Hi,
I sent this a week or two ago, with no reply, trying again:
----------
Nico Golde suggested I prepare a package of linux-ftpd-ssl for a
stable point release, fixing CVE-2008-4247, as it doesn't warrant
a DSA.
SRMs, is the patch below OK?
Are DMs allowed to upload to stable? If not, could someone sponsor the upload?
The package is at:
http://erislabs.net/ianb/debian/linux-ftpd-ssl_0.17.18+0.3-6etch1.dsc
thanks,
Ian
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/debian/changelog linux-ftpd-ssl-0.17.18+0.3-6etch1/debian/changelog
--- linux-ftpd-ssl-0.17.18+0.3-6/debian/changelog 2008-12-06 17:56:10.000000000 +0000
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/debian/changelog 2008-12-07 23:48:44.000000000 +0000
@@ -1,3 +1,10 @@
+linux-ftpd-ssl (0.17.18+0.3-6etch1) stable; urgency=low
+
+ * Fix CVE-2008-4247, a cross-site request forgery caused by splitting
+ long command lines (Closes: #500518).
+
+ -- Ian Beckwith <ianb@erislabs.net> Sun, 07 Dec 2008 23:48:44 +0000
+
linux-ftpd-ssl (0.17.18+0.3-6) unstable; urgency=low
* Move the certificate file to /etc/ftpd-ssl. Patch from James Westby
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/ftpd/extern.h linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/extern.h
--- linux-ftpd-ssl-0.17.18+0.3-6/ftpd/extern.h 1999-07-16 02:12:54.000000000 +0100
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/extern.h 2008-10-16 23:16:45.000000000 +0100
@@ -43,7 +43,7 @@
void fatal __P((const char *));
int ftpd_pclose __P((FILE *));
FILE *ftpd_popen __P((char *, const char *));
-char *ftpd_getline __P((char *, int, FILE *));
+int ftpd_getline __P((char *, int, FILE *));
void ftpdlogwtmp __P((const char *, const char *, const char *));
void lreply __P((int, const char *, ...));
void makedir __P((char *));
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpcmd.y linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpcmd.y
--- linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpcmd.y 2008-12-06 17:56:10.000000000 +0000
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpcmd.y 2008-10-16 23:16:45.000000000 +0100
@@ -980,7 +980,7 @@
/*
* getline - a hacked up version of fgets to ignore TELNET escape codes.
*/
-char * ftpd_getline(char *s, int n, FILE *iop)
+int ftpd_getline(char *s, int n, FILE *iop)
{
int c;
register char *cs;
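Review bot: The header comment above ftpd_getline still describes it as "a hacked up version of fgets", which implies it returns the buffer, while the new signature returns an int whose meaning is only discoverable from the callers later in this patch. The comment should state the new contract, e.g. `* Returns 0 when a line was read, -1 on EOF with nothing read, and -2 when the command did not fit in n bytes (the rest of the line is discarded).` ftpd_getline's body continues past this hunk.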
@@ -995,7 +995,7 @@
if (debug)
syslog(LOG_FTP | LOG_DEBUG, "command: %s", s);
tmpline[0] = '\0';
- return(s);
+ return(0);
}
if (c == 0)
tmpline[0] = '\0';
@@ -1037,11 +1037,22 @@
}
}
*cs++ = c;
- if (--n <= 0 || c == '\n')
+ if (--n <= 0) {
+ /*
+ * If command doesn't fit into buffer, discard the
+ * rest of the command and indicate truncation.
+ * This prevents the command to be split up into
+ * multiple commands.
+ */
+ while (c != '\n' && (c = GETC(iop)) != EOF)
+ ;
+ return (-2);
+ }
+ if (c == '\n')
break;
}
if (c == EOF && cs == s)
- return (NULL);
+ return (-1);
*cs++ = '\0';
if (debug) {
if (!guest && strncasecmp("pass ", s, 5) == 0) {
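Review bot: The truncation path that ends in `return (-2);` leaves the caller's buffer without a NUL terminator, because the `*cs++ = '\0';` after the loop is skipped. Both callers in this patch discard the buffer on -2, so this is harmless as written, but the myoob caller in ftpd.c passes tmpline, which ftpd_getline itself inspects on its next call, so the unterminated contents can outlive this return. Writing `*s = '\0';` before `return (-2);` keeps the contract safe for any caller at no cost. Note also that if the drain loop hits EOF, -2 is still reported and the `c == EOF && cs == s` test below never sees it; that is acceptable, but worth a comment.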
@@ -1061,7 +1072,7 @@
syslog(LOG_FTP | LOG_DEBUG, "command: %.*s", len, s);
}
}
- return (s);
+ return (0);
}
void toolong(int signo)
@@ -1090,9 +1101,14 @@
case CMD:
(void) signal(SIGALRM, toolong);
(void) alarm((unsigned) timeout);
- if (ftpd_getline(cbuf, sizeof(cbuf)-1, stdin)==NULL) {
- reply(221, "You could at least say goodbye.");
- dologout(0);
+ n=ftpd_getline(cbuf, sizeof(cbuf)-1, stdin);
+ if (n == -1) {
+ reply(221, "You could at least say goodbye.");
+ dologout(0);
+ } else if (n == -2) {
+ reply(500, "Command too long.");
+ alarm(0);
+ continue;
}
(void) alarm(0);
if ((cp = strchr(cbuf, '\r'))) {
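Review bot: `n=ftpd_getline(cbuf, sizeof(cbuf)-1, stdin);` drops the spaces the surrounding code uses around `=` (compare `cp = strchr(cbuf, '\r')` two lines below); `n = ftpd_getline(cbuf, sizeof(cbuf)-1, stdin);` would match, and the same applies to `ret=ftpd_getline(cp, 7, stdin);` in the ftpd.c hunk. The bare -1 and -2 are compared in two files now; a pair of named constants next to the ftpd_getline prototype in extern.h would keep the callers in sync. `n` is presumably declared earlier in yylex, outside this hunk.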
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpd.c linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpd.c
--- linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpd.c 2008-12-06 17:56:10.000000000 +0000
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpd.c 2008-10-16 23:16:45.000000000 +0100
@@ -2576,6 +2576,7 @@
static void myoob(int signo)
{
char *cp;
+ int ret;
int save_errno = errno;
(void)signo;
@@ -2584,9 +2585,13 @@
if (!transflag)
return;
cp = tmpline;
- if (ftpd_getline(cp, 7, stdin) == NULL) {
+ ret=ftpd_getline(cp, 7, stdin);
+ if (ret == -1) {
reply(221, "You could at least say goodbye.");
dologout(0);
+ } else if (ret == -2) {
+ /* Ignore truncated command */
+ return;
}
upper(cp);
if (strcmp(cp, "ABOR\r\n") == 0) {
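Review bot: On the -2 branch myoob returns with tmpline still holding the truncated bytes, and ftpd_getline appears to treat a non-empty tmpline as a pending command on its next call (the earlier ftpcmd.y hunk clears `tmpline[0]` only on that path), so a truncated out-of-band command is not actually ignored but can be picked up by the next read. Clearing it before leaving, `tmpline[0] = '\0';` above the `return;`, closes that window. The enclosing myoob body continues past this hunk.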
--
Ian Beckwith - ianb@erislabs.net - http://erislabs.net/ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5 4814 40EC C154 A8BA C1EA
Listening to: Beck - Sea Change - Guess I'm Doing Fine