Bug 219938

Summary:	CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
Product:	[Fedora] Fedora	Reporter:	Ville Skyttä <ville.skytta>
Component:	proftpd	Assignee:	Matthias Saou <matthias>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	6	CC:	extras-qa, fedora-security-list
Target Milestone:	---	Keywords:	Reopened, Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	1.3.0a-3	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2007-02-06 11:26:54 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Ville Skyttä 2006-12-17 09:38:17 UTC

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6563

"Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in
the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute
arbitrary code via a large reqarglen length value."

All FC-3+ releases possibly affected.

Comment 1 Matthias Saou 2006-12-18 16:47:17 UTC

It seems like the 1.3.0 + patches from devel, FC-6 and FC-5 might not be
affected. Still, I'd like to try this release candidate and eventually deploy
it, but it fails to build on FC-6 with errors very early in the buils... *sigh*
I'll have a look at it when I have time, and make it high priority if anyone
confirms that the current builds are vulnerable.

Comment 2 Chris Ricker 2006-12-18 19:32:35 UTC

1.3.1rc1 builds for me on fc6

Configured as

 ./configure --libexecdir=/usr/libexec/proftpd --localstatedir=/var/run --ena
ble-ctrls --enable-facl --enable-dso --enable-ipv6 --with-libraries=/usr/lib/mys
ql --with-includes=/usr/include/mysql --with-modules=mod_readme:mod_auth_pam:mod
_tls --with-shared=mod_ldap:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab:
mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_sql

(same as fe6 rpm, built on ia32)

That's using the stock upstream code, I haven't added the shipped patches yet....

Comment 3 Matthias Saou 2007-02-05 13:22:35 UTC

As already written, the 1.3.0a + patches builds in all supported branches (FC-5,
FC-6 and devel) have this bug fixed. If you feel this isn't the case and are
able to reproduce the problem with those builds, please reopen this report.

BTW, the latest 1.3.1rc still doesn't build for me on devel (soon to be Fedora
7)... but that's a different problem. Patches to my email address are welcome,
though, as well as pointers to upstream bug reports which might contain some.

Comment 4 Ville Skyttä 2007-02-05 19:50:15 UTC

No reproducer here and this could use reviewing by someone better versed with C
than myself, but reopening based on an observation:

The patch which I gather fixes the reported issue in 1.3.1rc1, committed to CVS
with log entry "Bug#2867 - Local authorized user buffer overflow in Controls
request handling." is not yet applied in the current FE packages:
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/ctrls.c?r1=1.14&r2=1.15

Comment 5 Ville Skyttä 2007-02-05 19:51:57 UTC

Eh?  I ticked the "reopen bug" radio button but all it did was added a
"Reopened" keyword, bug status is still closed.  Trying again.

Comment 6 Red Hat Bugzilla 2007-02-05 20:14:34 UTC

Please try reopening again. Should be fixed now.

Comment 7 Matthias Saou 2007-02-06 11:26:54 UTC

Thanks a lot for the details, Ville. I've included the patch in FC-5, FC-6 and
devel branches, and rebuilds are waiting for the next push.