Hello community, here is the log from the commit of package proftpd for openSUSE:13.1 checked in at 2013-10-04 10:27:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1/proftpd (Old) and /work/SRC/openSUSE:13.1/.proftpd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "proftpd" Changes: -------- --- /work/SRC/openSUSE:13.1/proftpd/proftpd.changes 2013-09-23 11:06:01.000000000 +0200 +++ /work/SRC/openSUSE:13.1/.proftpd.new/proftpd.changes 2013-10-04 10:27:46.000000000 +0200 @@ -1,0 +2,10 @@ +Thu Oct 3 20:48:44 UTC 2013 - [email protected] + +- update to 1.3.4d + * Fixed broken build when using --disable-ipv6 configure option + * Fixed mod_sql "SQLAuthType Backend" MySQL issues +- fix for bnc#843444 (CVE-2013-4359) + * http://bugs.proftpd.org/show_bug.cgi?id=3973 + * add proftpd-sftp-kbdint-max-responses-bug3973.patch + +------------------------------------------------------------------- Old: ---- proftpd-1.3.4c.tar.gz proftpd-1.3.4c.tar.gz.asc New: ---- proftpd-1.3.4d.tar.gz proftpd-1.3.4d.tar.gz.asc proftpd-sftp-kbdint-max-responses-bug3973.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ proftpd.spec ++++++ --- /var/tmp/diff_new_pack.0BRxGf/_old 2013-10-04 10:27:47.000000000 +0200 +++ /var/tmp/diff_new_pack.0BRxGf/_new 2013-10-04 10:27:47.000000000 +0200 @@ -22,7 +22,7 @@ Group: Productivity/Networking/Ftp/Servers # Please save your time and do not update to "rc" versions. # We only accept updates for "STABLE" Versions -Version: 1.3.4c +Version: 1.3.4d Release: 0 Url: http://www.proftpd.org/ Source0: ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz @@ -41,6 +41,8 @@ Patch103: %{name}-strip.patch #PATCH-FIX-openSUSE: file-contains-date-and-time Patch104: %{name}-no_BuildDate.patch +# PATCH-FIX-upstream: sftp-kbdint-max-responses-bug3973 +Patch105: %{name}-sftp-kbdint-max-responses-bug3973.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gpg-offline BuildRequires: krb5-devel @@ -141,6 +143,7 @@ %patch102 %patch103 %patch104 +%patch105 %build PROFTPD_SHARED_MODS="$(for spec_mod in $(find contrib -name mod_\*.c); do echo "$(basename ${spec_mod%%.c})"; done | tr '\n' ':' | sed -e 's|:$||')" ++++++ proftpd-1.3.4c.tar.gz -> proftpd-1.3.4d.tar.gz ++++++ /work/SRC/openSUSE:13.1/proftpd/proftpd-1.3.4c.tar.gz /work/SRC/openSUSE:13.1/.proftpd.new/proftpd-1.3.4d.tar.gz differ: char 5, line 1 ++++++ proftpd-no_BuildDate.patch ++++++ --- /var/tmp/diff_new_pack.0BRxGf/_old 2013-10-04 10:27:47.000000000 +0200 +++ /var/tmp/diff_new_pack.0BRxGf/_new 2013-10-04 10:27:47.000000000 +0200 @@ -76,5 +76,5 @@ -#include "buildstamp.h" - /* Application version (in various forms) */ - #define PROFTPD_VERSION_NUMBER 0x0001030407 - #define PROFTPD_VERSION_TEXT "1.3.4c" + #define PROFTPD_VERSION_NUMBER 0x0001030408 + #define PROFTPD_VERSION_TEXT "1.3.4d" ++++++ proftpd-sftp-kbdint-max-responses-bug3973.patch ++++++ Index: contrib/mod_sftp_pam.c =================================================================== --- contrib/mod_sftp_pam.c.orig +++ contrib/mod_sftp_pam.c @@ -197,22 +197,13 @@ static int sftppam_converse(int nmsgs, P return PAM_CONV_ERR; } - if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, &recvd_count, - &recvd_responses) < 0) { + if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, list->nelts, + &recvd_count, &recvd_responses) < 0) { pr_trace_msg(trace_channel, 3, "error receiving keyboard-interactive responses: %s", strerror(errno)); return PAM_CONV_ERR; } - /* Make sure that the count of responses matches the challenge count. */ - if (recvd_count != list->nelts) { - (void) pr_log_writefile(sftp_logfd, MOD_SFTP_PAM_VERSION, - "sent %d %s, but received %u %s", nmsgs, - list->nelts != 1 ? "challenges" : "challenge", recvd_count, - recvd_count != 1 ? "responses" : "response"); - return PAM_CONV_ERR; - } - res = calloc(nmsgs, sizeof(struct pam_response)); if (res == NULL) { pr_log_pri(PR_LOG_CRIT, "Out of memory!"); Index: contrib/mod_sftp/kbdint.c =================================================================== --- contrib/mod_sftp/kbdint.c.orig +++ contrib/mod_sftp/kbdint.c @@ -1,6 +1,6 @@ /* * ProFTPD - mod_sftp keyboard-interactive driver mgmt - * Copyright (c) 2008-2009 TJ Saunders + * Copyright (c) 2008-2013 TJ Saunders * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -31,6 +31,8 @@ #include "utf8.h" #include "kbdint.h" +#define SFTP_KBDINT_MAX_RESPONSES 500 + struct kbdint_driver { struct kbdint_driver *next, *prev; @@ -252,8 +254,8 @@ int sftp_kbdint_send_challenge(const cha return res; } -int sftp_kbdint_recv_response(pool *p, unsigned int *count, - const char ***responses) { +int sftp_kbdint_recv_response(pool *p, unsigned int expected_count, + unsigned int *rcvd_count, const char ***responses) { register unsigned int i; char *buf; cmd_rec *cmd; @@ -264,7 +266,7 @@ int sftp_kbdint_recv_response(pool *p, u int res; if (p == NULL || - count == NULL || + rcvd_count == NULL || responses == NULL) { errno = EINVAL; return -1; @@ -299,6 +301,29 @@ int sftp_kbdint_recv_response(pool *p, u resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen); + /* Ensure that the number of responses sent by the client is the same + * as the number of challenges sent, lest a malicious client attempt to + * trick us into allocating too much memory (Bug#3973). + */ + if (resp_count != expected_count) { + (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION, + "sent %lu %s, but received %lu %s", (unsigned long) expected_count, + expected_count != 1 ? "challenges" : "challenge", + (unsigned long) resp_count, resp_count != 1 ? "responses" : "response"); + destroy_pool(pkt->pool); + errno = EPERM; + return -1; + } + + if (resp_count > SFTP_KBDINT_MAX_RESPONSES) { + (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION, + "received too many responses (%lu > max %lu), rejecting", + (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES); + destroy_pool(pkt->pool); + errno = EPERM; + return -1; + } + list = make_array(p, resp_count, sizeof(char *)); for (i = 0; i < resp_count; i++) { char *resp; @@ -307,7 +332,7 @@ int sftp_kbdint_recv_response(pool *p, u *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp)); } - *count = (unsigned int) resp_count; + *rcvd_count = (unsigned int) resp_count; *responses = ((const char **) list->elts); return 0; } Index: contrib/mod_sftp/mod_sftp.h.in =================================================================== --- contrib/mod_sftp/mod_sftp.h.in.orig +++ contrib/mod_sftp/mod_sftp.h.in @@ -1,6 +1,6 @@ /* * ProFTPD - mod_sftp - * Copyright (c) 2008-2011 TJ Saunders + * Copyright (c) 2008-2013 TJ Saunders * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -174,7 +174,8 @@ int sftp_kbdint_register_driver(const ch int sftp_kbdint_unregister_driver(const char *name); int sftp_kbdint_send_challenge(const char *, const char *, unsigned int, sftp_kbdint_challenge_t *); -int sftp_kbdint_recv_response(pool *, unsigned int *, const char ***); +int sftp_kbdint_recv_response(pool *, unsigned int, unsigned int *, + const char ***); /* API for modules that which to register keystores, for the * SFTPAuthorizedHostKeys and SFTPAuthorizedUserKeys directives. -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
