
Bug#953647: buster-pu: package proftpd-dfsg/1.3.6-4+deb10u5



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release managers,

The package fixes two critical issues which impact the usability of the proftpd mod_sftp module: in some situations users cannot connect to a proftpd server via SFTP when the client is recent enough.

- Issue is solved in Debian unstable since 1.3.6c-1
- Both bugs are set to important
- debdiff is attached

I tested a build on Debian stable and the reporters confirmed that the patch
solved the issue. The debdiff is against deb10u4, which has been uploaded by
the sec team.

Please consider including it in Debian stable. Thanks!

Hilmar

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 5.4.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
sigmentation fault
diff -Nru proftpd-dfsg-1.3.6/debian/changelog proftpd-dfsg-1.3.6/debian/changelog
--- proftpd-dfsg-1.3.6/debian/changelog	2020-02-25 22:23:14.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/changelog	2020-03-11 00:03:08.000000000 +0100
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.6-4+deb10u5) buster; urgency=medium
+
+  * Patch for upstream Issue #656 (Closes: #951412)
+  * Patch for upstream Bug #4385 (Closes: #949622)
+
+ -- Hilmar Preusse <hille42@web.de>  Wed, 11 Mar 2020 00:03:08 +0100
+
 proftpd-dfsg (1.3.6-4+deb10u4) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru proftpd-dfsg-1.3.6/debian/patches/series proftpd-dfsg-1.3.6/debian/patches/series
--- proftpd-dfsg-1.3.6/debian/patches/series	2020-02-25 22:23:14.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/patches/series	2020-03-11 00:03:08.000000000 +0100
@@ -22,3 +22,5 @@
 upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
 Issue-903-Ensure-that-we-do-not-reuse-already-destro.patch
 Issue-903-We-want-to-remove-the-data-transfer-comman.patch
+upstream_pull_657
+upstream_pull_885
diff -Nru proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657 proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657
--- proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/patches/upstream_pull_657	2020-03-11 00:03:08.000000000 +0100
@@ -0,0 +1,77 @@
+From 1e056ee9171d44b85bfe2b09a6e78be78567d585 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj@castaglia.org>
+Date: Thu, 30 Nov 2017 07:19:06 -0800
+Subject: [PATCH] Issue #656: The keyboard-interative code in mod_sftp was
+ changing the memory pool used for response, but not restoring the previous
+ pool.
+
+Newer compilers/distros are far better about catching this, with e.g. ASLR
+and such; the previous behavior "worked" only because the memory areas in
+question _usually_ were not trampled.  But with e.g. Ubuntu 17.10, such
+trampling is noticed, caught, and rejected.
+---
+ contrib/mod_sftp/kbdint.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
+index 2a925c12b..6900f4dfc 100644
+--- a/contrib/mod_sftp/kbdint.c
++++ b/contrib/mod_sftp/kbdint.c
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - mod_sftp keyboard-interactive driver mgmt
+- * Copyright (c) 2008-2016 TJ Saunders
++ * Copyright (c) 2008-2017 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -264,6 +264,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+   struct ssh2_packet *pkt;
+   char mesg_type;
+   int res;
++  pool *resp_pool = NULL;
+ 
+   if (p == NULL ||
+       rcvd_count == NULL ||
+@@ -282,6 +283,9 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+ 
+   pr_response_clear(&resp_list);
+   pr_response_clear(&resp_err_list);
++
++  /* Cache a reference to the current response pool used. */
++  resp_pool = pr_response_get_pool();
+   pr_response_set_pool(pkt->pool);
+ 
+   mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
+@@ -290,6 +294,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+       "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
+       sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
+     destroy_pool(pkt->pool);
++    pr_response_set_pool(resp_pool);
+     errno = EPERM;
+     return -1;
+   }
+@@ -315,6 +320,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+       expected_count != 1 ? "challenges" : "challenge",
+       (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");
+     destroy_pool(pkt->pool);
++    pr_response_set_pool(resp_pool);
+     errno = EPERM;
+     return -1;
+   }
+@@ -324,6 +330,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+       "received too many responses (%lu > max %lu), rejecting",
+       (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);
+     destroy_pool(pkt->pool);
++    pr_response_set_pool(resp_pool);
+     errno = EPERM;
+     return -1;
+   }
+@@ -339,6 +346,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+   *rcvd_count = resp_count;
+   *responses = ((const char **) list->elts);
+   destroy_pool(pkt->pool);
++  pr_response_set_pool(resp_pool);
+ 
+   return 0;
+ }
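Review bot: The restore of the cached response pool is now repeated on four exit paths of sftp_kbdint_recv_response(), each time right after `destroy_pool(pkt->pool);`, which is the same copy-paste pattern that let the original code miss the restore in the first place. A single cleanup label would make it hard for a future early return to skip it: the error paths would `goto done;` and the tail would read `done: destroy_pool(pkt->pool); pr_response_set_pool(resp_pool); return res;` with `res` and `errno` set before the jump. The `res < 0` path after sftp_ssh2_packet_read() correctly does not restore, since the pool has not been switched yet at that point. The body of sftp_kbdint_recv_response() continues past the end of this hunk.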
diff -Nru proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885 proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885
--- proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/patches/upstream_pull_885	2020-03-11 00:03:08.000000000 +0100
@@ -0,0 +1,147 @@
+From 3d17c8419afb10580b942f392f0a5c6de995c4e2 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <tj@castaglia.org>
+Date: Tue, 21 Jan 2020 11:09:08 -0800
+Subject: [PATCH] Bug #4385: When handling the `keyboard-interactive`
+ authentication mechanism, as used for _e.g._ PAM, make sure to properly
+ handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages, per RFC 4253.
+
+---
+ contrib/mod_sftp/kbdint.c | 99 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 76 insertions(+), 23 deletions(-)
+
+diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
+index 6900f4dfc..98b0a28af 100644
+--- a/contrib/mod_sftp/kbdint.c
++++ b/contrib/mod_sftp/kbdint.c
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - mod_sftp keyboard-interactive driver mgmt
+- * Copyright (c) 2008-2017 TJ Saunders
++ * Copyright (c) 2008-2020 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -254,6 +254,77 @@ int sftp_kbdint_send_challenge(const char *user, const char *instruction,
+   return res;
+ }
+ 
++static struct ssh2_packet *read_response_packet(pool *p) {
++  struct ssh2_packet *pkt = NULL;
++
++  /* Keep looping until we get the desired message, or we time out. */
++  while (pkt == NULL) {
++    int res;
++    char mesg_type;
++
++    pr_signals_handle();
++
++    pkt = sftp_ssh2_packet_create(kbdint_pool);
++    res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
++    if (res < 0) {
++      int xerrno = errno;
++
++      destroy_pool(pkt->pool);
++
++      errno = xerrno;
++      return NULL;
++    }
++
++    pr_response_clear(&resp_list);
++    pr_response_clear(&resp_err_list);
++
++    /* Per RFC 4253, Section 11, DEBUG, DISCONNECT, IGNORE, and UNIMPLEMENTED
++     * messages can occur at any time, even during KEX.  We have to be prepared
++     * for this, and Do The Right Thing(tm).
++     */
++
++    mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
++
++    switch (mesg_type) {
++      case SFTP_SSH2_MSG_DEBUG:
++        sftp_ssh2_packet_handle_debug(pkt);
++        pkt = NULL;
++        break;
++
++      case SFTP_SSH2_MSG_DISCONNECT:
++        sftp_ssh2_packet_handle_disconnect(pkt);
++        pkt = NULL;
++        break;
++
++      case SFTP_SSH2_MSG_IGNORE:
++        sftp_ssh2_packet_handle_ignore(pkt);
++        pkt = NULL;
++        break;
++
++      case SFTP_SSH2_MSG_UNIMPLEMENTED:
++        sftp_ssh2_packet_handle_unimplemented(pkt);
++        pkt = NULL;
++        break;
++
++      case SFTP_SSH2_MSG_USER_AUTH_INFO_RESP:
++        pr_trace_msg(trace_channel, 13,
++          "received expected %s message",
++          sftp_ssh2_packet_get_mesg_type_desc(mesg_type));
++        break;
++
++      default:
++        (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
++          "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
++          sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
++        destroy_pool(pkt->pool);
++        errno = EPERM;
++        return NULL;
++    }
++  }
++
++  return pkt;
++}
++
+ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+     uint32_t *rcvd_count, const char ***responses) {
+   register unsigned int i;
+@@ -261,8 +332,7 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+   cmd_rec *cmd;
+   array_header *list;
+   uint32_t buflen, resp_count;
+-  struct ssh2_packet *pkt;
+-  char mesg_type;
++  struct ssh2_packet *pkt = NULL;
+   int res;
+   pool *resp_pool = NULL;
+ 
+@@ -273,32 +343,15 @@ int sftp_kbdint_recv_response(pool *p, uint32_t expected_count,
+     return -1;
+   }
+ 
+-  pkt = sftp_ssh2_packet_create(kbdint_pool);
+-
+-  res = sftp_ssh2_packet_read(sftp_conn->rfd, pkt);
+-  if (res < 0) {
+-    destroy_pool(pkt->pool);
+-    return res;
++  pkt = read_response_packet(p);
++  if (pkt == NULL) {
++    return -1;
+   }
+ 
+-  pr_response_clear(&resp_list);
+-  pr_response_clear(&resp_err_list);
+-
+   /* Cache a reference to the current response pool used. */
+   resp_pool = pr_response_get_pool();
+   pr_response_set_pool(pkt->pool);
+ 
+-  mesg_type = sftp_ssh2_packet_get_mesg_type(pkt);
+-  if (mesg_type != SFTP_SSH2_MSG_USER_AUTH_INFO_RESP) {
+-    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
+-      "expecting USER_AUTH_INFO_RESP message, received %s (%d)",
+-      sftp_ssh2_packet_get_mesg_type_desc(mesg_type), mesg_type);
+-    destroy_pool(pkt->pool);
+-    pr_response_set_pool(resp_pool);
+-    errno = EPERM;
+-    return -1;
+-  }
+-
+   cmd = pr_cmd_alloc(pkt->pool, 2, pstrdup(pkt->pool, "USER_AUTH_INFO_RESP"));
+   cmd->arg = "(data)";
+ 
