_pool);
--
-- res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
-- if (res < 0) {
-- destroy_pool(pkt->pool);
-- return res;
-+ pkt = read_response_packet(p);
-+ if (pkt == NULL) {
-+ return -1;
- }
-
-- pr_response_clear(&resp_list);
-- pr_response_clear(&resp_err_list);
--
- /* Cache a reference to the current response pool used.
*/
- resp_pool = pr_response_get_pool();
- pr_response_set_pool(pkt->pool);
-
-- mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
-- if (mesg_type != SFTP_SSH2_MSG_USER_AUTH_INFO_RESP) {
-- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
-- "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
-- sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
-- destroy_pool(pkt->pool);
-- pr_response_set_pool(resp_pool);
-- errno = EPERM;
-- return -1;
-- }
--
- cmd = pr_cmd_alloc(pkt->pool, 2, pstrdup(pkt->pool, "USER_AUTH_INFO_RESP"));
- cmd->arg = "(data)";
-
diff --git a/be8e1687.patch b/be8e1687.patch
deleted file mode 100644
index c2b8c84..0000000
--- a/be8e1687.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From be8e1687819cb665359bd62b4c896ff4b1a09c3f Mon Sep 17 00:00:00 2001
-From: TJ Saunders
-Date: Sun, 24 Nov 2019 14:03:54 -0800
-Subject: [PATCH] Issue #859, #861: Fix handling of CRL lookups by properly
- using issuer for lookups, and guarding against null pointers.
-
----
- contrib/mod_tls.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
-index bd20a843b..df89545e9 100644
---- a/contrib/mod_tls.c
-+++ b/contrib/mod_tls.c
-@@ -9066,10 +9066,10 @@ static int tls_verify_crl(int ok, X509_STORE_CTX *ctx) {
-
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
- !defined(HAVE_LIBRESSL)
-- crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
-+ crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
- #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
- !defined(HAVE_LIBRESSL)
-- crls = X509_STORE_get1_crls(store_ctx, subject);
-+ crls = X509_STORE_get1_crls(store_ctx, issuer);
- #else
- /* Your OpenSSL is before 1.0.0. You really need to upgrade. */
- crls = NULL;
-@@ -9088,6 +9088,9 @@ static int tls_verify_crl(int ok, X509_STORE_CTX *ctx) {
- ASN1_INTEGER *sn;
-
- revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
-+ if (revoked == NULL) {
-+ continue;
-+ }
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
- !defined(HAVE_LIBRESSL)
- sn = X509_REVOKED_get0_serialNumber(revoked);
diff --git a/proftpd-1.3.6-shellbang.patch b/proftpd-1.3.6-shellbang.patch
deleted file mode 100644
index 63e5b64..0000000
--- a/proftpd-1.3.6-shellbang.patch
+++ /dev/null
@@ -1,40 +0,0 @@
---- contrib/ftpasswd
-+++ contrib/ftpasswd
-@@ -1,4 +1,4 @@
--#!/usr/bin/env perl
-+#!/usr/bin/perl
- # ---------------------------------------------------------------------------
- # Copyright (C) 2000-2015 TJ Saunders
- #
---- contrib/ftpmail
-+++ contrib/ftpmail
-@@ -1,4 +1,4 @@
--#!/usr/bin/env perl
-+#!/usr/bin/perl
- # ---------------------------------------------------------------------------
- # Copyright (C) 2008-2013 TJ Saunders
- #
---- contrib/ftpquota
-+++ contrib/ftpquota
-@@ -1,4 +1,4 @@
--#!/usr/bin/env perl
-+#!/usr/bin/perl
- # -------------------------------------------------------------------------
- # Copyright (C) 2000-2017 TJ Saunders
- #
---- contrib/xferstats.holger-preiss
-+++ contrib/xferstats.holger-preiss
-@@ -1,4 +1,4 @@
--#!/usr/bin/env perl
-+#!/usr/bin/perl
- # ---------------------------------------------------------------------------
- #
- # USAGE: xferstats
---- src/prxs.in
-+++ src/prxs.in
-@@ -1,4 +1,4 @@
--#!/usr/bin/env perl
-+#!/usr/bin/perl
-
- # ---------------------------------------------------------------------------
- # Copyright (C) 2008-2012 TJ Saunders
diff --git a/proftpd-1.3.6c-shellbang.patch b/proftpd-1.3.6c-shellbang.patch
new file mode 100644
index 0000000..5af88d5
--- /dev/null
+++ b/proftpd-1.3.6c-shellbang.patch
@@ -0,0 +1,40 @@
+--- contrib/ftpasswd
++++ contrib/ftpasswd
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # ---------------------------------------------------------------------------
+ # Copyright (C) 2000-2020 TJ Saunders
+ #
+--- contrib/ftpmail
++++ contrib/ftpmail
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # ---------------------------------------------------------------------------
+ # Copyright (C) 2008-2013 TJ Saunders
+ #
+--- contrib/ftpquota
++++ contrib/ftpquota
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # -------------------------------------------------------------------------
+ # Copyright (C) 2000-2017 TJ Saunders
+ #
+--- contrib/xferstats.holger-preiss
++++ contrib/xferstats.holger-preiss
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+ # ---------------------------------------------------------------------------
+ #
+ # USAGE: xferstats
+--- src/prxs.in
++++ src/prxs.in
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env perl
++#!/usr/bin/perl
+
+ # ---------------------------------------------------------------------------
+ # Copyright (C) 2008-2012 TJ Saunders
diff --git a/proftpd.spec b/proftpd.spec
index eb491cd..5920bee 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -66,12 +66,12 @@
 %undefine _strict_symbol_defs_build
 #global prever rc3
-%global rpmrel 4
+%global rpmrel 1
 %global mod_vroot_version 0.9.5
 Summary: Flexible, stable and highly-configurable FTP server
 Name: proftpd
-Version: 1.3.6b
+Version: 1.3.6c
 Release: %{?prever:0.}%{rpmrel}%{?prever:.%{prever}}%{?dist}
 License: GPLv2+
 URL: http://www.proftpd.org/
@@ -87,13 +87,11 @@ Source8: proftpd-welcome.msg
 Source9: proftpd.sysconfig
 Source10: http://github.com/Castaglia/proftpd-mod_vroot/archive/v%{mod_vroot_version}.tar.gz
-Patch1: proftpd-1.3.6-shellbang.patch
+Patch1: proftpd-1.3.6c-shellbang.patch
 Patch2: proftpd.conf-no-memcached.patch
 Patch3: proftpd-1.3.4rc1-mod_vroot-test.patch
 Patch4: proftpd-1.3.6-no-mod-wrap.patch
 Patch5: proftpd-1.3.6-no-mod-geoip.patch
-Patch6: https://github.com/proftpd/proftpd/commit/be8e1687.patch
-Patch7: https://github.com/proftpd/proftpd/commit/7f2f0ab1.patch
 Patch100: 0001-Move-definition-of-recvd_signal_flags-for-API-tests.patch
 Patch116: proftpd-1.3.6-ENOATTR.patch
@@ -301,18 +299,6 @@ mv contrib/README contrib/README.contrib
 %patch5 -b .nogeoip
 %endif
-# Fix handling of CRL lookups by properly using issuer for lookups, and
-# guarding against null pointers
-# https://github.com/proftpd/proftpd/issues/859 (CVE-2019-19270)
-# https://github.com/proftpd/proftpd/issues/861 (CVE-2019-19269)
-%patch6 -p1 -b .CVE-2019-19269
-
-# mod_sftp: When handling the 'keyboard-interactive' authentication mechanism,
-# as used for (e.g.) PAM, make sure to properly handle DEBUG, IGNORE,
-# DISCONNECT, and UNIMPLEMENTED messages, per RFC 4253
-# (http://bugs.proftpd.org/show_bug.cgi?id=4385)
-%patch7 -p1
-
 # Fix API tests compile failure with GCC 10
 # https://github.com/proftpd/proftpd/pull/886
 %patch100 -p1
@@ -607,6 +593,37 @@ fi
 %{_mandir}/man1/ftpwho.1*
 %changelog
+* Wed Feb 19 2020 Paul Howarth - 1.3.6c-1
+- Update to 1.3.6c
+ - Use-after-free vulnerability in memory pools during data transfer
+ (https://github.com/proftpd/proftpd/issues/903)
+ - Fix mod_tls compilation with LibreSSL 2.9.x
+ (https://github.com/proftpd/proftpd/issues/810)
+ - MaxClientsPerUser was not enforced for SFTP logins when mod_digest was
+ enabled (https://github.com/proftpd/proftpd/issues/750)
+ - mod_sftp now handles an OpenSSH-specific private key format; it detects
+ such keys, and logs a hint about reformatting them to a supported format
+ (https://github.com/proftpd/proftpd/issues/793)
+ - Directory listing was slower compared to previous ProFTPD versions
+ (https://github.com/proftpd/proftpd/issues/793)
+ - mod_sftp crashed when using pubkey-auth with DSA keys
+ (https://github.com/proftpd/proftpd/issues/866)
+ - Fix improper handling of TLS CRL lookups (CVE-2019-19269, CVE-2019-19270,
+ https://github.com/proftpd/proftpd/issues/859)
+ - Leaking PAM handler and data in case of unsuccessful authentication
+ (https://github.com/proftpd/proftpd/issues/870)
+ - SSH authentication failed for many clients due to receiving of
+ SSH_MSG_IGNORE packet (http://bugs.proftpd.org/show_bug.cgi?id=4385)
+ - SFTP publickey authentication failed unexpectedly when user had no shadow
+ password info. (https://github.com/proftpd/proftpd/issues/890)
+ - ftpasswd failed to restore password file permissions in some cases
+ (https://github.com/proftpd/proftpd/issues/898)
+ - Out-of-bounds read in mod_cap getstateflags() function; this has been
+ addressed by updating the bundled version of libcap
+ (https://github.com/proftpd/proftpd/issues/902)
+ Note that this build of ProFTPD uses the system version of libcap and not
+ the bundled version
+
 * Thu Jan 30 2020 Fedora Release Engineering - 1.3.6b-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
diff --git a/sources b/sources
index 8a9c5f6..53775e5 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (proftpd-1.3.6b.tar.gz) = 51511f05f481a038fa3826bdf1bdb866423d9f8df48071a8a263347a1ed096a553e66daefcc95dfdfcde503e664ed4140cdbb2a4f95ade8b7aadf2007aa3a671
+SHA512 (proftpd-1.3.6c.tar.gz) = 9b10e603b26d527b594682a4905e70dc0a8361372ed80a8e2617167305047bf94ea16b441f9d5782ae04dd50768d32e12f9cb68708c1f80dcd219b09e0d4fd15
 SHA512 (v0.9.5.tar.gz) = 10e4de29d84c2f2f5e88502fcd62768e2b0797b05a95fc22b59605e3c7377bfe3609c99e2f6fc2a17f9c3a267ff815c651ae39be8b6cb133565a4590f767353d