From cb550ae897aea61ebc8e76cc6eb11b3064d312d6 Mon Sep 17 00:00:00 2001 From: Paul Howarth Date: Jun 11 2016 10:24:13 +0000 Subject: Additional tweak (to avoid null pointer dereference) for upstream bug 3868 --- diff --git a/proftpd-mod_tls-bug3868.patch b/proftpd-mod_tls-bug3868.patch index 8fe2877..769b8cd 100644 --- a/proftpd-mod_tls-bug3868.patch +++ b/proftpd-mod_tls-bug3868.patch @@ -9,7 +9,7 @@ static RSA *tls_tmp_rsa = NULL; /* SSL/TLS support functions */ -@@ -1952,58 +1952,56 @@ static int tls_ctrl_renegotiate_cb(CALLB +@@ -1952,58 +1952,60 @@ static int tls_ctrl_renegotiate_cb(CALLB #endif static DH *tls_dh_cb(SSL *ssl, int is_export, int keylength) { @@ -84,13 +84,17 @@ - return tls_tmp_dh; + /* Add this DH to the list, so that it can be freed properly later. */ ++ if (tls_tmp_dhs == NULL) { ++ tls_tmp_dhs = make_array(session.pool, 1, sizeof(DH *)); ++ } ++ + *((DH **) push_array(tls_tmp_dhs)) = dh; + + return dh; } /* Post 0.9.7a, RSA blinding is turned on by default, so there is no need to -@@ -3018,9 +3016,16 @@ static void tls_cleanup(int flags) { +@@ -3018,9 +3020,16 @@ static void tls_cleanup(int flags) { ssl_ctx = NULL; } @@ -110,7 +114,7 @@ } if (tls_tmp_rsa) { -@@ -7320,6 +7325,38 @@ static int tls_sess_init(void) { +@@ -7320,6 +7329,38 @@ static int tls_sess_init(void) { tls_crl_path = get_param_ptr(main_server->conf, "TLSCARevocationPath", FALSE); tls_dhparam_file = get_param_ptr(main_server->conf, "TLSDHParamFile", FALSE); diff --git a/proftpd-mod_tls-bug4230.patch b/proftpd-mod_tls-bug4230.patch index c37dcce..4da9063 100644 --- a/proftpd-mod_tls-bug4230.patch +++ b/proftpd-mod_tls-bug4230.patch @@ -156,10 +156,9 @@ + "using best DH parameter for key length %d (length %d)", keylen, + best_dhlen); + return best_dh; - } - } - -- switch (keylength) { ++ } ++ } ++ + /* Still no DH parameters found? Use the built-in ones. */ + + if (keylen < TLS_DH_MIN_LEN) { 
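Review bot: The new `if (tls_tmp_dhs == NULL)` guard in the `@@ -84,13 +84,17 @@` hunk of proftpd-mod_tls-bug3868.patch carries no comment saying when the list can still be unset, and the existing "Add this DH to the list" comment now sits above the allocation rather than the `push_array` call. A line such as `/* The list may not have been created at session init (presumably when no TLSDHParamFile was loaded); create it on first use. */` above the guard would record why it is needed, though the condition is inferred from the `tls_sess_init` hunk header because its body is not shown. The array is taken from `session.pool` while the entries are released in `tls_cleanup()`, whose body is also outside the visible lines, so it is worth confirming that `tls_cleanup()` resets `tls_tmp_dhs` to NULL after freeing; otherwise a later call would skip this guard and push onto a stale array. `tls_dh_cb()` starts and ends outside the hunk, and the refreshed context in proftpd-mod_tls-bug4230.patch carries the same guard, so the comment would need to be mirrored there.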
@@ -168,9 +167,10 @@ + "requested key length %d less than %d bits, using %d " + "(see AllowWeakDH TLSOption)", keylen, TLS_DH_MIN_LEN, TLS_DH_MIN_LEN); + keylen = TLS_DH_MIN_LEN; -+ } -+ } -+ + } + } + +- switch (keylength) { + if (use_pkeylen) { + keylen = pkeylen; + } @@ -179,7 +179,7 @@ case 512: dh = get_dh512(); break; -@@ -1979,28 +2104,29 @@ static DH *tls_dh_cb(SSL *ssl, int is_ex +@@ -1979,25 +2104,27 @@ static DH *tls_dh_cb(SSL *ssl, int is_ex dh = get_dh768(); break; @@ -222,12 +222,9 @@ + pr_trace_msg(trace_channel, 11, "using builtin DH for %d bits", keylen); + /* Add this DH to the list, so that it can be freed properly later. */ - *((DH **) push_array(tls_tmp_dhs)) = dh; -- - return dh; - } - -@@ -6306,6 +6432,9 @@ MODRET set_tlsoptions(cmd_rec *cmd) { + if (tls_tmp_dhs == NULL) { + tls_tmp_dhs = make_array(session.pool, 1, sizeof(DH *)); +@@ -6310,6 +6437,9 @@ MODRET set_tlsoptions(cmd_rec *cmd) { strcmp(cmd->argv[i], "AllowClientRenegotiations") == 0) { opts |= TLS_OPT_ALLOW_CLIENT_RENEGOTIATIONS; diff --git a/proftpd.spec b/proftpd.spec index bc3303d..5b95054 100644 --- a/proftpd.spec +++ b/proftpd.spec @@ -6,8 +6,7 @@ %global pkidir %{_datadir}/ssl %endif -#global prever rc4 -%global rpmrel 5 +%global rpmrel 6 Summary: Flexible, stable and highly-configurable FTP server Name: proftpd @@ -112,6 +111,7 @@ mv contrib/README contrib/README.contrib # Bug#3868: Only first DH param in TLSDHParamFile is used, regardless of requested keylength # https://github.com/proftpd/proftpd/commit/888f7c27 +# https://github.com/proftpd/proftpd/commit/8bd9bdae %patch7 # Bug#4230: TLSDHParamFile directive appears ignored because unexpected DH is chosen 
@@ -308,6 +308,9 @@ fi %{_libexecdir}/proftpd/mod_sql_postgres.so %changelog +* Thu Jun 2 2016 Paul Howarth - 1.3.3g-6 +- Additional tweak (to avoid null pointer dereference) for upstream bug 3868 + * Mon Mar 14 2016 Paul Howarth - 1.3.3g-5 - Fix for CVE-2016-3125: usage of 1024 bit DH key even with manual parameters set (http://bugs.proftpd.org/show_bug.cgi?id=4230)