--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Dear all,
the SSL-enhanced FTP server built from linux-ftpd-ssl
was recently uncovered to produce a denial of service,
as was demonstrated in #788331. The package has been
updated in testing and unstable, but since the error
is present ever since at least June, 2010 [sic!],
I would like to propose an update also to the stable
package release. The needed change can be made verbatim
with the alteration to unstable. The corresponding
debdiff output and a description is attached.
Best regards,
Mats Erik Andersson, present maintainer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This proposed change protects against #788331,
which in an identical form has been applied
to version 0.17.35+0.3+2, present in testing.
Observe that the update of the source patch
'debian/patches/500-ssl.diff' is the first
change during five years of time, so the very
same change is applicable to old-old-stable!
The problem is that the present server crashes
when the client asks for a name listing, using
the command 'nl', i.e., NLST, of an empty directory.
The cause is missing code block in the original
patch, which can cause the execution of 'fclose(NULL)'
and a segmentation fault. This results in a denial
of service since the server side executable dies.
diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/changelog linux-ftpd-ssl-0.17.33+0.3/debian/changelog
- --- linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2011-04-20 03:47:23.000000000 +0200
+++ linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2015-06-16 14:00:05.000000000 +0200
@@ -1,3 +1,11 @@
+linux-ftpd-ssl (0.17.33+0.3-1deb8u1) jessie; urgency=medium
+
+ * QA Upload
+ * NLST of empty directory results in segfault.
+ + debian/patches/500-ssl.diff: Updated.
+
+ -- Mats Erik Andersson <mats.andersson@gisladisker.se> Tue, 16 Jun 2015 13:47:15 +0200
+
linux-ftpd-ssl (0.17.33+0.3-1) unstable; urgency=low
* Update to linux-ftpd 0.17-33.
diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff
- --- linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff 2011-04-20 03:47:23.000000000 +0200
+++ linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff 2015-06-16 13:46:42.000000000 +0200
@@ -3,7 +3,7 @@
Origin: ftp://ftp.uni-mainz.de/pub/software/security/ssl/SSL-MZapps/linux-ftpd-0.17+ssl-0.3.diff.gz
Forwarded: not-needed
Author: Tim Hudson <tjh@cryptsoft.com>
- -Last-Update: 2010-06-21
+Last-Update: 2015-06-11
Index: linux-ftpd-ssl/ftpd/Makefile
===================================================================
@@ -917,10 +917,12 @@
byte_count += strlen(nbuf) + 1;
}
}
- -@@ -2705,6 +3193,13 @@
+@@ -2704,8 +3193,16 @@
+ reply(226, "Transfer complete.");
transflag = 0;
- - if (dout != NULL)
+- if (dout != NULL)
++ if (dout != NULL) {
+#ifdef USE_SSL
+ if (ssl_data_active_flag && (ssl_data_con!=NULL)) {
+ SSL_free(ssl_data_con);
@@ -929,8 +931,10 @@
+ }
+#endif /* USE_SSL */
(void) fclose(dout);
++ }
data = -1;
pdata = -1;
+ out:
@@ -2792,3 +3287,223 @@
}
#endif /* TCPWRAPPERS */
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlWJ6asACgkQG7N1M011A3anNwCgyPrqn5d2yohLGIFoywmPytA7
HaUAnRX79aB4IjjCY/RUpmUVXNIO81K0
=vgHI
-----END PGP SIGNATURE-----
--- End Message ---