Hi, I sent this a week or two ago, with no reply, trying again:
----------
Nico Golde suggested I prepare a package of linux-ftpd-ssl for a stable point release, fixing CVE-2008-4247, as it doesn't warrant a DSA.
SRMs, is the patch below OK? Are DMs allowed to upload to stable? If not, can someone sponsor the upload, package at:
http://erislabs.net/ianb/debian/linux-ftpd-ssl_0.17.18+0.3-6etch1.dsc
thanks,
Ian
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/debian/changelog linux-ftpd-ssl-0.17.18+0.3-6etch1/debian/changelog
--- linux-ftpd-ssl-0.17.18+0.3-6/debian/changelog	2008-12-06 17:56:10.000000000 +0000
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/debian/changelog	2008-12-07 23:48:44.000000000 +0000
@@ -1,3 +1,10 @@
+linux-ftpd-ssl (0.17.18+0.3-6etch1) stable; urgency=low
+
+  * Fix CVE-2008-4247, a cross-site request forgery caused by splitting
+    long command lines (Closes: #500518).
+
+ -- Ian Beckwith <ianb@erislabs.net>  Sun, 07 Dec 2008 23:48:44 +0000
+
 linux-ftpd-ssl (0.17.18+0.3-6) unstable; urgency=low
 
   * Move the certificate file to /etc/ftpd-ssl. Patch from James Westby
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/ftpd/extern.h linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/extern.h
--- linux-ftpd-ssl-0.17.18+0.3-6/ftpd/extern.h	1999-07-16 02:12:54.000000000 +0100
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/extern.h	2008-10-16 23:16:45.000000000 +0100
@@ -43,7 +43,7 @@
 void fatal __P((const char *));
 int ftpd_pclose __P((FILE *));
 FILE *ftpd_popen __P((char *, const char *));
-char *ftpd_getline __P((char *, int, FILE *));
+int ftpd_getline __P((char *, int, FILE *));
 void ftpdlogwtmp __P((const char *, const char *, const char *));
 void lreply __P((int, const char *, ...));
 void makedir __P((char *));
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpcmd.y linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpcmd.y
--- linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpcmd.y	2008-12-06 17:56:10.000000000 +0000
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpcmd.y	2008-10-16 23:16:45.000000000 +0100
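Review bot: The new `int ftpd_getline` prototype in extern.h gives a caller no way to learn what the integer means, and the three values the ftpcmd.y definition now returns (0 for a line read, -1 for EOF with nothing read, -2 for a line longer than n bytes whose remainder has been consumed) are only discoverable by reading the function body. A one-line contract above the prototype would fix that, e.g. `/* Returns 0 on success, -1 on EOF before any input, -2 if the line exceeded n bytes (rest of line discarded, s not NUL-terminated). */`. The same contract belongs in the header comment of the definition in ftpcmd.y, which the hunk at -980 touches.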
@@ -980,7 +980,7 @@
 /*
  * getline - a hacked up version of fgets to ignore TELNET escape codes.
  */
-char * ftpd_getline(char *s, int n, FILE *iop)
+int ftpd_getline(char *s, int n, FILE *iop)
 {
 	int c;
 	register char *cs;
@@ -995,7 +995,7 @@
 			if (debug)
 				syslog(LOG_FTP | LOG_DEBUG, "command: %s", s);
 			tmpline[0] = '\0';
-			return(s);
+			return(0);
 		}
 		if (c == 0)
 			tmpline[0] = '\0';
@@ -1037,11 +1037,22 @@
 			}
 		}
 		*cs++ = c;
-		if (--n <= 0 || c == '\n')
+		if (--n <= 0) {
+			/*
+			 * If command doesn't fit into buffer, discard the
+			 * rest of the command and indicate truncation.
+			 * This prevents the command to be split up into
+			 * multiple commands.
+			 */
+			while (c != '\n' && (c = GETC(iop)) != EOF)
+				;
+			return (-2);
+		}
+		if (c == '\n')
 			break;
 	}
 	if (c == EOF && cs == s)
-		return (NULL);
+		return (-1);
 	*cs++ = '\0';
 	if (debug) {
 		if (!guest && strncasecmp("pass ", s, 5) == 0) {
@@ -1061,7 +1072,7 @@
 			syslog(LOG_FTP | LOG_DEBUG, "command: %.*s", len, s);
 		}
 	}
-	return (s);
+	return (0);
 }
 
 void toolong(int signo)
@@ -1090,9 +1101,14 @@
 	case CMD:
 		(void) signal(SIGALRM, toolong);
 		(void) alarm((unsigned) timeout);
-		if (ftpd_getline(cbuf, sizeof(cbuf)-1, stdin)==NULL) {
-			reply(221, "You could at least say goodbye.");
-			dologout(0);
+		n=ftpd_getline(cbuf, sizeof(cbuf)-1, stdin);
+		if (n == -1) {
+			reply(221, "You could at least say goodbye.");
+			dologout(0);
+		} else if (n == -2) {
+			reply(500, "Command too long.");
+			alarm(0);
+			continue;
 		}
 		(void) alarm(0);
 		if ((cp = strchr(cbuf, '\r'))) {
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpd.c linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpd.c
--- linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpd.c	2008-12-06 17:56:10.000000000 +0000
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpd.c	2008-10-16 23:16:45.000000000 +0100
@@ -2576,6 +2576,7 @@
 static void myoob(int signo)
 {
 	char *cp;
+	int ret;
 	int save_errno = errno;
 
 	(void)signo;
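Review bot: The new truncation branch in the -1037 hunk returns -2 straight after `*cs++ = c;`, before the `*cs++ = '\0';` that follows the loop, so on that path `s` holds n bytes with no terminator; both callers in this patch drop the buffer on -2, but nothing at the function says they must, and a future caller that logs or inspects `s` would run off the end. The drain loop `while (c != '\n' && (c = GETC(iop)) != EOF)` also reads bytes directly, without the TELNET escape handling the main loop applies above the hunk, which is presumably acceptable for a line that is being thrown away but deserves a word in the comment. I would extend the added comment with a line such as `* Note: s is not NUL-terminated when -2 is returned; the caller must not use it.` and state the 0/-1/-2 return values in the header comment above the definition (the -980 hunk).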
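Review bot: In the -1090 hunk the new `alarm(0);` on the `n == -2` branch drops the `(void)` cast that the surrounding code uses for every alarm() and signal() call, and `n=ftpd_getline(...)` lacks the spacing used elsewhere; `(void) alarm(0);` and `n = ftpd_getline(cbuf, sizeof(cbuf)-1, stdin);` would match the file. The hunk relies on `n` already being declared in yylex, whose declarations are outside the hunk — worth confirming rather than assuming. Replying 500 for an over-long line is the RFC 959 code for this condition, so the behaviour itself looks right.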
@@ -2584,9 +2585,13 @@
 	if (!transflag)
 		return;
 	cp = tmpline;
-	if (ftpd_getline(cp, 7, stdin) == NULL) {
+	ret=ftpd_getline(cp, 7, stdin);
+	if (ret == -1) {
 		reply(221, "You could at least say goodbye.");
 		dologout(0);
+	} else if (ret == -2) {
+		/* Ignore truncated command */
+		return;
 	}
 	upper(cp);
 	if (strcmp(cp, "ABOR\r\n") == 0) {
-- 
Ian Beckwith - ianb@erislabs.net - http://erislabs.net/ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5 4814 40EC C154 A8BA C1EA
Listening to: Beck - Sea Change - Guess I'm Doing Fine
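Review bot: The new `ret == -2` branch returns with tmpline still holding the bytes ftpd_getline stored before it gave up and no terminator, because -2 is returned ahead of the `*cs++ = '\0'` in ftpcmd.y; ftpd_getline's replay path (visible in the -995 hunk, which copies tmpline until it finds '\0' and clears tmpline[0]) will then hand those stale bytes, and whatever follows them up to a NUL, to the next command read instead of ignoring the command as the comment intends. Clearing the buffer before returning avoids that: `} else if (ret == -2) { tmpline[0] = '\0'; return; }`. If save_errno is written back at the end of myoob, outside this hunk, the new early return also skips that restore, as the existing `if (!transflag) return;` already does. ftpd_getline is passed 7 here while the main loop passes `sizeof(cbuf)-1`, so whether `*cs` may be terminated on the -2 path inside ftpd_getline depends on tmpline's declared size, which is not in the patch.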