1 |
hoffie 08/11/06 12:54:07 |
2 |
|
3 |
Added: proftpd-1.3.2_rc2-CVE-2008-4242.patch |
4 |
Log: |
5 |
version bump and patch for security bug 238762 (CVE-2008-4242); this bump has been done due to lack of maintainer activity, as noted in the security handling policy; also fixes bug 238288 and bug 238691 |
6 |
(Portage version: 2.2_rc13/cvs/Linux 2.6.27-gentoo x86_64) |
7 |
|
8 |
Revision Changes Path |
9 |
1.1 net-ftp/proftpd/files/proftpd-1.3.2_rc2-CVE-2008-4242.patch |
10 |
|
11 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-ftp/proftpd/files/proftpd-1.3.2_rc2-CVE-2008-4242.patch?rev=1.1&view=markup |
12 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-ftp/proftpd/files/proftpd-1.3.2_rc2-CVE-2008-4242.patch?rev=1.1&content-type=text/plain |
13 |
|
14 |
Index: proftpd-1.3.2_rc2-CVE-2008-4242.patch |
15 |
=================================================================== |
16 |
This fixes CVE-2008-4242 (Gentoo bug 238762) |
17 |
Source: http://bugs.proftpd.org/show_bug.cgi?id=3115 |
18 |
|
19 |
Index: src/main.c |
20 |
=================================================================== |
21 |
RCS file: /cvsroot/proftp/proftpd/src/main.c,v |
22 |
retrieving revision 1.344 |
23 |
diff -u -r1.344 main.c |
24 |
--- src/main.c 8 Sep 2008 00:47:11 -0000 1.344 |
25 |
+++ src/main.c 20 Sep 2008 20:10:49 -0000 |
26 |
@@ -516,20 +516,32 @@ |
27 |
static long get_max_cmd_len(size_t buflen) { |
28 |
long res; |
29 |
int *bufsz = NULL; |
30 |
+ size_t default_cmd_bufsz; |
31 |
|
32 |
+ /* It's possible for the admin to select a PR_TUNABLE_BUFFER_SIZE which |
33 |
+ * is smaller than PR_DEFAULT_CMD_BUFSZ. We need to handle such cases |
34 |
+ * properly. |
35 |
+ */ |
36 |
+ default_cmd_bufsz = PR_DEFAULT_CMD_BUFSZ; |
37 |
+ if (default_cmd_bufsz > buflen) { |
38 |
+ default_cmd_bufsz = buflen; |
39 |
+ } |
40 |
+ |
41 |
bufsz = get_param_ptr(main_server->conf, "CommandBufferSize", FALSE); |
42 |
if (bufsz == NULL) { |
43 |
- res = PR_DEFAULT_CMD_BUFSZ; |
44 |
+ res = default_cmd_bufsz; |
45 |
|
46 |
} else if (*bufsz <= 0) { |
47 |
pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) given, " |
48 |
- "using default buffer size (%u) instead", *bufsz, PR_DEFAULT_CMD_BUFSZ); |
49 |
- res = PR_DEFAULT_CMD_BUFSZ; |
50 |
+ "using default buffer size (%lu) instead", *bufsz, |
51 |
+ (unsigned long) default_cmd_bufsz); |
52 |
+ res = default_cmd_bufsz; |
53 |
|
54 |
} else if (*bufsz + 1 > buflen) { |
55 |
pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) given, " |
56 |
- "using default buffer size (%u) instead", *bufsz, PR_DEFAULT_CMD_BUFSZ); |
57 |
- res = PR_DEFAULT_CMD_BUFSZ; |
58 |
+ "using default buffer size (%lu) instead", *bufsz, |
59 |
+ (unsigned long) default_cmd_bufsz); |
60 |
+ res = default_cmd_bufsz; |
61 |
|
62 |
} else { |
63 |
pr_log_debug(DEBUG1, "setting CommandBufferSize to %d", *bufsz); |
64 |
@@ -577,11 +589,26 @@ |
65 |
return -1; |
66 |
} |
67 |
|
68 |
- memset(buf, '\0', sizeof(buf)); |
69 |
+ while (TRUE) { |
70 |
+ pr_signals_handle(); |
71 |
|
72 |
- if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm, |
73 |
- session.c->outstrm) == NULL) |
74 |
- return -1; |
75 |
+ memset(buf, '\0', sizeof(buf)); |
76 |
+ |
77 |
+ if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm, |
78 |
+ session.c->outstrm) == NULL) { |
79 |
+ |
80 |
+ if (errno == E2BIG) { |
81 |
+ /* The client sent a too-long command which was ignored; give |
82 |
+ * them another chance? |
83 |
+ */ |
84 |
+ continue; |
85 |
+ } |
86 |
+ |
87 |
+ return -1; |
88 |
+ } |
89 |
+ |
90 |
+ break; |
91 |
+ } |
92 |
|
93 |
if (cmd_bufsz == -1) |
94 |
cmd_bufsz = get_max_cmd_len(sizeof(buf)); |
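Review bot: The retry loop in the src/main.c hunk at @@ -577,11 +589,26 @@ tests `errno == E2BIG` after pr_netio_telnet_gets() returns NULL, but errno is never reset between iterations, and the pre-existing `return NULL;` branch in pr_netio_telnet_gets() (the `} else {` block at @@ -983) does not assign errno itself. If the underlying read reports end-of-stream or another condition without touching errno, a stale E2BIG left over from a just-ignored too-long command would make the loop `continue` forever on a connection that will never deliver another line; what pr_netio_read() leaves in errno is not visible on this page, so this needs confirming against netio.c. Clearing it before each attempt, `errno = 0;` right after the `memset(buf, '\0', sizeof(buf));`, makes the E2BIG check depend only on the current call. The enclosing function starts and ends outside the hunk.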
95 |
Index: src/netio.c |
96 |
=================================================================== |
97 |
RCS file: /cvsroot/proftp/proftpd/src/netio.c,v |
98 |
retrieving revision 1.33 |
99 |
diff -u -r1.33 netio.c |
100 |
--- src/netio.c 3 Apr 2008 03:14:31 -0000 1.33 |
101 |
+++ src/netio.c 20 Sep 2008 20:10:49 -0000 |
102 |
@@ -1,6 +1,6 @@ |
103 |
/* |
104 |
* ProFTPD - FTP server daemon |
105 |
- * Copyright (c) 2001-2007 The ProFTPD Project team |
106 |
+ * Copyright (c) 2001-2008 The ProFTPD Project team |
107 |
* |
108 |
* This program is free software; you can redistribute it and/or modify |
109 |
* it under the terms of the GNU General Public License as published by |
110 |
@@ -30,19 +30,19 @@ |
111 |
#include <signal.h> |
112 |
|
113 |
#ifndef IAC |
114 |
-#define IAC 255 |
115 |
+# define IAC 255 |
116 |
#endif |
117 |
#ifndef DONT |
118 |
-#define DONT 254 |
119 |
+# define DONT 254 |
120 |
#endif |
121 |
#ifndef DO |
122 |
-#define DO 253 |
123 |
+# define DO 253 |
124 |
#endif |
125 |
#ifndef WONT |
126 |
-#define WONT 252 |
127 |
+# define WONT 252 |
128 |
#endif |
129 |
#ifndef WILL |
130 |
-#define WILL 251 |
131 |
+# define WILL 251 |
132 |
#endif |
133 |
|
134 |
static const char *trace_channel = "netio"; |
135 |
@@ -51,6 +51,17 @@ |
136 |
static pr_netio_t *core_data_netio = NULL, *data_netio = NULL; |
137 |
static pr_netio_t *core_othr_netio = NULL, *othr_netio = NULL; |
138 |
|
139 |
+/* Used to track whether the previous text read from the client's control |
140 |
+ * connection was a properly-terminated command. If so, then read in the |
141 |
+ * next/current text as per normal. If NOT (e.g. the client sent a too-long |
142 |
+ * command), then read in the next/current text, but ignore it. Only clear |
143 |
+ * this flag if the next/current command can be read as per normal. |
144 |
+ * |
145 |
+ * The pr_netio_telnet_gets() uses this variable, in conjunction with its |
146 |
+ * saw_newline flag, for handling too-long commands from clients. |
147 |
+ */ |
148 |
+static int properly_terminated_prev_command = TRUE; |
149 |
+ |
150 |
static pr_netio_stream_t *netio_stream_alloc(pool *parent_pool) { |
151 |
pool *netio_pool = NULL; |
152 |
pr_netio_stream_t *nstrm = NULL; |
153 |
@@ -950,7 +961,7 @@ |
154 |
char *bp = buf; |
155 |
unsigned char cp; |
156 |
static unsigned char mode = 0; |
157 |
- int toread, handle_iac = TRUE; |
158 |
+ int toread, handle_iac = TRUE, saw_newline = FALSE; |
159 |
pr_buffer_t *pbuf = NULL; |
160 |
|
161 |
if (buflen == 0) { |
162 |
@@ -983,8 +994,9 @@ |
163 |
*bp = '\0'; |
164 |
return buf; |
165 |
|
166 |
- } else |
167 |
+ } else { |
168 |
return NULL; |
169 |
+ } |
170 |
} |
171 |
|
172 |
pbuf->remaining = pbuf->buflen - toread; |
173 |
@@ -1049,6 +1061,8 @@ |
174 |
toread--; |
175 |
*bp++ = *pbuf->current++; |
176 |
pbuf->remaining++; |
177 |
+ |
178 |
+ saw_newline = TRUE; |
179 |
break; |
180 |
} |
181 |
|
182 |
@@ -1056,6 +1070,25 @@ |
183 |
pbuf->current = NULL; |
184 |
} |
185 |
|
186 |
+ if (!saw_newline) { |
187 |
+ /* If we haven't seen a newline, then assume the client is deliberately |
188 |
+ * sending a too-long command, trying to exploit buffer sizes and make |
189 |
+ * the server make some possibly bad assumptions. |
190 |
+ */ |
191 |
+ |
192 |
+ properly_terminated_prev_command = FALSE; |
193 |
+ errno = E2BIG; |
194 |
+ return NULL; |
195 |
+ } |
196 |
+ |
197 |
+ if (!properly_terminated_prev_command) { |
198 |
+ properly_terminated_prev_command = TRUE; |
199 |
+ pr_log_pri(PR_LOG_NOTICE, "client sent too-long command, ignoring"); |
200 |
+ errno = E2BIG; |
201 |
+ return NULL; |
202 |
+ } |
203 |
+ |
204 |
+ properly_terminated_prev_command = TRUE; |
205 |
*bp = '\0'; |
206 |
return buf; |
207 |
} |
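Review bot: pr_netio_telnet_gets() now has two distinct NULL returns that callers must tell apart via errno (E2BIG for a discarded over-long line versus a read failure from the earlier `return NULL;` branch at @@ -983), but nothing on the function states this, and the flag it keys on, `properly_terminated_prev_command`, is a file-static shared by every stream the function is called with. A header comment such as `/* Returns NULL with errno = E2BIG when a line exceeded buflen without a newline; that data and the next newline-terminated line are both discarded. Any other NULL return is a stream read error. */` would make the contract explicit for callers. Since the flag is not per-stream, an over-long line read on one stream would cause the next terminated line on any other stream passed here to be dropped; if the control connection is the only caller, as the comment added at @@ -51 suggests, this is harmless, but that assumption should be written down. The PR_LOG_NOTICE line is emitted once per ignored command with no throttling visible in this hunk, so a client can drive log volume at its own send rate unless the logging layer limits it.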