Package: proftpd-basic
Version: 1.3.5-1.1
Severity: normal
Tags: upstream patch

Dear Maintainer,

mod_ls.c does not properly check the bounds of the options array and can read into neighboring addresses.

This issue has been discussed upstream here:
https://github.com/proftpd/proftpd/pull/85

and has been corrected here:
https://github.com/proftpd/proftpd/commit/70c13c005c9a5080212c3c36b07b239710ef5520

Thanks!
Scott

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages proftpd-basic depends on:
ii  adduser            3.113+nmu3
ii  debconf            1.5.56
ii  debianutils        4.4+b1
ii  libacl1            2.2.52-2
ii  libc6              2.19-15
ii  libcap2            1:2.24-7
ii  libmemcached11     1.0.18-4
ii  libmemcachedutil2  1.0.18-4
ii  libncursesw5       5.9+20140913-1+b1
ii  libpam-runtime     1.1.8-3.1
ii  libpam0g           1.1.8-3.1
ii  libpcre3           2:8.35-3.3
ii  libssl1.0.0        1.0.1k-1
ii  libtinfo5          5.9+20140913-1+b1
ii  libwrap0           7.6.q-25
ii  netbase            5.3
ii  sed                4.2.2-4+b1
ii  ucf                3.0030
ii  zlib1g             1:1.2.8.dfsg-2+b1

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
pn  openbsd-inetd | inet-superserver  <none>
ii  openssl                           1.0.1k-1
pn  proftpd-doc                       <none>
pn  proftpd-mod-geoip                 <none>
pn  proftpd-mod-ldap                  <none>
pn  proftpd-mod-mysql                 <none>
pn  proftpd-mod-odbc                  <none>
pn  proftpd-mod-pgsql                 <none>
pn  proftpd-mod-sqlite                <none>

-- debconf information excluded

diff --git a/modules/mod_ls.c b/modules/mod_ls.c index e074946..a29e314 100644 --- a/modules/mod_ls.c +++ b/modules/mod_ls.c @@ -2,7 +2,7 @@ * ProFTPD - FTP server daemon * Copyright (c) 1997, 1998 Public Flood Software * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <[email protected]> - * Copyright (c) 2001-2014 The ProFTPD Project team + * Copyright (c) 2001-2015 The ProFTPD Project team * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -1534,7 +1534,7 @@ static void parse_list_opts(char **opt, int *glob_flags, int handle_plus_opts) { /* Options are found; skip past the leading whitespace. */ *opt = ptr; - } else if (*(*opt + 1) == ' ') { + } else if (**opt && *(*opt + 1) == ' ') { /* If the next character is a blank space, advance just one character. */ (*opt)++; break; @@ -1644,7 +1644,7 @@ static void parse_list_opts(char **opt, int *glob_flags, int handle_plus_opts) { /* Options are found; skip past the leading whitespace. */ *opt = ptr; - } else if (*(*opt + 1) == ' ') { + } else if (**opt && *(*opt + 1) == ' ') { /* If the next character is a blank space, advance just one character. */ (*opt)++; break;
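
Review bot: The comment under the changed condition in the hunk at line 1534 still reads "If the next character is a blank space, advance just one character" and says nothing about the new `**opt` test; note there that `*(*opt + 1)` must not be read when `*opt` already points at the string terminator. The visible lines also do not show what runs when `**opt` is zero and this branch is skipped, so please confirm that case ends the scan instead of re-testing the same position.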
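
Review bot: The hunk at line 1644 repeats the line-1534 fix verbatim, with the same condition, comment, `(*opt)++` and `break`, so the bounds check now has to be kept in sync in two places. Consider moving this option-skipping step into one shared helper, and add a regression test that passes an options string ending exactly where `*opt` points, since the patch touches only modules/mod_ls.c and carries no test.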

