
Re: ProFTPD still vulnerable (Sarge)



On Thursday, 2006-11-30 at 13:49:44 +0100, Stefan Fritsch wrote:

> Oh, that's bad. You don't have ftps enabled explicitly either?

No, just plain ftp.

> This probably means that there is at least some exploit to DoS sarge's 1.2.x.

As I said, the FTP access from "outside" is disabled now.  So I can't
test without mod_delay, and can't check if this is distinct from the
effect described in 308313 and 301275. But I doubt that.

> >> There is a thread about this at
> >> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000972.html

> > CVE-2006-5815: "Buffer overflow in ProFTPD 1.3.0 and earlier, when
> > configured to use the CommandBufferSize directive ...". This directive
> > is not in the default Debian Config file, I believe, and it isn't in the
> > one on that machine.

> This description is wrong. There was some confusion about what
> CVE-2006-5815 is. It is really about a flaw in sreplace(). There is more
> info about this confusion later in the thread above, e.g.
> http://lists.alioth.debian.org/pipermail/secure-testing-team/2006-November/000990.html
> or at
> http://bugs.proftpd.org/show_bug.cgi?id=2858

> The CommandBufferSize issue was fixed by DSA-1218-1.

CommandBufferSize isn't used, so it couldn't be that in any case.

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                               |
| Rockhound in "Armageddon", 1998, about the Space Shuttle               |


