Bug#760557: pu: package proftpd-dfsg/1.3.4a-5+deb7u1
Package: release.debian.org
Severity: wishlist
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: wheezy
X-Debbugs-CC: proftpd-dfsg@packages.debian.org
Hi,
I'd like to fix #738067 in stable, which is a crash in ProFTPD's SFTP
module with larger files. The fix is trivial - two instances of memcpy
become memmove (yay overlapping regions); a debdiff is attached.
We've been running packages containing the fix at $dayjob for a few
months with no issues.
I've mentioned the fix to the maintainers a few times, at least once on
IRC and via the BTS and @packages.d.o but not received a {,n}ack. I've
X-Debbugs-CCed them in case they wish to comment.
Regards,
Adam
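The overlapping-buffer case the report describes (leftover packet data put back into the same buffer at a different offset), as an added C example that is not part of ProFTPD or of this debdiff; `pkt_buf`, `pkt_buf_append`, `pkt_buf_consume` and `regions_overlap` are constructed names and the buffer is a simplified model of the `curr_buf` handling in fxp.c, not the real code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model of the mod_sftp unconsumed-packet buffer.  Incoming SSH2
 * data is appended; once a complete SFTP packet has been read out, the
 * leftover bytes are put back at offset 0 of the same buffer, so the
 * source and destination ranges overlap and only memmove(3) is safe. */
#define BUF_SZ 64

struct pkt_buf {
    unsigned char buf[BUF_SZ];
    size_t len;   /* bytes currently unconsumed */
};

/* 1 when [dst, dst+n) and [src, src+n) overlap, i.e. when memcpy(3) would
 * have undefined behaviour; compared as integers so the check is well defined. */
int regions_overlap(const void *dst, const void *src, size_t n) {
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0) return 0;
    return d < s + n && s < d + n;
}

/* Append received bytes (external memory, so no overlap); -1 if too large. */
int pkt_buf_append(struct pkt_buf *pb, const unsigned char *data, size_t datalen) {
    if (datalen > BUF_SZ - pb->len) return -1;
    memcpy(pb->buf + pb->len, data, datalen);
    pb->len += datalen;
    return 0;
}

/* Drop `consumed` bytes from the front and move the leftover back to offset 0.
 * Returns 1 if that move crossed overlapping regions (the case the fix
 * addresses), 0 if not, -1 if `consumed` exceeds the buffered data. */
int pkt_buf_consume(struct pkt_buf *pb, size_t consumed) {
    if (consumed > pb->len) return -1;
    size_t leftover = pb->len - consumed;
    int overlap = regions_overlap(pb->buf, pb->buf + consumed, leftover);
    memmove(pb->buf, pb->buf + consumed, leftover);  /* memcpy would be UB here */
    pb->len = leftover;
    return overlap;
}

int main(void) {
    struct pkt_buf pb = { {0}, 0 };
    const unsigned char in[] = "AAAABBBBBBCC";   /* constructed sample input */
    pkt_buf_append(&pb, in, 12);
    int overlap = pkt_buf_consume(&pb, 4);       /* one 4-byte "packet" read out */
    printf("overlap=%d leftover=%.*s\n", overlap, (int)pb.len, (const char *)pb.buf);
    return 0;
}
```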
diff -Nru proftpd-dfsg-1.3.4a/debian/changelog proftpd-dfsg-1.3.4a/debian/changelog
--- proftpd-dfsg-1.3.4a/debian/changelog 2013-09-28 17:57:27.000000000 +0100
+++ proftpd-dfsg-1.3.4a/debian/changelog 2014-09-04 15:33:47.000000000 +0100
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.4a-5+deb7u2) wheezy; urgency=low
+
+ * Non-maintainer upload.
+ * Fix SFTP crash with large files (Closes: #738067)
+
+ -- Adam D. Barratt <adam@adam-barratt.org.uk> Thu, 04 Sep 2014 15:33:21 +0100
+
proftpd-dfsg (1.3.4a-5+deb7u1) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
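Review bot: the changelog entry cites only the Debian bug; since the added patch is an upstream CVS change whose comment names the upstream report (Bug#3743), stating that in the entry (e.g. "Fix SFTP crash with large files by backporting upstream fix for Bug#3743 (Closes: #738067)") would make the provenance visible to anyone reading the stable changelog. Distribution (wheezy) and urgency=low are appropriate for a pu upload.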
diff -Nru proftpd-dfsg-1.3.4a/debian/patches/series proftpd-dfsg-1.3.4a/debian/patches/series
--- proftpd-dfsg-1.3.4a/debian/patches/series 2013-09-28 17:46:11.000000000 +0100
+++ proftpd-dfsg-1.3.4a/debian/patches/series 2014-09-04 15:34:45.000000000 +0100
@@ -12,3 +12,4 @@
use_hypen_in_manpage
3841
CVE-2013-4359.patch
+sftp_crash_memmove
diff -Nru proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove
--- proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove 1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove 2014-09-04 15:34:03.000000000 +0100
@@ -0,0 +1,48 @@
+Index: contrib/mod_sftp/fxp.c
+===================================================================
+RCS file: /cvsroot/proftp/proftpd/contrib/mod_sftp/fxp.c,v
+retrieving revision 1.139
+diff -u -r1.139 fxp.c
+--- a/contrib/mod_sftp/fxp.c 15 Feb 2012 22:10:56 -0000 1.139
++++ b/contrib/mod_sftp/fxp.c 15 Feb 2012 22:30:19 -0000
+@@ -2511,7 +2511,18 @@
+ fxp_packet_data_allocsz += sz;
+ }
+
+- memcpy(curr_buf, data, datalen);
++ /* We explicitly want to use memmove(3) here rather than memcpy(3),
++ * since it is possible (and likely) that after reading data out
++ * of this buffer, there will be leftover data which is put back into
++ * the buffer, only at a different offset. This means that the
++ * source and destination pointers CAN overlap; using memcpy(3) would
++ * lead to subtle memory copy issue (e.g. Bug#3743).
++ *
++ * This manifested as hard-to-reproduce SFTP upload/download stalls,
++ * segfaults, etc, due to corrupted memory being read out as
++ * packet lengths and such.
++ */
++ memmove(curr_buf, data, datalen);
+ curr_buflen = datalen;
+
+ return;
+@@ -2556,8 +2567,18 @@
+ }
+ }
+
+- /* Append the SSH2 data to the current unconsumed buffer. */
+- memcpy(curr_buf + curr_buflen, data, datalen);
++ /* We explicitly want to use memmove(3) here rather than memcpy(3),
++ * since it is possible (and likely) that after reading data out
++ * of this buffer, there will be leftover data which is put back into
++ * the buffer, only at a different offset. This means that the
++ * source and destination pointers CAN overlap; using memcpy(3) would
++ * lead to subtle memory copy issue (e.g. Bug#3743).
++ *
++ * This manifested as hard-to-reproduce SFTP upload/download stalls,
++ * segfaults, etc, due to corrupted memory being read out as
++ * packet lengths and such.
++ */
++ memmove(curr_buf + curr_buflen, data, datalen);
+ curr_buflen += datalen;
+ }
+
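Review bot: the new patch file has no DEP-3 header; it starts directly at the Index:/RCS lines, so a Description, Origin: upstream (with the fxp.c revision that the "diff -u -r1.139 fxp.c" header names), Bug: for upstream Bug#3743 and Bug-Debian: #738067 should be added above it. The substantive change is sound: in both hunks the source (`data`) can point into `curr_buf` itself when leftover bytes are re-queued at a different offset, and memcpy(3) has undefined behaviour when source and destination overlap, which matches the corrupted packet lengths and segfaults the comment describes; memmove(3) is the correct replacement, and the hunk line counts (7 to 18, 8 to 18) are consistent with the one removed and twelve added lines in each.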