Package: proftpd-ldap
Version: 1.2.10-27
proftpd segfaults trying to authenticate users via LDAP in all observed
cases. Authenticating users via PAM (which relies on files, not on LDAP
in our configuration) works.
We found no workaround, so downgraded to 1.2.10-26 for now.
This is a sample ftp session as seen by the client:
--8><---------------------------------------------------------------
ftp> open XXXXX
Connected to XXXXX.capcom.de.
220 XXXXXXXXX FTP Server ready.
Name (XXXXX:XXXXXXXX):
331 Password required for XXXXXXXX.
Password:
421 Service not available, remote server has closed connection
Login failed.
No control connection for command: Permission denied
--8><---------------------------------------------------------------
This is the corresponding syslog entry:
--8><---------------------------------------------------------------
Feb 16 17:06:41 XXXXX proftpd[6458]: XXXXX.capcom.de
(XXXXXX.capcom.de[XXXXXXXXXXXXXXX]) - FTP session opened.
Feb 16 17:06:45 XXXXX proftpd[6458]: XXXXX.capcom.de
(XXXXXX.capcom.de[XXXXXXXXXXXXXXX]) - ProFTPD terminating (signal 11)
Feb 16 17:06:45 XXXXX proftpd[6458]: XXXXX.capcom.de
(XXXXXX.capcom.de[XXXXXXXXXXXXXXX]) - FTP session closed.
--8><---------------------------------------------------------------
The last observable activity of the proftpd is enquiring the user and
group information from the LDAP server and receiving appropriate
responses. The segfault occurs after receiving the last group search
response. strace shows that the segfault occurs outside of a system
call. ltrace shows two searches for configuration keys (AnonymousGroup
and AuthAliasOnly, both unset) and then this (last line of the config
search included):
--8><---------------------------------------------------------------
[pid 6511] strcmp("AuthAliasOnly", "USER") = -1
[pid 6511] memset(0x815e53c, '\000', 48) = 0x815e53c
[pid 6511] memset(0x815e56c, '\000', 4) = 0x815e56c
[pid 6511] strcasecmp("getpwnam", "getpwnam") = 0
[pid 6511] memcpy(0xbfd72a40, "", 2048) = 0xbfd72a40
[pid 6511] strcasecmp("getpwnam", "getpwnam") = 0
[pid 6511] memcpy(0xbfd72a40, "", 2048) = 0xbfd72a40
[pid 6511] strcasecmp("XXXXXXXX", "XXXXXXXX") = 0
[pid 6511] memset(0x8155904, '\000', 20) = 0x8155904
[pid 6511] memset(0x815e574, '\000', 28) = 0x815e574
[pid 6511] strlen("XXXXXXXX") = 8
[pid 6511] strlen("XXXXXXXXXXXXXXXXXXXXX") = 21
[pid 6511] strlen("") = 0
[pid 6511] strlen("XXXXXXXX") = 8
[pid 6511] memset(0x815e5d4, '\000', 48) = 0x815e5d4
[pid 6511] memset(0x815e604, '\000', 4) = 0x815e604
[pid 6511] strcasecmp("gid_name", "gid_name") = 0
[pid 6511] memcpy(0xbfd72a40, "", 2048) = 0xbfd72a40
[pid 6511] strcasecmp("gid_name", "gid_name") = 0
[pid 6511] memcpy(0xbfd72a40, "", 2048) = 0xbfd72a40
[pid 6511] --- SIGSEGV (Segmentation fault) ---
--8><---------------------------------------------------------------
proftpd configuration file:
--8><---------------------------------------------------------------
#
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
ServerName "XXXXXXXXX FTP Server"
ServerType standalone
ServerAdmin [EMAIL PROTECTED]
DeferWelcome off
IdentLookups off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
Umask 0113 0002
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
ServerIdent on "XXXXXXXXX FTP Server ready."
DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"
DenyFilter \*.*/
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd off
# Uncomment this if you would use TLS module:
#TLSEngine on
# Uncomment this if you would use quota module:
#Quotas on
# Uncomment this if you would use ratio module:
#Ratios on
# Port 21 is the standard FTP port.
Port 21
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine off
# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Cosmetic changes, all files belongs to ftp user
DirFakeUser on ftp
HideNoAccess on
DirFakeGroup on ftp
RequireValidShell off
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
# Limit downloads to 300kB/s, first MB does not count against this limit.
TransferRate RETR 300:1024
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
</Anonymous>
# Non-anonymous users
DefaultChDir ~ capcom
DefaultRoot ~ !capcom
LDAPServer XXXXXXXXXX.capcom.de
LDAPDNInfo "" ""
LDAPDoAuth on ou=people,dc=capcom,dc=de "(uid=%v)"
LDAPAuthBinds on
LDAPDefaultUID 101
LDAPDefaultGID 104
LDAPDoUIDLookups on ou=people,dc=capcom,dc=de "(uid=%v)"
LDAPDoGIDLookups on ou=groups,dc=capcom,dc=de
CreateHome on
LDAPGenerateHomedir on
LDAPGenerateHomedirPrefix /ccftp/projects
RequireValidShell off
<Directory /ccftp/home>
Umask 0177 0077
</Directory>
--8><---------------------------------------------------------------
Kernel version: 2.6.15-1-686
Installed versions of packages on which proftpd-ldap depends:
netbase 4.24
libc6 2.3.5-13
libcap1 1:1.10-14
debconf 1.4.70
libldap2 2.1.30-12
libpam0g 0.79-3
libssl0.9.8 0.9.8a-7
libwrap0 7.6.dbs-8
proftpd-common 1.2.10-27
adduser 3.80
ucf 2.005
Regards,
Ralph Rößner
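
Added example, not part of the original report: a Python log check that pairs each "FTP session opened" entry with a later "ProFTPD terminating (signal N)" entry from the same PID, so crashes like the one in the syslog excerpt above can be listed per client. The host names, addresses and the second (clean) session in the sample are constructed placeholders, and each entry is assumed to sit on one line as syslog writes it.

```python
import re

# Constructed sample in the format of the syslog excerpt above; hosts and
# addresses are placeholders, and each entry is on a single line.
SAMPLE_LOG = """\
Feb 16 17:06:41 ftp1 proftpd[6458]: ftp1.example.org (client.example.org[192.0.2.10]) - FTP session opened.
Feb 16 17:06:45 ftp1 proftpd[6458]: ftp1.example.org (client.example.org[192.0.2.10]) - ProFTPD terminating (signal 11)
Feb 16 17:06:45 ftp1 proftpd[6458]: ftp1.example.org (client.example.org[192.0.2.10]) - FTP session closed.
Feb 16 17:09:02 ftp1 proftpd[6470]: ftp1.example.org (other.example.org[192.0.2.20]) - FTP session opened.
Feb 16 17:09:30 ftp1 proftpd[6470]: ftp1.example.org (other.example.org[192.0.2.20]) - FTP session closed.
"""

# timestamp, syslog host, proftpd[pid], server name, (client[addr]), message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sproftpd\[(?P<pid>\d+)\]:\s"
    r"\S+\s\((?P<client>[^)]*)\)\s-\s(?P<msg>.*)$"
)
SIGNAL_RE = re.compile(r"ProFTPD terminating \(signal (\d+)\)")


def find_crashed_sessions(log_text):
    """Return one record per session whose child process died on a signal."""
    open_sessions = {}  # pid -> timestamp of "FTP session opened"
    crashes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a proftpd session line
        pid, msg = m["pid"], m["msg"]
        sig = SIGNAL_RE.search(msg)
        if msg.startswith("FTP session opened"):
            open_sessions[pid] = m["ts"]
        elif sig:
            crashes.append({
                "pid": int(pid),
                "client": m["client"],
                "signal": int(sig.group(1)),
                "opened": open_sessions.get(pid),  # None if the open was not logged
                "died": m["ts"],
            })
        elif msg.startswith("FTP session closed"):
            open_sessions.pop(pid, None)  # PIDs are reused; forget closed sessions
    return crashes


if __name__ == "__main__":
    for crash in find_crashed_sessions(SAMPLE_LOG):
        print(crash)
```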