Control: tags 699647 + pending
Control: tags 723179 + pending patch

Dear maintainer,

I've prepared an NMU for proftpd-dfsg (versioned as 1.3.5~rc3-2.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru proftpd-dfsg-1.3.5~rc3/debian/changelog proftpd-dfsg-1.3.5~rc3/debian/changelog
--- proftpd-dfsg-1.3.5~rc3/debian/changelog	2013-07-04 14:18:15.000000000 +0200
+++ proftpd-dfsg-1.3.5~rc3/debian/changelog	2013-10-05 14:59:31.000000000 +0200
@@ -1,3 +1,17 @@
+proftpd-dfsg (1.3.5~rc3-2.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Add CVE-2013-4359.patch patch.
+    CVE-2013-4359: Fix invalid pool authentication in mod_sftp/mod_sftp_pam
+    during kbdint authentication leading to DoS conditions. (Closes: #723179)
+  * Correct Breaks and Replaces on proftpd-mod-geoip package.
+    The old proftpd-mod-geoip addon module is now obsoleted by core proftpd.
+    Adjusted the Breaks/Replaces to 1.3.5~rc1-1 which introduced the geoip
+    module in proftpd core.
+    Thanks to Andreas Beckmann <a...@debian.org> (Closes: #699647)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 05 Oct 2013 14:51:36 +0200
+
 proftpd-dfsg (1.3.5~rc3-2) unstable; urgency=low
 
   * Added version for dependency on memcached, for completeness.
diff -Nru proftpd-dfsg-1.3.5~rc3/debian/control proftpd-dfsg-1.3.5~rc3/debian/control
--- proftpd-dfsg-1.3.5~rc3/debian/control	2013-07-04 16:45:01.000000000 +0200
+++ proftpd-dfsg-1.3.5~rc3/debian/control	2013-10-05 15:00:53.000000000 +0200
@@ -192,8 +192,8 @@
 Package: proftpd-mod-geoip
 Architecture: any
 Depends: proftpd-basic (=${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
-Breaks: proftpd-mod-geoip (<< 1.3.5)
-Replaces: proftpd-mod-geoip (<< 1.3.5)
+Breaks: proftpd-mod-geoip (<< 1.3.5~rc1-1)
+Replaces: proftpd-mod-geoip (<< 1.3.5~rc1-1)
 Description: Versatile, virtual-hosting FTP daemon - GeoIP module
  ProFTPD is a powerful modular FTP/SFTP/FTPS server. This File Transfer
  Protocol daemon supports also hidden directories, virtual hosts, and
diff -Nru proftpd-dfsg-1.3.5~rc3/debian/control.in proftpd-dfsg-1.3.5~rc3/debian/control.in
--- proftpd-dfsg-1.3.5~rc3/debian/control.in	2013-07-04 14:18:15.000000000 +0200
+++ proftpd-dfsg-1.3.5~rc3/debian/control.in	2013-10-05 14:59:31.000000000 +0200
@@ -192,8 +192,8 @@
 Package: proftpd-mod-geoip
 Architecture: any
 Depends: proftpd-basic (=${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
-Breaks: proftpd-mod-geoip (<< 1.3.5)
-Replaces: proftpd-mod-geoip (<< 1.3.5)
+Breaks: proftpd-mod-geoip (<< 1.3.5~rc1-1)
+Replaces: proftpd-mod-geoip (<< 1.3.5~rc1-1)
 Description: Versatile, virtual-hosting FTP daemon - GeoIP module
  ProFTPD is a powerful modular FTP/SFTP/FTPS server. This File Transfer
  Protocol daemon supports also hidden directories, virtual hosts, and
diff -Nru proftpd-dfsg-1.3.5~rc3/debian/patches/CVE-2013-4359.patch proftpd-dfsg-1.3.5~rc3/debian/patches/CVE-2013-4359.patch
--- proftpd-dfsg-1.3.5~rc3/debian/patches/CVE-2013-4359.patch	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.5~rc3/debian/patches/CVE-2013-4359.patch	2013-10-05 14:59:31.000000000 +0200
@@ -0,0 +1,119 @@
+Description: Fix invalid pool authentication in mod_sftp/mod_sftp_pam
+ CVE-2013-4359: Fix invalid pool authentication in mod_sftp/mod_sftp_pam
+ during kbdint authentication leading to DoS conditions.
+Origin: upstream, http://bugs.proftpd.org/attachment.cgi?id=4075
+Bug: http://bugs.proftpd.org/show_bug.cgi?id=3973
+Bug-Debian: http://bugs.debian.org/723179
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-10-05
+
+--- a/contrib/mod_sftp_pam.c
++++ b/contrib/mod_sftp_pam.c
+@@ -197,22 +197,13 @@
+     return PAM_CONV_ERR;
+   }
+ 
+-  if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, &recvd_count,
+-      &recvd_responses) < 0) {
++  if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, list->nelts,
++      &recvd_count, &recvd_responses) < 0) {
+     pr_trace_msg(trace_channel, 3,
+       "error receiving keyboard-interactive responses: %s", strerror(errno));
+     return PAM_CONV_ERR;
+   }
+ 
+-  /* Make sure that the count of responses matches the challenge count. */
+-  if (recvd_count != list->nelts) {
+-    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_PAM_VERSION,
+-      "sent %d %s, but received %u %s", nmsgs,
+-      list->nelts != 1 ? "challenges" : "challenge", recvd_count,
+-      recvd_count != 1 ? "responses" : "response");
+-    return PAM_CONV_ERR;
+-  }
+-
+   res = calloc(nmsgs, sizeof(struct pam_response));
+   if (res == NULL) {
+     pr_log_pri(PR_LOG_CRIT, "Out of memory!");
+--- a/contrib/mod_sftp/kbdint.c
++++ b/contrib/mod_sftp/kbdint.c
+@@ -31,6 +31,8 @@
+ #include "utf8.h"
+ #include "kbdint.h"
+ 
++#define SFTP_KBDINT_MAX_RESPONSES	500
++
+ struct kbdint_driver {
+   struct kbdint_driver *next, *prev;
+ 
+@@ -252,8 +254,8 @@
+   return res;
+ }
+ 
+-int sftp_kbdint_recv_response(pool *p, unsigned int *count,
+-    const char ***responses) {
++int sftp_kbdint_recv_response(pool *p, unsigned int expected_count,
++    unsigned int *rcvd_count, const char ***responses) {
+   register unsigned int i;
+   unsigned char *buf;
+   cmd_rec *cmd;
+@@ -264,7 +266,7 @@
+   int res;
+ 
+   if (p == NULL ||
+-      count == NULL ||
++      rcvd_count == NULL ||
+       responses == NULL) {
+     errno = EINVAL;
+     return -1;
+@@ -299,6 +301,29 @@
+ 
+   resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);
+ 
++  /* Ensure that the number of responses sent by the client is the same
++   * as the number of challenges sent, lest a malicious client attempt to
++   * trick us into allocating too much memory (Bug#3973).
++   */
++  if (resp_count != expected_count) {
++    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
++      "sent %lu %s, but received %lu %s", (unsigned long) expected_count,
++      expected_count != 1 ? "challenges" : "challenge",
++      (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");
++    destroy_pool(pkt->pool);
++    errno = EPERM;
++    return -1;
++  }
++
++  if (resp_count > SFTP_KBDINT_MAX_RESPONSES) {
++    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
++      "received too many responses (%lu > max %lu), rejecting",
++      (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);
++    destroy_pool(pkt->pool);
++    errno = EPERM;
++    return -1;
++  }
++
+   list = make_array(p, resp_count, sizeof(char *));
+   for (i = 0; i < resp_count; i++) {
+     char *resp;
+@@ -307,7 +332,7 @@
+     *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
+   }
+ 
+-  *count = (unsigned int) resp_count;
++  *rcvd_count = (unsigned int) resp_count;
+   *responses = ((const char **) list->elts);
+   return 0;
+ }
+--- a/contrib/mod_sftp/mod_sftp.h.in
++++ b/contrib/mod_sftp/mod_sftp.h.in
+@@ -180,7 +180,8 @@
+ int sftp_kbdint_unregister_driver(const char *name);
+ int sftp_kbdint_send_challenge(const char *, const char *, unsigned int,
+   sftp_kbdint_challenge_t *);
+-int sftp_kbdint_recv_response(pool *, unsigned int *, const char ***);
++int sftp_kbdint_recv_response(pool *, unsigned int, unsigned int *,
++  const char ***);
+ 
+ /* API for modules that which to register keystores, for the
+  * SFTPAuthorizedHostKeys and SFTPAuthorizedUserKeys directives.
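Review bot: The SFTP_KBDINT_MAX_RESPONSES check in the kbdint.c hunk is evaluated only after `resp_count != expected_count` has already passed, so it can fire only when the server's own driver issued more than 500 challenges; it bounds the driver, not the client, and the bare `#define SFTP_KBDINT_MAX_RESPONSES 500` says nothing about that. Suggest a comment above the define: `/* Upper bound on challenges a kbdint driver may issue per round; a matching response count above this is still rejected. */`. The mod_sftp.h.in hunk changes the exported prototype of sftp_kbdint_recv_response from three to four parameters, so any kbdint driver outside mod_sftp_pam.c that calls the old form would presumably fail to compile; the patch header could state that only mod_sftp_pam.c is known to call it. Both sftp_kbdint_recv_response and the mod_sftp_pam.c conversation function start and end outside the quoted hunks.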
diff -Nru proftpd-dfsg-1.3.5~rc3/debian/patches/series proftpd-dfsg-1.3.5~rc3/debian/patches/series
--- proftpd-dfsg-1.3.5~rc3/debian/patches/series	2013-07-04 14:18:15.000000000 +0200
+++ proftpd-dfsg-1.3.5~rc3/debian/patches/series	2013-10-05 14:59:31.000000000 +0200
@@ -11,3 +11,4 @@
 silent
 use_hypen_in_manpage
 contrib_hardening_flags
+CVE-2013-4359.patch
