Bug 219938 - CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
Product: Fedora
Classification: Fedora
Component: proftpd (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Matthias Saou
Fedora Extras Quality Assurance
: Reopened, Security
Depends On:
  Show dependency treegraph
Reported: 2006-12-17 04:38 EST by Ville Skyttä
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version: 1.3.0a-3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-02-06 06:26:54 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ville Skyttä 2006-12-17 04:38:17 EST

"Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in
the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute
arbitrary code via a large reqarglen length value."

All FC-3+ releases possibly affected.
Comment 1 Matthias Saou 2006-12-18 11:47:17 EST
It seems like the 1.3.0 + patches from devel, FC-6 and FC-5 might not be
affected. Still, I'd like to try this release candidate and eventually deploy
it, but it fails to build on FC-6 with errors very early in the buils... *sigh*
I'll have a look at it when I have time, and make it high priority if anyone
confirms that the current builds are vulnerable.
Comment 2 Chris Ricker 2006-12-18 14:32:35 EST
1.3.1rc1 builds for me on fc6

Configured as

 ./configure --libexecdir=/usr/libexec/proftpd --localstatedir=/var/run --ena
ble-ctrls --enable-facl --enable-dso --enable-ipv6 --with-libraries=/usr/lib/mys
ql --with-includes=/usr/include/mysql --with-modules=mod_readme:mod_auth_pam:mod
_tls --with-shared=mod_ldap:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab:

(same as fe6 rpm, built on ia32)

That's using the stock upstream code, I haven't added the shipped patches yet....
Comment 3 Matthias Saou 2007-02-05 08:22:35 EST
As already written, the 1.3.0a + patches builds in all supported branches (FC-5,
FC-6 and devel) have this bug fixed. If you feel this isn't the case and are
able to reproduce the problem with those builds, please reopen this report.

BTW, the latest 1.3.1rc still doesn't build for me on devel (soon to be Fedora
7)... but that's a different problem. Patches to my email address are welcome,
though, as well as pointers to upstream bug reports which might contain some.
Comment 4 Ville Skyttä 2007-02-05 14:50:15 EST
No reproducer here and this could use reviewing by someone better versed with C
than myself, but reopening based on an observation:

The patch which I gather fixes the reported issue in 1.3.1rc1, committed to CVS
with log entry "Bug#2867 - Local authorized user buffer overflow in Controls
request handling." is not yet applied in the current FE packages:
Comment 5 Ville Skyttä 2007-02-05 14:51:57 EST
Eh?  I ticked the "reopen bug" radio button but all it did was added a
"Reopened" keyword, bug status is still closed.  Trying again.
Comment 6 Red Hat Bugzilla 2007-02-05 15:14:34 EST
Please try reopening again. Should be fixed now.
Comment 7 Matthias Saou 2007-02-06 06:26:54 EST
Thanks a lot for the details, Ville. I've included the patch in FC-5, FC-6 and
devel branches, and rebuilds are waiting for the next push.

Note You need to log in before you can comment on or make changes to this bug.