Bug 219938 - CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
Summary: CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: proftpd
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Matthias Saou
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-12-17 09:38 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.3.0a-3
Clone Of:
Environment:
Last Closed: 2007-02-06 11:26:54 UTC
Type: ---
Embargoed:



Description Ville Skyttä 2006-12-17 09:38:17 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6563

"Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in
the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute
arbitrary code via a large reqarglen length value."

All FC-3+ releases possibly affected.
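The NVD text above describes the bug class: an attacker-chosen reqarglen is trusted and used to copy into a fixed-size stack buffer. The following is an added illustration written for this report, not ProFTPD's ctrls.c; it assumes a constructed layout (4-byte big-endian reqarglen followed by the argument bytes) and shows the two length checks a request reader needs before copying.

```c
/* Added illustration, not ProFTPD's code: a length-prefixed request-argument
 * reader with the bounds check that the CVE text describes as missing. The
 * layout (4-byte big-endian reqarglen, then reqarglen bytes) is constructed
 * for this example and is not mod_ctrls' real wire format. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CTRLS_ARG_MAX 64  /* fixed-size buffer of the kind a large length overruns */
enum { CTRLS_OK = 0, CTRLS_ERR_TOOLONG = -1, CTRLS_ERR_SHORT = -2 };

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
/* Copy one argument from msg into the caller's buffer arg (size arg_sz).
 * The vulnerable pattern trusts reqarglen and copies that many bytes into a
 * fixed buffer; here the length is checked against the destination size and
 * against the bytes actually received before anything is copied. */
int ctrls_recv_arg(const unsigned char *msg, size_t msg_len,
                   char *arg, size_t arg_sz) {
    if (msg_len < 4)
        return CTRLS_ERR_SHORT;
    uint32_t reqarglen = read_be32(msg);
    if (reqarglen >= arg_sz)        /* leave room for the terminating NUL */
        return CTRLS_ERR_TOOLONG;
    if (reqarglen > msg_len - 4)    /* claims more bytes than were received */
        return CTRLS_ERR_SHORT;
    memcpy(arg, msg + 4, reqarglen);
    arg[reqarglen] = '\0';
    return CTRLS_OK;
}
/* Constructed inputs exercising the three outcomes. */
int demo_good(void) {              /* returns 0 when "lsmd" is parsed intact */
    char arg[CTRLS_ARG_MAX];
    const unsigned char msg[] = { 0, 0, 0, 4, 'l', 's', 'm', 'd' };
    if (ctrls_recv_arg(msg, sizeof msg, arg, sizeof arg) != CTRLS_OK)
        return -1;
    return strcmp(arg, "lsmd");
}
int demo_oversized_len(void) {     /* reqarglen = 0x10000, far beyond arg */
    char arg[CTRLS_ARG_MAX];
    const unsigned char msg[] = { 0, 1, 0, 0, 'x', 'y' };
    return ctrls_recv_arg(msg, sizeof msg, arg, sizeof arg);
}
int demo_truncated(void) {         /* reqarglen = 10 but only 2 bytes follow */
    char arg[CTRLS_ARG_MAX];
    const unsigned char msg[] = { 0, 0, 0, 10, 'a', 'b' };
    return ctrls_recv_arg(msg, sizeof msg, arg, sizeof arg);
}
```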

Comment 1 Matthias Saou 2006-12-18 16:47:17 UTC
It seems like the 1.3.0 + patches from devel, FC-6 and FC-5 might not be
affected. Still, I'd like to try this release candidate and eventually deploy
it, but it fails to build on FC-6 with errors very early in the builds... *sigh*
I'll have a look at it when I have time, and make it high priority if anyone
confirms that the current builds are vulnerable.

Comment 2 Chris Ricker 2006-12-18 19:32:35 UTC
1.3.1rc1 builds for me on fc6

Configured as

 ./configure --libexecdir=/usr/libexec/proftpd --localstatedir=/var/run --enable-ctrls --enable-facl --enable-dso --enable-ipv6 --with-libraries=/usr/lib/mysql --with-includes=/usr/include/mysql --with-modules=mod_readme:mod_auth_pam:mod_tls --with-shared=mod_ldap:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab:mod_quotatab_file:mod_quotatab_ldap:mod_quotatab_sql

(same as fe6 rpm, built on ia32)

That's using the stock upstream code, I haven't added the shipped patches yet....

Comment 3 Matthias Saou 2007-02-05 13:22:35 UTC
As already written, the 1.3.0a + patches builds in all supported branches (FC-5,
FC-6 and devel) have this bug fixed. If you feel this isn't the case and are
able to reproduce the problem with those builds, please reopen this report.

BTW, the latest 1.3.1rc still doesn't build for me on devel (soon to be Fedora
7)... but that's a different problem. Patches to my email address are welcome,
though, as well as pointers to upstream bug reports which might contain some.

Comment 4 Ville Skyttä 2007-02-05 19:50:15 UTC
No reproducer here and this could use reviewing by someone better versed with C
than myself, but reopening based on an observation:

The patch which I gather fixes the reported issue in 1.3.1rc1, committed to CVS
with log entry "Bug#2867 - Local authorized user buffer overflow in Controls
request handling." is not yet applied in the current FE packages:
http://proftp.cvs.sourceforge.net/proftp/proftpd/src/ctrls.c?r1=1.14&r2=1.15

Comment 5 Ville Skyttä 2007-02-05 19:51:57 UTC
Eh?  I ticked the "reopen bug" radio button but all it did was add a
"Reopened" keyword; bug status is still closed.  Trying again.

Comment 6 Red Hat Bugzilla 2007-02-05 20:14:34 UTC
Please try reopening again. Should be fixed now.

Comment 7 Matthias Saou 2007-02-06 11:26:54 UTC
Thanks a lot for the details, Ville. I've included the patch in FC-5, FC-6 and
devel branches, and rebuilds are waiting for the next push.

