Bug 670170 (CVE-2010-4652)

Summary: CVE-2010-4652 ProFTPD (mod_sql): Heap-based buffer overflow by processing certain usernames, when mod_sql module enabled
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: matthias, paul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-29 11:46:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 670172    
Bug Blocks:    

Description Jan Lieskovsky 2011-01-17 12:37:02 UTC
A heap-based buffer overflow flaw was found in the way ProFTPD FTP server
prepared SQL queries for certain usernames, when the mod_sql module was
enabled. A remote, unauthenticated attacker could use this flaw to
cause proftpd daemon to crash or, potentially, to execute arbitrary
code with the privileges of the user running 'proftpd' via a specially-crafted
username, provided in the authentication dialog.

Upstream bug report:
[1] http://bugs.proftpd.org/show_bug.cgi?id=3536

[2] http://www.securityfocus.com/bid/44933
[3] http://phrack.org/issues.html?issue=67&id=7#article
[4] http://bugs.gentoo.org/show_bug.cgi?id=348998
[5] http://proftpd.org/docs/RELEASE_NOTES-1.3.3d (ProFTPD v1.3.3d release notes)

CVE identifier:
[6] http://www.openwall.com/lists/oss-security/2011/01/14/6

Comment 1 Jan Lieskovsky 2011-01-17 12:40:25 UTC
This issue affects the versions of the proftpd package, as shipped
with Fedora release of 13 and 14.

This issue affects the versions of the proftpd package, as present
within EPEL-4 and EPEL-5 repositories.

Please rebase to latest (1.3.3d) version.

Comment 2 Jan Lieskovsky 2011-01-17 12:41:25 UTC
Created proftpd tracking bugs for this issue

Affects: fedora-all [bug 670172]

Comment 3 Paul Howarth 2011-06-29 10:55:35 UTC
Do these Security Response bugs ever get closed?

Comment 4 Jan Lieskovsky 2011-06-29 11:46:17 UTC
Hi Paul,

  they are closed when the particular issue got addressed in all affected
versions. Which seems to be the case of this issue already. Thank you for
the updates. Closing.

(In reply to comment #3)
> Do these Security Response bugs ever get closed?