Gentoo Archives: gentoo-announce

From: Raphael Marichez <falco@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200611-26 ] ProFTPD: Remote execution of arbitrary code
Date: Thu, 30 Nov 2006 23:01:03
Message-Id: 20061130224128.GF27244@falco.falcal.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200611-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: ProFTPD: Remote execution of arbitrary code
Date: November 30, 2006
Bugs: #154650
ID: 200611-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

ProFTPD is affected by multiple vulnerabilities allowing for the remote
execution of arbitrary code.

Background
==========

ProFTPD is a highly-configurable FTP server.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  net-ftp/proftpd       < 1.3.0a                          >= 1.3.0a

Description
===========

Evgeny Legerov discovered a stack-based buffer overflow in the
s_replace() function in support.c, as well as a buffer overflow in
the mod_tls module. Additionally, an off-by-two error related to the
CommandBufferSize configuration directive was reported.

Impact
======

An authenticated attacker could exploit the s_replace() vulnerability
by uploading a crafted .message file or sending specially crafted
commands to the server, possibly resulting in the execution of
arbitrary code with the rights of the user running ProFTPD. An
unauthenticated attacker could send specially crafted data to the
server with mod_tls enabled which could result in the execution of
arbitrary code with the rights of the user running ProFTPD. Finally,
the off-by-two error related to the CommandBufferSize configuration
directive was fixed - exploitability of this error is disputed. Note
that the default configuration on Gentoo is to run ProFTPD as an
unprivileged user, and has mod_tls disabled.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ProFTPD users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/proftpd-1.3.0a"
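As an added example, not part of this advisory nor of Gentoo or ProFTPD tooling, the following Python triage helper checks an installed net-ftp/proftpd version against the 1.3.0a boundary from the table above (using a simplified Portage version ordering) and reads a proftpd.conf for the two mitigating factors the Impact section names: the unprivileged daemon user and whether mod_tls is enabled. It assumes mod_tls is switched on with the TLSEngine directive, and the sample configuration it ships with is constructed.

```python
import re

FIXED_VERSION = "1.3.0a"   # "Unaffected" column of GLSA 200611-26
# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (none) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)([a-z]?)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?")

def parse_version(ver):
    """Gentoo-style version ('1.3.0a', '1.3.0_rc5-r1') -> tuple sorting as
    Portage orders it (simplified grammar, enough for the 1.3.0 line)."""
    m = _VERSION_RE.fullmatch(ver)
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    nums, letter, suffix, suffix_num, rev = m.groups()
    return (tuple(int(x) for x in nums.split(".")),
            ord(letter) - ord("a") + 1 if letter else 0,  # 1.3.0 < 1.3.0a
            _SUFFIX_RANK[suffix or ""], int(suffix_num or 0), int(rev or 0))

def is_vulnerable(installed):
    return parse_version(installed) < parse_version(FIXED_VERSION)

def config_mitigations(conf_text):
    """Read the two mitigating factors from the Impact section out of a
    proftpd.conf: the 'User' the daemon drops to and whether mod_tls is on.
    Assumption: mod_tls is enabled by 'TLSEngine on'; file is scanned flat."""
    runs_as, tls_on = None, False
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments/blanks
        if not parts:
            continue
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "user":
            runs_as = val
        elif key == "tlsengine":
            tls_on = val.lower() == "on"
    return {"runs_as": runs_as, "mod_tls_enabled": tls_on}

def triage(installed, conf_text):
    """Unauthenticated exposure needs a vulnerable version AND mod_tls on."""
    facts = config_mitigations(conf_text)
    facts["vulnerable"] = is_vulnerable(installed)
    facts["unauth_exposure"] = facts["vulnerable"] and facts["mod_tls_enabled"]
    return facts

# Constructed sample proftpd.conf (not from the advisory): unprivileged user
# as on Gentoo, but with mod_tls switched on.
SAMPLE_CONF = ("User proftpd\nGroup proftpd\nCommandBufferSize 512\n"
               "<IfModule mod_tls.c>\n  TLSEngine on\n</IfModule>\n")
```

Run triage("1.3.0", SAMPLE_CONF) to see both the authenticated s_replace() path and the unauthenticated mod_tls path flagged; with the version at 1.3.0a or TLSEngine off the latter clears.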

References
==========

[ 1 ] CVE-2006-5815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
[ 2 ] CVE-2006-6170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6170
[ 3 ] CVE-2006-6171 (disputed)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200611-26.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5