- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package proftpd-dfsg/1.3.6-4+deb10u3
- From: Hilmar Preusse <hille42@web.de>
- Date: Tue, 10 Dec 2019 23:48:00 +0100
- Message-id: <157601808012.18495.4019902221521967854.reportbug@sid.showcase.amasol.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
the attached debdiff fixes the issues
#946345 proftpd-dfsg: CVE-2019-19269
#946346 proftpd-dfsg: CVE-2019-19270
...for Debian buster. I built/installed the package on Debian stable
and could log in to the server and transfer files.
Hilmar
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 5.3.0-3-686-pae (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru proftpd-dfsg-1.3.6/debian/changelog proftpd-dfsg-1.3.6/debian/changelog
--- proftpd-dfsg-1.3.6/debian/changelog 2019-10-23 16:22:38.000000000 +0200
+++ proftpd-dfsg-1.3.6/debian/changelog 2019-12-08 16:19:57.000000000 +0100
@@ -1,3 +1,12 @@
+proftpd-dfsg (1.3.6-4+deb10u3) buster-security; urgency=medium
+
+ * Cherry pick patch from upstream:
+ - for upstream 861 (CVE-2019-19269) (Closes: #946345)
+ - for upstream 859 (CVE-2019-19270) (Closes: #946346)
+ upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
+
+ -- Hilmar Preusse <hille42@web.de> Sun, 08 Dec 2019 16:19:57 +0100
+
proftpd-dfsg (1.3.6-4+deb10u2) buster-security; urgency=medium
* Add patch from upstream to address CVE-2019-18217.
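Review bot: the changelog entry targets the wrong distribution for a pu request: the new stanza says `buster-security; urgency=medium`, but this bug is filed as buster-pu, and a stable proposed update should be uploaded with distribution `buster` (only security-team uploads use `buster-security`). Also, the bare line `upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269` sits outside any bullet, so it reads as a stray token in the changelog; either fold it into the bullet ("Cherry-pick upstream patch upstream_pull_859_861_... to fix ...") or drop it, since the patch name is already recorded in debian/patches/series. Minor: "Cherry pick patch" should be singular, consistent with the single file added below.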
diff -Nru proftpd-dfsg-1.3.6/debian/patches/series proftpd-dfsg-1.3.6/debian/patches/series
--- proftpd-dfsg-1.3.6/debian/patches/series 2019-10-23 16:22:38.000000000 +0200
+++ proftpd-dfsg-1.3.6/debian/patches/series 2019-12-08 16:19:57.000000000 +0100
@@ -19,3 +19,4 @@
github_pr_594
CVE-2019-12815.patch
bug_846_CVE-2019-18217.patch
+upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
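Review bot: the new patch name lacks the `.patch` suffix that the neighbouring entries (`CVE-2019-12815.patch`, `bug_846_CVE-2019-18217.patch`) use, so the naming within series is now inconsistent; consider `upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269.patch`. While renaming, it would also help future maintainers if the patch carried DEP-3 `Origin:` and `Bug-Debian:` headers pointing at the upstream commit (81cc5dce4fc0285629a1b08a07a109af10c208dd) and at #946345/#946346, in addition to the git `From:`/`Subject:` lines it already has.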
diff -Nru proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
--- proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 2019-12-08 16:19:57.000000000 +0100
@@ -0,0 +1,35 @@
+From 81cc5dce4fc0285629a1b08a07a109af10c208dd Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj@castaglia.org>
+Date: Sun, 24 Nov 2019 14:03:54 -0800
+Subject: [PATCH] Issue #859, #861: Fix handling of CRL lookups by properly
+ using issuer for lookups, and guarding against null pointers.
+
+---
+ contrib/mod_tls.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- proftpd-dfsg.orig/contrib/mod_tls.c
++++ proftpd-dfsg/contrib/mod_tls.c
+@@ -8968,10 +8968,10 @@
+
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+ !defined(HAVE_LIBRESSL)
+- crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
++ crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
+ #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+ !defined(HAVE_LIBRESSL)
+- crls = X509_STORE_get1_crls(store_ctx, subject);
++ crls = X509_STORE_get1_crls(store_ctx, issuer);
+ #else
+ /* Your OpenSSL is before 1.0.0. You really need to upgrade. */
+ crls = NULL;
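Review bot: the substantive fix in this hunk is keying the CRL lookup on `issuer` instead of `subject`. A CRL is issued and signed by the CA that issued the certificate being checked, so `X509_STORE_CTX_get1_crls()` / `X509_STORE_get1_crls()` must be searched by the issuer name; with `subject` the lookup could never match the CRL for a presented client certificate, which is why revoked certificates were not rejected (CVE-2019-19269/19270 as referenced in the changelog). Two things worth confirming outside the visible lines: that `issuer` is guaranteed non-NULL at this point (it is taken from the certificate earlier in the function, not shown here), and that the stack returned by the `get1` variants is released with `sk_X509_CRL_pop_free()` after the loop, since `get1` hands ownership to the caller. Also note the `#else` branch still sets `crls = NULL`, i.e. on OpenSSL older than 1.0.0 CRL checking is silently disabled rather than failing closed; not a regression from this patch, but worth a log line so operators notice.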
+@@ -8990,6 +8990,9 @@
+ ASN1_INTEGER *sn;
+
+ revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
++ if (revoked == NULL) {
++ continue;
++ }
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+ !defined(HAVE_LIBRESSL)
+ sn = X509_REVOKED_get0_serialNumber(revoked);
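Review bot: the added `if (revoked == NULL) { continue; }` guards the immediately following `X509_REVOKED_get0_serialNumber(revoked)` against a NULL dereference when `sk_X509_REVOKED_value()` returns NULL, which closes the crash path; however, a silent `continue` skips the entry with no diagnostic. A `pr_trace_msg()` or `tls_log()` line at that point would let administrators see that a malformed CRL entry was ignored rather than fail open without a trace. The loop bound over `j` is not in the hunk; please confirm it copes with `X509_CRL_get_REVOKED(crl)` returning NULL for a CRL that has no revoked entries (in OpenSSL `sk_num(NULL)` returns -1, so a `j < sk_X509_REVOKED_num(...)` bound is safe, but an unsigned comparison would not be).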