Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Dear all,

the SSL-enhanced FTP server built from linux-ftpd-ssl
was recently uncovered to produce a denial of service,
as was demonstrated in #788331. The package has been
updated in testing and unstable, but since the error
is present ever since at least June, 2010 [sic!],
I would like to propose an update also to the stable
package release. The needed change can be made verbatim
with the alteration to unstable. The corresponding
debdiff output and a description are attached.

Best regards,
  Mats Erik Andersson, present maintainer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This proposed change protects against #788331,
which in an identical form has been applied
to version 0.17.35+0.3+2, present in testing.

Observe that the update of the source patch
'debian/patches/500-ssl.diff' is the first
change during five years of time, so the very
same change is applicable to old-old-stable!

The problem is that the present server crashes
when the client asks for a name listing, using
the command 'nl', i.e., NLST, of an empty directory.
The cause is a missing code block in the original
patch, which can cause the execution of 'fclose(NULL)'
and a segmentation fault. This results in a denial
of service since the server side executable dies.


diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/changelog 
linux-ftpd-ssl-0.17.33+0.3/debian/changelog
- --- linux-ftpd-ssl-0.17.33+0.3/debian/changelog       2011-04-20 
03:47:23.000000000 +0200
+++ linux-ftpd-ssl-0.17.33+0.3/debian/changelog 2015-06-16 14:00:05.000000000 
+0200
@@ -1,3 +1,11 @@
+linux-ftpd-ssl (0.17.33+0.3-1deb8u1) jessie; urgency=medium
+
+  * QA Upload
+  * NLST of empty directory results in segfault.
+    + debian/patches/500-ssl.diff: Updated.
+
+ -- Mats Erik Andersson <mats.anders...@gisladisker.se>  Tue, 16 Jun 2015 
13:47:15 +0200
+
 linux-ftpd-ssl (0.17.33+0.3-1) unstable; urgency=low
 
   * Update to linux-ftpd 0.17-33.
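Review bot: the changelog entry `+  * NLST of empty directory results in segfault.` does not reference the bug it fixes; appending `(Closes: #788331)` lets the BTS record which version fixes the report. The version string `0.17.33+0.3-1deb8u1` also lacks the `+` separator used for stable updates; `0.17.33+0.3-1+deb8u1` is the conventional form.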
diff -Nru linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff 
linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff
- --- linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff    2011-04-20 
03:47:23.000000000 +0200
+++ linux-ftpd-ssl-0.17.33+0.3/debian/patches/500-ssl.diff      2015-06-16 
13:46:42.000000000 +0200
@@ -3,7 +3,7 @@
 Origin: 
ftp://ftp.uni-mainz.de/pub/software/security/ssl/SSL-MZapps/linux-ftpd-0.17+ssl-0.3.diff.gz
 Forwarded: not-needed
 Author: Tim Hudson <t...@cryptsoft.com>
- -Last-Update: 2010-06-21
+Last-Update: 2015-06-11
 
 Index: linux-ftpd-ssl/ftpd/Makefile
 ===================================================================
@@ -917,10 +917,12 @@
                                byte_count += strlen(nbuf) + 1;
                        }
                }
- -@@ -2705,6 +3193,13 @@
+@@ -2704,8 +3193,16 @@
+               reply(226, "Transfer complete.");
  
        transflag = 0;
- -     if (dout != NULL)
+-      if (dout != NULL)
++      if (dout != NULL) {
 +#ifdef USE_SSL
 +                if (ssl_data_active_flag && (ssl_data_con!=NULL)) {
 +                  SSL_free(ssl_data_con);
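Review bot: the brace opened here at `++      if (dout != NULL) {` is closed only in the next hunk (`++      }` after `(void) fclose(dout);`), so the two hunks form one change and must be applied together. The context shows why the brace matters: without it the `if` guarded only the statement inside `#ifdef USE_SSL`, and `(void) fclose(dout)` ran unconditionally, which is the `fclose(NULL)` on an empty NLST described above. Worth confirming that the updated quilt patch still applies and that a build with USE_SSL undefined still reduces to `if (dout != NULL) { fclose(dout); }`.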
@@ -929,8 +931,10 @@
 +              }
 +#endif /* USE_SSL */
                (void) fclose(dout);
++      }
        data = -1;
        pdata = -1;
+ out:
 @@ -2792,3 +3287,223 @@
  }
  #endif        /* TCPWRAPPERS */