* [gentoo-commits] gentoo-x86 commit in net-ftp/proftpd/files: proftpd-1.3.1-CVE-2008-4242.patch
@ 2008-11-09 11:56 Christian Hoffmann (hoffie)
From: Christian Hoffmann (hoffie) @ 2008-11-09 11:56 UTC (permalink / raw
To: gentoo-commits
hoffie 08/11/09 11:56:31
Added: proftpd-1.3.1-CVE-2008-4242.patch
Log:
Add proftpd-1.3.1-r1, a regression-free version of proftpd that ships a patch for security bug 238762; add proftpd-1.3.2_rc2-r2 to fix a mod_shaper-related compile failure pointed out by Joker in bug 238762; also fix bug 221275.
(Portage version: 2.2_rc13/cvs/Linux 2.6.27-gentoo x86_64)
Revision Changes Path
1.1 net-ftp/proftpd/files/proftpd-1.3.1-CVE-2008-4242.patch
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-ftp/proftpd/files/proftpd-1.3.1-CVE-2008-4242.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-ftp/proftpd/files/proftpd-1.3.1-CVE-2008-4242.patch?rev=1.1&content-type=text/plain
Index: proftpd-1.3.1-CVE-2008-4242.patch
===================================================================
Patch taken from Debian; closes:
http://secunia.com/advisories/cve_reference/CVE-2008-4242/
https://bugs.gentoo.org/show_bug.cgi?id=238762
diff -urNad trunk~/src/main.c trunk/src/main.c
--- trunk~/src/main.c 2008-09-21 23:50:55.000000000 +0200
+++ trunk/src/main.c 2008-09-21 23:50:55.000000000 +0200
@@ -674,12 +674,17 @@
while (TRUE) {
pr_signals_handle();
+ memset(buf,'\0',sizeof(buf));
+
if (pr_netio_telnet_gets(buf, sizeof(buf)-1, session.c->instrm,
session.c->outstrm) == NULL) {
- if (PR_NETIO_ERRNO(session.c->instrm) == EINTR)
- /* Simple interrupted syscall */
+ if (errno == E2BIG) {
+ /* The client sent a too-long command which was ignored; give
+ * them another chance?
+ */
continue;
+ }
#ifndef PR_DEVEL_NO_DAEMON
/* Otherwise, EOF */
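Review bot: The new `errno == E2BIG` test replaces the `PR_NETIO_ERRNO(session.c->instrm) == EINTR` retry instead of sitting beside it, so after this hunk an interrupted read on the control connection falls through to the "Otherwise, EOF" path and disconnects the client rather than being retried. Unless the EINTR case is handled somewhere outside the hunk, keep both checks: `if (errno == E2BIG) { continue; }` followed by `if (PR_NETIO_ERRNO(session.c->instrm) == EINTR) { continue; }`. The two checks also read different error sources — the stream's saved error versus the process `errno` that netio.c now sets directly — which is why they cannot be folded into one condition. The enclosing `while (TRUE)` loop continues past the hunk.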
@@ -695,20 +700,31 @@
if (cmd_buf_size == -1) {
int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize", FALSE);
+ size_t default_cmd_bufsz;
+
+ /* It's possible for the admin to select a PR_TUNABLE_BUFFER_SIZE which
+ * is smaller than PR_DEFAULT_CMD_BUFSZ. We need to handle such cases
+ * properly.
+ */
+ default_cmd_bufsz = PR_DEFAULT_CMD_BUFSZ;
+ if (default_cmd_bufsz > sizeof(buf)) {
+ default_cmd_bufsz = sizeof(buf);
+ }
+
if (bufsz == NULL) {
- cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
+ cmd_buf_size = default_cmd_bufsz;
} else if (*bufsz <= 0) {
pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
"given, using default buffer size (%u) instead",
- *bufsz, PR_DEFAULT_CMD_BUFSZ);
- cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
+ *bufsz, default_cmd_bufsz);
+ cmd_buf_size = default_cmd_bufsz;
} else if (*bufsz + 1 > sizeof(buf)) {
pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
"given, using default buffer size (%u) instead",
- *bufsz, PR_DEFAULT_CMD_BUFSZ);
- cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
+ *bufsz, default_cmd_bufsz);
+ cmd_buf_size = default_cmd_bufsz;
} else {
pr_log_debug(DEBUG1, "setting CommandBufferSize to %d", *bufsz);
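Review bot: `default_cmd_bufsz` is declared `size_t` but is passed to both `pr_log_pri()` warnings for a `%u` conversion, which expects `unsigned int`; that is undefined behavior in C and a `-Wformat` diagnostic, and on LP64 targets whether it prints correctly depends on the calling convention. Cast at the two call sites, `(unsigned int) default_cmd_bufsz`, or change the format to `%lu` with an `(unsigned long)` cast, so the argument type matches the way `%d` for `*bufsz` already does. The `if (cmd_buf_size == -1)` block continues past the hunk, and this listing appears to drop the hunk's final context line.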
diff -urNad trunk~/src/netio.c trunk/src/netio.c
--- trunk~/src/netio.c 2008-09-21 23:39:34.000000000 +0200
+++ trunk/src/netio.c 2008-09-21 23:52:17.000000000 +0200
@@ -1,6 +1,6 @@
/*
* ProFTPD - FTP server daemon
- * Copyright (c) 2001-2007 The ProFTPD Project team
+ * Copyright (c) 2001-2008 The ProFTPD Project team
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -30,19 +30,19 @@
#include <signal.h>
#ifndef IAC
-#define IAC 255
+# define IAC 255
#endif
#ifndef DONT
-#define DONT 254
+# define DONT 254
#endif
#ifndef DO
-#define DO 253
+# define DO 253
#endif
#ifndef WONT
-#define WONT 252
+# define WONT 252
#endif
#ifndef WILL
-#define WILL 251
+# define WILL 251
#endif
static const char *trace_channel = "netio";
@@ -51,6 +51,17 @@
static pr_netio_t *core_data_netio = NULL, *data_netio = NULL;
static pr_netio_t *core_othr_netio = NULL, *othr_netio = NULL;
+/* Used to track whether the previous text read from the client's control
+ * connection was a properly-terminated command. If so, then read in the
+ * next/current text as per normal. If NOT (e.g. the client sent a too-long
+ * command), then read in the next/current text, but ignore it. Only clear
+ * this flag if the next/current command can be read as per normal.
+ *
+ * The pr_netio_telnet_gets() uses this variable, in conjunction with its
+ * saw_newline flag, for handling too-long commands from clients.
+ */
+static int properly_terminated_prev_command = TRUE;
+
static pr_netio_stream_t *netio_stream_alloc(pool *parent_pool) {
pool *netio_pool = NULL;
pr_netio_stream_t *nstrm = NULL;
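Review bot: `properly_terminated_prev_command` is a file-scope static, so it is shared by every stream that passes through `pr_netio_telnet_gets()` in this process and is never reset when a stream is closed; the comment should state the assumption this relies on. Suggested addition to the comment block: `Note: this flag is per-process, not per-stream; it assumes pr_netio_telnet_gets() is only used on one control stream per session process.` If the function is also called on other streams (not visible here), a too-long line on one stream would cause the next line on another to be discarded, and the flag belongs in `pr_netio_stream_t` instead.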
@@ -911,7 +922,7 @@
char *bp = buf;
unsigned char cp;
static unsigned char mode = 0;
- int toread;
+ int toread, saw_newline = FALSE;
pr_buffer_t *pbuf = NULL;
if (buflen == 0) {
@@ -940,8 +951,9 @@
*bp = '\0';
return buf;
- } else
+ } else {
return NULL;
+ }
}
pbuf->remaining = pbuf->buflen - toread;
@@ -1004,6 +1016,8 @@
toread--;
*bp++ = *pbuf->current++;
pbuf->remaining++;
+
+ saw_newline = TRUE;
break;
}
@@ -1011,6 +1025,25 @@
pbuf->current = NULL;
}
+ if (!saw_newline) {
+ /* If we haven't seen a newline, then assume the client is deliberately
+ * sending a too-long command, trying to exploit buffer sizes and make
+ * the server make some possibly bad assumptions.
+ */
+
+ properly_terminated_prev_command = FALSE;
+ errno = E2BIG;
+ return NULL;
+ }
+
+ if (!properly_terminated_prev_command) {
+ properly_terminated_prev_command = TRUE;
+ pr_log_pri(PR_LOG_NOTICE, "client sent too-long command, ignoring");
+ errno = E2BIG;
+ return NULL;
+ }
+
+ properly_terminated_prev_command = TRUE;
*bp = '\0';
return buf;
}
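Review bot: On both new `return NULL` paths the partially filled `buf` is left unterminated — `*bp = '\0'` is only reached on the success path at the end of the hunk — so a caller that inspects `buf` after a NULL return sees client-controlled bytes with no NUL. The new `memset()` in main.c masks this for the control connection, but the function should not depend on its caller for that; add `*bp = '\0';` before each of the two `return NULL;` statements, which is in bounds for the same reason the existing trailing `*bp = '\0'` is (the loop has already exited in the same state). The rest of `pr_netio_telnet_gets()` starts outside the hunk.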