From c113ad611b3586e309d45d05e958c310c3028263 Mon Sep 17 00:00:00 2001
From: Matthias Saou
Date: Jan 02 2009 12:51:49 +0000
Subject: Add Debian patch to fix CSRF vulnerability (#464127, upstream #3115) and backport recent minor changes on all current branches.
---
diff --git a/proftpd-1.3.1-csrf.patch b/proftpd-1.3.1-csrf.patch
new file mode 100644
index 0000000..2b2d706
--- /dev/null
+++ b/proftpd-1.3.1-csrf.patch
@@ -0,0 +1,176 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 3115.dpatch by Francesco Paolo Lovergine
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad trunk~/src/main.c trunk/src/main.c
+--- trunk~/src/main.c 2008-09-21 23:50:55.000000000 +0200
++++ trunk/src/main.c 2008-09-21 23:50:55.000000000 +0200
+@@ -674,12 +674,17 @@
+ while (TRUE) {
+ pr_signals_handle();
+
++ memset(buf,'\0',sizeof(buf));
++
+ if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm,
+ session.c->outstrm) == NULL) {
+
+- if (PR_NETIO_ERRNO(session.c->instrm) == EINTR)
+- /* Simple interrupted syscall */
++ if (errno == E2BIG) {
++ /* The client sent a too-long command which was ignored; give
++ * them another chance?
++ */
+ continue;
++ }
+
+ #ifndef PR_DEVEL_NO_DAEMON
+ /* Otherwise, EOF */
+@@ -695,20 +700,31 @@
+
+ if (cmd_buf_size == -1) {
+ int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize", FALSE);
++ size_t default_cmd_bufsz;
++
++ /* It's possible for the admin to select a PR_TUNABLE_BUFFER_SIZE which
++ * is smaller than PR_DEFAULT_CMD_BUFSZ. We need to handle such cases
++ * properly.
++ */
++ default_cmd_bufsz = PR_DEFAULT_CMD_BUFSZ;
++ if (default_cmd_bufsz > sizeof(buf)) {
++ default_cmd_bufsz = sizeof(buf);
++ }
++
+ if (bufsz == NULL) {
+- cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++ cmd_buf_size = default_cmd_bufsz;
+
+ } else if (*bufsz <= 0) {
+ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
+ "given, using default buffer size (%u) instead",
+- *bufsz, PR_DEFAULT_CMD_BUFSZ);
+- cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++ *bufsz, default_cmd_bufsz);
++ cmd_buf_size = default_cmd_bufsz;
+
+ } else if (*bufsz + 1 > sizeof(buf)) {
+ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
+ "given, using default buffer size (%u) instead",
+- *bufsz, PR_DEFAULT_CMD_BUFSZ);
+- cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
++ *bufsz, default_cmd_bufsz);
++ cmd_buf_size = default_cmd_bufsz;
+
+ } else {
+ pr_log_debug(DEBUG1, "setting CommandBufferSize to %d", *bufsz);
+diff -urNad trunk~/src/netio.c trunk/src/netio.c
+--- trunk~/src/netio.c 2008-09-21 23:39:34.000000000 +0200
++++ trunk/src/netio.c 2008-09-21 23:52:17.000000000 +0200
+@@ -1,6 +1,6 @@
+ /*
+ * ProFTPD - FTP server daemon
+- * Copyright (c) 2001-2007 The ProFTPD Project team
++ * Copyright (c) 2001-2008 The ProFTPD Project team
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -30,19 +30,19 @@
+ #include
+
+ #ifndef IAC
+-#define IAC 255
++# define IAC 255
+ #endif
+ #ifndef DONT
+-#define DONT 254
++# define DONT 254
+ #endif
+ #ifndef DO
+-#define DO 253
++# define DO 253
+ #endif
+ #ifndef WONT
+-#define WONT 252
++# define WONT 252
+ #endif
+ #ifndef WILL
+-#define WILL 251
++# define WILL 251
+ #endif
+
+ static const char *trace_channel = "netio";
+@@ -51,6 +51,17 @@
+ static pr_netio_t *core_data_netio = NULL, *data_netio = NULL;
+ static pr_netio_t *core_othr_netio = NULL, *othr_netio = NULL;
+
++/* Used to track whether the previous text read from the
client's control
++ * connection was a properly-terminated command. If so, then read in the
++ * next/current text as per normal. If NOT (e.g. the client sent a too-long
++ * command), then read in the next/current text, but ignore it. Only clear
++ * this flag if the next/current command can be read as per normal.
++ *
++ * The pr_netio_telnet_gets() uses this variable, in conjunction with its
++ * saw_newline flag, for handling too-long commands from clients.
++ */
++static int properly_terminated_prev_command = TRUE;
++
+ static pr_netio_stream_t *netio_stream_alloc(pool *parent_pool) {
+ pool *netio_pool = NULL;
+ pr_netio_stream_t *nstrm = NULL;
+@@ -911,7 +922,7 @@
+ char *bp = buf;
+ unsigned char cp;
+ static unsigned char mode = 0;
+- int toread;
++ int toread, saw_newline = FALSE;
+ pr_buffer_t *pbuf = NULL;
+
+ if (buflen == 0) {
+@@ -940,8 +951,9 @@
+ *bp = '\0';
+ return buf;
+
+- } else
++ } else {
+ return NULL;
++ }
+ }
+
+ pbuf->remaining = pbuf->buflen - toread;
+@@ -1004,6 +1016,8 @@
+ toread--;
+ *bp++ = *pbuf->current++;
+ pbuf->remaining++;
++
++ saw_newline = TRUE;
+ break;
+ }
+
+@@ -1011,6 +1025,25 @@
+ pbuf->current = NULL;
+ }
+
++ if (!saw_newline) {
++ /* If we haven't seen a newline, then assume the client is deliberately
++ * sending a too-long command, trying to exploit buffer sizes and make
++ * the server make some possibly bad assumptions.
++ */
++
++ properly_terminated_prev_command = FALSE;
++ errno = E2BIG;
++ return NULL;
++ }
++
++ if (!properly_terminated_prev_command) {
++ properly_terminated_prev_command = TRUE;
++ pr_log_pri(PR_LOG_NOTICE, "client sent too-long command, ignoring");
++ errno = E2BIG;
++ return NULL;
++ }
++
++ properly_terminated_prev_command = TRUE;
+ *bp = '\0';
+ return buf;
+ }
diff --git a/proftpd.spec b/proftpd.spec
index b09126d..4d55b1b 100644
--- a/proftpd.spec
+++ b/proftpd.spec
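Review bot: In the main.c hunk of the embedded patch, the new `if (errno == E2BIG)` test reads the global `errno` after `pr_netio_telnet_gets()` returns NULL, but the `} else { return NULL; }` path visible in the netio.c hunk returns without setting `errno`, so a value left over from an earlier too-long command could make the loop `continue` where the old code went on to the EOF handling. Adding `errno = 0;` next to the new `memset(buf,'\0',sizeof(buf));` would make the check depend only on the current call; whether the read path already resets `errno` cannot be seen here, because both function bodies extend outside the hunks. The same hunk drops the previous `EINTR` retry, which deserves a comment saying where interrupted reads are handled now. Separately, `default_cmd_bufsz` is a `size_t` but is passed to the `%u` conversion in both `pr_log_pri` warnings; `(unsigned int) default_cmd_bufsz` would keep the format and argument types matched.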
@@ -1,7 +1,7 @@ Summary: Flexible, stable and highly-configurable FTP server Name: proftpd Version: 1.3.1 -Release: 5%{?dist} +Release: 7%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://www.proftpd.org/ @@ -15,6 +15,7 @@ Source6: proftpd.pam Source7: proftpd-mod_quotatab_ldap.ldif Source8: proftpd-mod_quotatab_ldap.schema Patch0: proftpd-1.3.1-find-umode_t.patch +Patch1: proftpd-1.3.1-csrf.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root Requires: pam >= 0.59 Requires(post): /sbin/chkconfig @@ -66,6 +67,7 @@ Module to add PostgreSQL support to the ProFTPD FTP server. %prep %setup -q %patch0 -p1 -b .find-umode_t +%patch1 -p1 -b .csrf %build @@ -84,7 +86,7 @@ Module to add PostgreSQL support to the ProFTPD FTP server. --with-libraries="%{_libdir}/mysql" \ --with-includes="%{_includedir}/mysql" \ --with-modules=mod_readme:mod_auth_pam:mod_tls \ - --with-shared=mod_ldap:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_sql:mod_ifsession + --with-shared=mod_ldap:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_sql:mod_ifsession:mod_ban # It seems that with _smp_mflags -lsupp tries to get linked before being built # (as of 1.3.0a-4 F7/devel with koji, happened on F8 x86_64 and F7 ppc64) @@ -161,6 +163,7 @@ fi %{_bindir}/* %exclude %{_includedir}/proftpd/ %dir %{_libexecdir}/proftpd/ +%{_libexecdir}/proftpd/mod_ban.so %{_libexecdir}/proftpd/mod_ifsession.so %{_libexecdir}/proftpd/mod_quotatab.so %{_libexecdir}/proftpd/mod_quotatab_file.so 
@@ -195,7 +198,13 @@ fi %changelog -* Tue Feb 19 2008 Fedora Release Engineering - 1.3.1-5 +* Fri Jan 2 2009 Matthias Saou 1.3.1-7 +- Add Debian patch to fix CSRF vulnerability (#464127, upstream #3115). + +* Fri Aug 8 2008 Matthias Saou 1.3.1-6 +- Add mod_ban support (#457289, Philip Prindeville). + +* Tue Feb 19 2008 Fedora Release Engineering - Autorebuild for GCC 4.3 * Wed Feb 13 2008 Matthias Saou 1.3.1-4