Red Hat Bugzilla – Bug 219938
CVE-2006-6563: proftpd < 1.3.1rc1 mod_ctrls buffer overflow
Last modified: 2007-11-30 17:11:51 EST
"Stack-based buffer overflow in the pr_ctrls_recv_request function in ctrls.c in
the mod_ctrls module in ProFTPD before 1.3.1rc1 allows local users to execute
arbitrary code via a large reqarglen length value."
All FC-3+ releases possibly affected.
It seems like the 1.3.0 + patches from devel, FC-6 and FC-5 might not be
affected. Still, I'd like to try this release candidate and eventually deploy
it, but it fails to build on FC-6 with errors very early in the buils... *sigh*
I'll have a look at it when I have time, and make it high priority if anyone
confirms that the current builds are vulnerable.
1.3.1rc1 builds for me on fc6
./configure --libexecdir=/usr/libexec/proftpd --localstatedir=/var/run --ena
ble-ctrls --enable-facl --enable-dso --enable-ipv6 --with-libraries=/usr/lib/mys
ql --with-includes=/usr/include/mysql --with-modules=mod_readme:mod_auth_pam:mod
(same as fe6 rpm, built on ia32)
That's using the stock upstream code, I haven't added the shipped patches yet....
As already written, the 1.3.0a + patches builds in all supported branches (FC-5,
FC-6 and devel) have this bug fixed. If you feel this isn't the case and are
able to reproduce the problem with those builds, please reopen this report.
BTW, the latest 1.3.1rc still doesn't build for me on devel (soon to be Fedora
7)... but that's a different problem. Patches to my email address are welcome,
though, as well as pointers to upstream bug reports which might contain some.
No reproducer here and this could use reviewing by someone better versed with C
than myself, but reopening based on an observation:
The patch which I gather fixes the reported issue in 1.3.1rc1, committed to CVS
with log entry "Bug#2867 - Local authorized user buffer overflow in Controls
request handling." is not yet applied in the current FE packages:
Eh? I ticked the "reopen bug" radio button but all it did was added a
"Reopened" keyword, bug status is still closed. Trying again.
Please try reopening again. Should be fixed now.
Thanks a lot for the details, Ville. I've included the patch in FC-5, FC-6 and
devel branches, and rebuilds are waiting for the next push.