Bug 1286977

Summary: proftpd: unbounded SFTP extended attribute key/values
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, itamar, matthias, paul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:45:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1286978, 1286979    
Bug Blocks:    

Description Martin Prpič 2015-12-01 09:34:21 UTC 
The following flaw was found in proftpd:

Part of the SFTP handshake involves "extensions", which are key/value pairs, comprised of strings. In SSH, strings are encoded for network transport as a 32-bit length, followed by the bytes.

The mod_sftp module currently places no bounds/length limitations when reading these SFTP extension key/value data from the network. A malicious attacker might attempt to encode large values, and allocate more memory than is necessary.

To avoid undue resource exhaustion by a remote client, mod_sftp should place a limit on the maximum length of acceptable extension keys/values.

Upstream bug:

http://bugs.proftpd.org/show_bug.cgi?id=4210

Upstream patch:

https://github.com/proftpd/proftpd/pull/171
Comment 1 Martin Prpič 2015-12-01 09:34:48 UTC 
Created proftpd tracking bugs for this issue:

Affects: fedora-all [bug 1286978]
Affects: epel-all [bug 1286979]
Comment 2 Paul Howarth 2015-12-01 14:27:05 UTC 
Is it worth waiting for a CVE number for this issue to put in the package changelog before pushing an update?
Comment 3 Martin Prpič 2015-12-01 14:29:47 UTC 
(In reply to Paul Howarth from comment #2)
> Is it worth waiting for a CVE number for this issue to put in the package
> changelog before pushing an update?

Definitely not, I'd go ahead and push the update referencing this BZ.
Comment 4 Fedora Update System 2015-12-11 23:53:02 UTC 
proftpd-1.3.5a-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2015-12-12 01:54:06 UTC 
proftpd-1.3.5a-5.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-12-18 07:25:28 UTC 
proftpd-1.3.5a-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Product Security DevOps Team 2019-06-08 02:45:59 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.