
Bug#946560: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u3



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

The attached debdiff fixes the issues

#946345 proftpd-dfsg: CVE-2019-19269

...for Debian stretch. I built/installed the package on Debian oldstable
and could log in to the server and transfer a file.

Hilmar

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 5.3.0-3-686-pae (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru proftpd-dfsg-1.3.5b/debian/changelog proftpd-dfsg-1.3.5b/debian/changelog
--- proftpd-dfsg-1.3.5b/debian/changelog	2019-10-23 23:34:50.000000000 +0200
+++ proftpd-dfsg-1.3.5b/debian/changelog	2019-12-08 16:52:34.000000000 +0100
@@ -1,3 +1,11 @@
+proftpd-dfsg (1.3.5b-4+deb9u3) stretch-security; urgency=medium
+
+  *  Cherry pick patch from upstream:
+     - for upstream 861 (CVE-2019-19269) (Closes: #946345)
+     upstream_pull_861_CVE-2019-19269
+
+ -- Hilmar Preusse <hille42@web.de>  Sun, 08 Dec 2019 16:52:34 +0100
+
 proftpd-dfsg (1.3.5b-4+deb9u2) stretch-security; urgency=high

   * Add patch from upstream to address CVE-2019-18217.
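Review bot: the patch name given in the new changelog entry, `upstream_pull_861_CVE-2019-19269`, does not match the file actually added to debian/patches/series, `upstream_861_CVE-2019-19269`; please make the two agree. Since this is a stretch-pu request via release.debian.org rather than a security-team upload, the distribution for the deb9u3 entry should be `stretch`, not `stretch-security` (the deb9u2 entry above it was a security upload, which is why it differs). Minor: the bullet has a stray double space in `*  Cherry pick`.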
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/series proftpd-dfsg-1.3.5b/debian/patches/series
--- proftpd-dfsg-1.3.5b/debian/patches/series	2019-10-23 23:24:27.000000000 +0200
+++ proftpd-dfsg-1.3.5b/debian/patches/series	2019-12-08 16:52:34.000000000 +0100
@@ -17,3 +17,4 @@
 CVE-2017-7418
 proftpd-1.3.5e-CVE-2019-12815.patch
 bug_846_CVE-2019-18217.patch
+upstream_861_CVE-2019-19269
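Review bot: the new series entry `upstream_861_CVE-2019-19269` carries no `.patch` suffix, unlike its neighbours `proftpd-1.3.5e-CVE-2019-12815.patch` and `bug_846_CVE-2019-18217.patch`; consider renaming it to `upstream_861_CVE-2019-19269.patch` (and referencing the same name in the changelog) for consistency.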
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269 proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269
--- proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269	2019-12-08 16:52:34.000000000 +0100
@@ -0,0 +1,12 @@
+--- proftpd-dfsg.orig/contrib/mod_tls.c
++++ proftpd-dfsg/contrib/mod_tls.c
+@@ -5862,6 +5862,9 @@
+       ASN1_INTEGER *sn;
+
+       revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
++      if (revoked == NULL) {
++          continue;
++      }
+       sn = revoked->serialNumber;
+
+       if (ASN1_INTEGER_cmp(sn, X509_get_serialNumber(xs)) == 0) {
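Review bot: the new patch file begins directly with the `---` header and has no DEP-3 metadata; add at least `Origin:` (the upstream pull request 861 commit), `Bug:` / `Bug-Debian: https://bugs.debian.org/946345` and a one-line `Description:` so the provenance of the CVE-2019-19269 fix is recorded in the file itself. The NULL check on the value returned by `sk_X509_REVOKED_value()` before dereferencing `revoked->serialNumber` is the right cherry-pick, though the `continue;` inside the new block is indented by four columns where ProFTPD's sources use two-space steps.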
