Your message dated Fri, 2 Sep 2016 09:02:36 +0200
with message-id <[email protected]>
and subject line Re: Bug#762516: proftpd-basic: segfault in TLS mode with 
certificate when strlen on NULL, string
has caused the Debian Bug report #762516,
regarding proftpd-basic: segfault in TLS mode with certificate when strlen on 
NULL, string
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
762516: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762516
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: proftpd-basic: segfault in TLS mode with certificate when strlen on 
NULL string
Package: proftpd-basic
Version: 1.3.4a-5+deb7u1
Severity: important
Tags: upstream patch



-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages proftpd-basic depends on:
ii  adduser         3.113+nmu3
ii  debconf         1.5.49
ii  debianutils     4.3.2
ii  libacl1         2.2.51-8
ii  libc6           2.13-38+deb7u4
ii  libcap2         1:2.22-1.2
ii  libncurses5     5.9-10
ii  libpam-runtime  1.1.3-7.1
ii  libpam0g        1.1.3-7.1
ii  libpcre3        1:8.30-5
ii  libssl1.0.0     1.0.1e-2+deb7u12
ii  libtinfo5       5.9-10
ii  libwrap0        7.6.q-24
ii  netbase         5.0
ii  sed             4.2.1-10
ii  ucf             3.0025+nmu3
ii  update-inetd    4.43
ii  zlib1g          1:1.2.7.dfsg-13

Versions of packages proftpd-basic recommends:
ii  proftpd-mod-vroot  0.9.2-2+b2

Versions of packages proftpd-basic suggests:
pn  openbsd-inetd | inet-superserver  <none>
ii  openssl                           1.0.1e-2+deb7u12
pn  proftpd-doc                       <none>
pn  proftpd-mod-ldap                  <none>
pn  proftpd-mod-mysql                 <none>
pn  proftpd-mod-odbc                  <none>
pn  proftpd-mod-pgsql                 <none>
pn  proftpd-mod-sqlite                <none>

-- debconf information excluded

I use proftpd with TLS configuration like:

# TLS
<IfModule mod_tls.c>
 TLSEngine on
 TLSLog /home/debian/test/proftpd/logs/proftpd_tls.log ALL
 TLSProtocol SSLv23
#  TLSProtocol TLSv1
 # reject protection of the data channel
 TLSRequired !data
 TLSOptions AllowDotLogin
 # Server's certificate
 TLSRSACertificateFile /etc/ssl/certs/proftpd.cert.pem
 TLSRSACertificateKeyFile /etc/ssl/certs/proftpd.key.pem
 # Authenticate clients that want to use FTP over TLS?
 TLSVerifyClient off
 # Change renegotiations so that they are not required, only requested
 TLSRenegotiate required off
</IfModule>

And then try to connect to it using certificates with a command like:
curl -v --ftp-create-dirs -k --ftp-ssl-control -u debian:null -E ~/.ssl/ftps.cat.pem ftp://server//home/debian/toto

proftpd then segfaults on line 269 of modules/mod_auth.c:
passwd_len = strlen(cmd->arg);

cmd->arg is NULL in this configuration, and strlen segfaults.

To solve the bug, this line can be replaced by:
passwd_len = (cmd->arg == NULL) ? 0 : strlen(cmd->arg);

--- End Message ---
--- Begin Message ---
Version: 1.3.5~rc1-1

On 01.09.2016 15:38, Hilmar Preusse wrote:
> On 23.09.14 Frédéric Magnard ([email protected]) wrote:

Hi Frédéric,

>> Subject: proftpd-basic: segfault in TLS mode with certificate when strlen on 
>> NULL string
>> Package: proftpd-basic
>> Version: 1.3.4a-5+deb7u1
>> Severity: important
>> Tags: upstream patch
>>
>>
> I /think/ I found that bug already reported in upstream. The upstream
> bug is already closed, but I guess this is an error. I left some
> comments in the bug in the hope it will be re-opened.
> 
> Using that old bug as forwarding address for now.
> 
Upstream confirmed that bug is solved, it was just done a little
differently than you suggested. Code reads in 1.3.4b ff:

  if (cmd->arg != NULL) {
    /* And scrub the memory holding the password sent by the client, for
     * safety/security.
     */
    passwd_len = strlen(cmd->arg);
    pr_memscrub(cmd->arg, passwd_len);
  }

-> Closing

Hilmar
-- 
http://www.hilmar-preusse.de.vu/   #206401 http://counter.li.org

--- End Message ---
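
Added example (not part of the bug report and not ProFTPD source): a self-contained C sketch of the guarded scrub discussed in the thread, covering both a present and a NULL PASS argument. The names demo_cmd, demo_memscrub, demo_scrub_password and demo_all_zero are hypothetical; demo_memscrub is an assumed stand-in for pr_memscrub, whose implementation is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for ProFTPD's cmd_rec: only the field the report touches. */
struct demo_cmd {
    char *arg;   /* PASS argument; NULL in the crash reported above */
};

/* Stand-in for pr_memscrub(): zero through a volatile pointer so the
 * compiler cannot discard the stores as dead writes. */
static void demo_memscrub(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len-- > 0)
        *p++ = 0;
}

/* Guarded scrub in the shape of the 1.3.4b code quoted above; the cmd check
 * is extra. Returns the bytes wiped, 0 when there is no argument. */
static size_t demo_scrub_password(struct demo_cmd *cmd)
{
    size_t passwd_len = 0;
    if (cmd != NULL && cmd->arg != NULL) {
        passwd_len = strlen(cmd->arg);
        demo_memscrub(cmd->arg, passwd_len);
    }
    return passwd_len;
}

/* Returns 1 if the first len bytes of buf are all zero. */
static int demo_all_zero(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    char secret[] = "constructed-password";   /* constructed sample input */
    struct demo_cmd with_arg = { secret };
    struct demo_cmd no_arg = { NULL };        /* the crashing case */
    printf("with arg: wiped %zu bytes\n", demo_scrub_password(&with_arg));
    printf("zeroed: %d\n", demo_all_zero(secret, sizeof secret));
    printf("NULL arg: wiped %zu bytes\n", demo_scrub_password(&no_arg));
    return 0;
}
```

The one-line fix proposed in the report avoids the crash as well; placing the scrub inside the guard additionally ensures the scrub call is never handed a NULL pointer.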
