
Bug#953647: marked as done (buster-pu: package proftpd-dfsg/1.3.6-4+deb10u5)



Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #953647,
regarding buster-pu: package proftpd-dfsg/1.3.6-4+deb10u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
953647: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953647
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release managers,

The package fixes two critical issues which impact the usability of the
mod_sftp proftpd module. There are situations where users can't connect to
a proftpd server using sftp if the client is recent enough.

- The issue has been solved in Debian unstable since 1.3.6c-1
- Both bugs are set to important
- debdiff is attached

I tested a build on Debian stable and the reporters confirmed that the patch
solved the issue. The debdiff is against deb10u4, which has been uploaded by
the sec team.

Consider including it in Debian stable. Thanks!

Hilmar

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 5.4.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
sigmentation fault
diff -Nru proftpd-dfsg-1.3.6/debian/changelog proftpd-dfsg-1.3.6/debian/changelog
--- proftpd-dfsg-1.3.6/debian/changelog	2020-02-25 22:23:14.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/changelog	2020-03-11 00:03:08.000000000 +0100
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.6-4+deb10u5) buster; urgency=medium
+
+  * Patch for upstream Issue #656 (Closes: #951412)
+  * Patch for upstream Bug #4385 (Closes: #949622)
+
+ -- Hilmar Preusse <hille42@web.de>  Wed, 11 Mar 2020 00:03:08 +0100
+
 proftpd-dfsg (1.3.6-4+deb10u4) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
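Review bot: the two new changelog bullets give only upstream ticket numbers, while a buster-pu changelog is what the release team and stable users read to judge the change; each bullet should state the user-visible fix as the patch subjects do, e.g. `* Patch for upstream Issue #656: mod_sftp keyboard-interactive now restores the previous response pool (Closes: #951412)` and `* Patch for upstream Bug #4385: mod_sftp handles DEBUG, IGNORE, DISCONNECT and UNIMPLEMENTED messages during keyboard-interactive auth per RFC 4253 (Closes: #949622)`.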
diff -Nru proftpd-dfsg-1.3.6/debian/patches/series proftpd-dfsg-1.3.6/debian/patches/series
--- proftpd-dfsg-1.3.6/debian/patches/series	2020-02-25 22:23:14.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/patches/series	2020-03-11 00:03:08.000000000 +0100
@@ -22,3 +22,5 @@
 upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
 Issue-903-Ensure-that-we-do-not-reuse-already-destro.patch
 Issue-903-We-want-to-remove-the-data-transfer-comman.patch
+upstream_pull_657
+upstream_pull_885
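Review bot: the order of the two added lines is load-bearing: upstream_pull_885 was generated on top of upstream_pull_657 (its `index 6900f4dfc..98b0a28af` line starts from the blob that upstream_pull_657 produces, `index 2a925c12b..6900f4dfc`), so the series breaks if they are ever swapped; a `# must follow upstream_pull_657` comment line above the second entry would make that explicit, and giving both files the `.patch` suffix used by the neighbouring Issue-903 entries would keep the naming in this series consistent.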
diff -Nru proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657 proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657
--- proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657	2020-03-11 00:03:08.000000000 +0100
@@ -0,0 +1,77 @@
+From 1e056ee9171d44b85bfe2b09a6e78be78567d585 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj@castaglia.org>
+Date: Thu, 30 Nov 2017 07:19:06 -0800
+Subject: [PATCH] Issue #656: The keyboard-interative code in mod_sftp was
+ changing the memory pool used for response, but not restoring the previous
+ pool.
+
+Newer compilers/distros are far better about catching this, with e.g. ASLR
+and such; the previous behavior "worked" only because the memory areas in
+question _usually_ were not trampled.  But with e.g. Ubuntu 17.10, such
+trampling is noticed, caught, and rejected.
+---
+ contrib/mod_sftp/kbdint.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
+index 2a925c12b..6900f4dfc 100644
+--- a/contrib/mod_sftp/kbdint.c
++++ b/contrib/mod_sftp/kbdint.c
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - mod_sftp keyboard-interactive driver mgmt
+- * Copyright (c) 2008-2016 TJ Saunders
++ * Copyright (c) 2008-2017 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -264,6 +264,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+   struct ssh2_packet *pkt;
+   char mesg_type;
+   int res;
++  pool *resp_pool = NULL;
+ 
+   if (p == NULL ||
+       rcvd_count == NULL ||
+@@ -282,6 +283,9 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+ 
+   pr_response_clear(&resp_list);
+   pr_response_clear(&resp_err_list);
++
++  /* Cache a reference to the current response pool used. */
++  resp_pool = pr_response_get_pool();
+   pr_response_set_pool(pkt->pool);
+ 
+   mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
+@@ -290,6 +294,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+       "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
+       sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
+     destroy_pool(pkt->pool);
++    pr_response_set_pool(resp_pool);
+     errno = EPERM;
+     return -1;
+   }
+@@ -315,6 +320,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+       expected_count != 1 ? "challenges" : "challenge",
+       (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");
+     destroy_pool(pkt->pool);
++    pr_response_set_pool(resp_pool);
+     errno = EPERM;
+     return -1;
+   }
+@@ -324,6 +330,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+       "received too many responses (%lu > max %lu), rejecting",
+       (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);
+     destroy_pool(pkt->pool);
++    pr_response_set_pool(resp_pool);
+     errno = EPERM;
+     return -1;
+   }
+@@ -339,6 +346,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+   *rcvd_count = resp_count;
+   *responses = ((const char **) list->elts);
+   destroy_pool(pkt->pool);
++  pr_response_set_pool(resp_pool);
+ 
+   return 0;
+ }
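Review bot: in each of the four exit paths the previous response pool is restored only after `destroy_pool(pkt->pool)`, so between those two calls the active response pool points at a pool that has already been freed; reversing the order to `pr_response_set_pool(resp_pool);` followed by `destroy_pool(pkt->pool);` closes that window. Since the identical two-line sequence now appears four times, a single cleanup label at the end of sftp_kbdint_recv_response would keep the paths from drifting apart. The fix itself, caching `pr_response_get_pool()` before switching to `pkt->pool` and restoring it on every return, is the right repair for the pool switch the subject describes.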
diff -Nru proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885 proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885
--- proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885	2020-03-11 00:03:08.000000000 +0100
@@ -0,0 +1,147 @@
+From 3d17c8419afb10580b942f392f0a5c6de995c4e2 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj@castaglia.org>
+Date: Tue, 21 Jan 2020 11:09:08 -0800
+Subject: [PATCH] Bug #4385: When handling the `keyboard-interactive`
+ authentication mechanism, as used for _e.g._ PAM, make sure to properly
+ handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages, per RFC 4253.
+
+---
+ contrib/mod_sftp/kbdint.c | 99 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 76 insertions(+), 23 deletions(-)
+
+diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
+index 6900f4dfc..98b0a28af 100644
+--- a/contrib/mod_sftp/kbdint.c
++++ b/contrib/mod_sftp/kbdint.c
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - mod_sftp keyboard-interactive driver mgmt
+- * Copyright (c) 2008-2017 TJ Saunders
++ * Copyright (c) 2008-2020 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -254,6 +254,77 @@ int sftp_kbdint_send_challenge(const char *user, const char *instruction,
+   return res;
+ }
+ 
++static struct ssh2_packet *read_response_packet(pool *p) {
++  struct ssh2_packet *pkt = NULL;
++
++  /* Keep looping until we get the desired message, or we time out. */
++  while (pkt == NULL) {
++    int res;
++    char mesg_type;
++
++    pr_signals_handle();
++
++    pkt = sftp_ssh2_packet_create(kbdint_pool);
++    res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
++    if (res < 0) {
++      int xerrno = errno;
++
++      destroy_pool(pkt->pool);
++
++      errno = xerrno;
++      return NULL;
++    }
++
++    pr_response_clear(&resp_list);
++    pr_response_clear(&resp_err_list);
++
++    /* Per RFC 4253, Section 11, DEBUG, DISCONNECT, IGNORE, and UNIMPLEMENTED
++     * messages can occur at any time, even during KEX.  We have to be prepared
++     * for this, and Do The Right Thing(tm).
++     */
++
++    mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
++
++    switch (mesg_type) {
++      case SFTP_SSH2_MSG_DEBUG:
++        sftp_ssh2_packet_handle_debug(pkt);
++        pkt = NULL;
++        break;
++
++      case SFTP_SSH2_MSG_DISCONNECT:
++        sftp_ssh2_packet_handle_disconnect(pkt);
++        pkt = NULL;
++        break;
++
++      case SFTP_SSH2_MSG_IGNORE:
++        sftp_ssh2_packet_handle_ignore(pkt);
++        pkt = NULL;
++        break;
++
++      case SFTP_SSH2_MSG_UNIMPLEMENTED:
++        sftp_ssh2_packet_handle_unimplemented(pkt);
++        pkt = NULL;
++        break;
++
++      case SFTP_SSH2_MSG_USER_AUTH_INFO_RESP:
++        pr_trace_msg(trace_channel, 13,
++          "received expected %s message",
++          sftp_ssh2_packet_get_mesg_type_desc(mesg_type));
++        break;
++
++      default:
++        (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
++          "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
++          sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
++        destroy_pool(pkt->pool);
++        errno = EPERM;
++        return NULL;
++    }
++  }
++
++  return pkt;
++}
++
+ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+     uint32_t *rcvd_count, const char ***responses) {
+   register unsigned int i;
+@@ -261,8 +332,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+   cmd_rec *cmd;
+   array_header *list;
+   uint32_t buflen, resp_count;
+-  struct ssh2_packet *pkt;
+-  char mesg_type;
++  struct ssh2_packet *pkt = NULL;
+   int res;
+   pool *resp_pool = NULL;
+ 
+@@ -273,32 +343,15 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+     return -1;
+   }
+ 
+-  pkt = sftp_ssh2_packet_create(kbdint_pool);
+-
+-  res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
+-  if (res < 0) {
+-    destroy_pool(pkt->pool);
+-    return res;
++  pkt = read_response_packet(p);
++  if (pkt == NULL) {
++    return -1;
+   }
+ 
+-  pr_response_clear(&resp_list);
+-  pr_response_clear(&resp_err_list);
+-
+   /* Cache a reference to the current response pool used. */
+   resp_pool = pr_response_get_pool();
+   pr_response_set_pool(pkt->pool);
+ 
+-  mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
+-  if (mesg_type != SFTP_SSH2_MSG_USER_AUTH_INFO_RESP) {
+-    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
+-      "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
+-      sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
+-    destroy_pool(pkt->pool);
+-    pr_response_set_pool(resp_pool);
+-    errno = EPERM;
+-    return -1;
+-  }
+-
+   cmd = pr_cmd_alloc(pkt->pool, 2, pstrdup(pkt->pool, "USER_AUTH_INFO_RESP"));
+   cmd->arg = "(data)";
+ 
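Review bot: the comment in read_response_packet says the loop ends when "we time out", but nothing in the loop enforces that: the DEBUG, IGNORE and UNIMPLEMENTED cases set `pkt = NULL` and iterate again without any cap, so the function returns only when the peer sends USER_AUTH_INFO_RESP or an unexpected message, or when the read itself fails. An upper bound on the number of such messages tolerated per response (returning NULL with errno set, as the default case already does) would make the comment true and bound the work done before authentication completes. Two smaller points: the `pool *p` parameter is never used (the packet is allocated from `kbdint_pool`), so either drop it or allocate from it; and it is not visible in this hunk whether `sftp_ssh2_packet_handle_debug`, `_ignore` and `_unimplemented` release `pkt->pool` before the next `sftp_ssh2_packet_create` call, which should be confirmed because the loop itself does not.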



--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---
