Re: Security update: proftpd-dfsg 1.3.1-17

To: "Francesco P. Lovergine" <frankie@debian.org>
Cc: debian-release@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Security update: proftpd-dfsg 1.3.1-17
From: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Fri, 6 Feb 2009 08:14:47 -0500
Message-id: <200902060814.48122.steffen.joeris@skolelinux.de>
In-reply-to: <20090206124616.GD29296@mithrandir>
References: <alpine.DEB.2.00.0902052323170.6543@hydride.iit.edu> <20090206124616.GD29296@mithrandir>

Hi Francesco

Thanks for informing us.
> I just uploaded a new version of proftpd-dfsg on sid fixing a recently
> discovered security issue. After some discussion with TJ (proftpd PM)
> The problem is not of interest for 1.3.0 (etch version) because it lacks
> relevant code present in successive versions. At the same time, I found
> a libtool-related problem due to an uncomplete cleaning of working
> files, which causes a FTBS in 1.3.1-16 with current libtool.
>
> Relevant changelog:
>
> proftpd-dfsg (1.3.1-17) unstable; urgency=high
> .
>  * Security: added 3173.dpatch patch to manage a critical
> encoding-dependent SQL injection with SQL-based authentication.
>    See http://bugs.proftpd.org/show_bug.cgi?id=3173. This is fixed in
> 1.3.2. Thanks TJ for backported patch.
>  * Now debian/rules removes at cleaning time a couple of .la files
>    under contrib/ still around after building. This fixes a recently
> discovered FTBS error due to those files.
>
> Cheers.
>
> PS: No CVE code is assigned at my knowledge at this time.
I am not sure that the issue really exists. Since upstream quotes similar CVE 
ids, I know that for mod-auth-mysql to be exploitable, it had to be possible 
to specify the client encoding. Same goes for courier-authlib, which had a 
similar issue. So there was some code present already, which could be used to 
set the client encoding to some multibyte encoding, like GBK.
After a quick glance, I don't see this code in current proftpd-dfsg. However, 
I only checked the two sql mod files. Could you check as well and point me to 
the code that makes it possible to set the client encoding?
Also, do you have a possible exploit, which you could email us in a private 
mail?
If this issue is really present, then note that upstream uses PQescapeString() 
instead of PQescapeStringConn(). The former being deprecated[0], because 
afaik it does not honour the encoding of the connection. This would most 
likely make the fix for postgresql incomplete.

Cheers
Steffen

[0]: http://www.postgresql.org/docs/7.4/static/libpq-exec.html

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Follow-Ups:
- Re: Security update: proftpd-dfsg 1.3.1-17
  - From: "Francesco P. Lovergine" <frankie@debian.org>

References:
- Requesting a freeze exception for gpib
  - From: Carlo Segre <segre@iit.edu>
- Security update: proftpd-dfsg 1.3.1-17
  - From: "Francesco P. Lovergine" <frankie@debian.org>

Prev by Date: Re: mdadm 2.6.7.2-1 uploaded, please unblock
Next by Date: Re: new upstream gEDA bug fix release
Previous by thread: Security update: proftpd-dfsg 1.3.1-17
Next by thread: Re: Security update: proftpd-dfsg 1.3.1-17
Index(es):
- Date
- Thread