[Secure-testing-team] Re: proftpd, low impact DoS bug

Francesco P. Lovergine frankie at debian.org
Wed Nov 29 09:53:10 CET 2006


CC proftpd secteam...

On Tue, Nov 28, 2006 at 10:43:52PM +0100, Moritz Muehlenhoff wrote:
> Francesco P. Lovergine wrote:
> > we need to properly fix the issue, a wrong patch was around (basically
> > the same 'fixed' by other vendors) so I'm preparing both a sid and sarge
> > package...
> 
> We have two different issues here:
> A denial of service vulnerability discovered by Ralf Engelschall. That's
> what we've fixed so far. It's tracked as CVE-2006-5815 by several
> distributions by now. Although it's not suitable for code injection, it's
> still a DoS vulnerability.
> 
> The sreplace() issue. I'm seeing that mod_tls is referenced in the
> debian/rules as EXTRAMODS, getting linked in the pam target. Does this
> mean mod_tls support is enabled in the stock 1.2 package from Sarge?
> 
> Cheers,
>         Moritz

AFAIK we currently have 3 different issues, indeed. CVE-2006-5815 apparently
points to the CommandBuffer issue. John M. of the proftpd team told me
the true issue is the sreplace() one, which is not pointed to by that
report (as explained in the proftpd advisory), so probably at least 2 issues
lack Mitre numbering. The current sid -15 version fixes both CommandBuffer
and sreplace(). The last new issue is due to memcpy() in mod_tls, which
is enabled by default in 1.2.10+ (but used only for ftps connections).
At this time there is no official patch (even if it's trivial, at
least pre-checking datalen in the code).

A fixed 1.2.10 version for sarge is in preparation with complete fixes,
but it lacks the very last one (as does the sid version). I would upload the
sarge version after also fixing the last issue.

AFAIK the most complete status is shown in Secunia, but we need
a couple of new Mitre refs, could you please obtain them ASAP?

Could anyone from the proftpd team please update us, if required, about
the current status? Thanks

-- 
Francesco P. Lovergine