Your message dated Sat, 16 May 2026 11:07:43 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1135380,
regarding bookworm-pu: package proftpd-dfsg/1.3.8+dfsg-4+deb12u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135380: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135380
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:proftpd-dfsg
User: [email protected]
Usertags: pu

(Please provide enough information to help the release team
to judge the request efficiently. E.g. by filling in the
sections below.)

[ Reason ]
The bugs are described in the descriptions of CVE-2026-42167 & CVE-2024-57392
and in upstream issue #1840: https://github.com/proftpd/proftpd/issues/1840

[ Impact ]
1. Users are impacted by CVE-2026-42167.

https://app.opencve.io/cve/CVE-2026-42167

The CVSS score of 8.1 indicates a high severity risk. No EPSS
score is available, so the current exploitation probability is
unknown; however, the exploit requires specific configuration
conditions (mod_sql enabled, %U logging, and a permissive SQL
backend).

2. Users are impacted by CVE-2024-57392. The severity of this CVE
is rather low, hence it was ignored until today. The patch fixes
possible crashes of the proftpd server.

3. Fix for #1133677:
proftpd before commit 3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6 fails
to validate the RADIUS MAC signature when talking to current
FreeRADIUS (e.g. 3.2.7).

[ Tests ]
The proftpd package has a test suite, which was executed
successfully.

[ Risks ]
The added changes (except perhaps the one for CVE-2026-42167) are
rather old and well tested. I don't expect surprises.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * Add patch from upstream to address CVE-2024-57392.
 * Add patch from upstream to address issue #1840 (Closes: #1133677).
 * Add patch for CVE-2026-42167 (Closes: #1135119).
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/changelog 
proftpd-dfsg-1.3.8+dfsg/debian/changelog
--- proftpd-dfsg-1.3.8+dfsg/debian/changelog    2024-11-30 23:32:48.000000000 
+0100
+++ proftpd-dfsg-1.3.8+dfsg/debian/changelog    2026-05-01 22:02:15.000000000 
+0200
@@ -1,3 +1,11 @@
+proftpd-dfsg (1.3.8+dfsg-4+deb12u5) bookworm; urgency=medium
+
+  * Add patch from upstream to address CVE-2024-57392.
+  * Add patch from upstream to address issues #1840 (Closes: #1133677).
+  * Add patch for CVE-2026-42167 (Closes: #1135119).
+
+ -- Hilmar Preuße <[email protected]>  Fri, 01 May 2026 22:02:15 +0200
+
 proftpd-dfsg (1.3.8+dfsg-4+deb12u4) bookworm-security; urgency=high
 
   * Add my Debian E-Mail address to Field Uploaders.
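Review bot: the entry `+  * Add patch from upstream to address issues #1840 (Closes: #1133677).` should read `issue #1840` (one upstream issue), and the CVE-2024-57392 entry names neither the upstream commit nor the upstream issue it comes from; the patch file it refers to (9b2b4a3e..., "Manually backporting some of the null pointer guards from Issue #1866") does not mention the CVE either, so a reader of the changelog cannot connect the CVE to the patch. Adding the commit id or "upstream Issue #1866" to that changelog line would close that gap.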
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/2052_pghmcfc.diff 
proftpd-dfsg-1.3.8+dfsg/debian/patches/2052_pghmcfc.diff
--- proftpd-dfsg-1.3.8+dfsg/debian/patches/2052_pghmcfc.diff    1970-01-01 
01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.8+dfsg/debian/patches/2052_pghmcfc.diff    2026-05-01 
22:00:38.000000000 +0200
@@ -0,0 +1,193 @@
+From 415395b795436ae47cc25b2394e80033b80f11be Mon Sep 17 00:00:00 2001
+From: TJ Saunders <[email protected]>
+Date: Mon, 27 Apr 2026 12:13:09 -0700
+Subject: [PATCH] Issue #2052: When resolving any variable whose value is
+ supplied by the client, make sure we **always** escape that value text.
+
+---
+ contrib/mod_sql.c | 103 ++++++++++++++++++++++++++++------------------
+ 1 file changed, 64 insertions(+), 39 deletions(-)
+
+--- proftpd.orig/contrib/mod_sql.c
++++ proftpd/contrib/mod_sql.c
+@@ -2,7 +2,7 @@
+  * ProFTPD: mod_sql -- SQL frontend
+  * Copyright (c) 1998-1999 Johnie Ingram.
+  * Copyright (c) 2001 Andrew Houghton.
+- * Copyright (c) 2004-2022 TJ Saunders
++ * Copyright (c) 2004-2026 TJ Saunders
+  *  
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
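Review bot: the patch carries only the git `From`/`Date`/`Subject` headers of upstream commit 415395b795436ae47cc25b2394e80033b80f11be and mentions Issue #2052, but nothing in the file ties it to CVE-2026-42167 or to Debian bug #1135119, which the changelog says it closes. A DEP-3 style `Bug-Debian: https://bugs.debian.org/1135119` line plus the CVE id in the header would make the patch self-describing for anyone auditing the package later.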
+@@ -758,40 +758,46 @@
+ }
+ 
+ static int sql_resolved_append_text(pool *p, struct sql_resolved *resolved,
+-    const char *text, size_t text_len) {
+-  char *new_text;
+-  size_t new_textlen;
++    const char *text, size_t text_len, int already_escaped) {
++  char *new_text = NULL;
++  size_t new_textlen = 0;
+ 
+   if (text == NULL ||
+       text_len == 0) {
+     return 0;
+   }
+ 
+-  /* For backward compatibility (see Issue #1149), we indulge in a little
+-   * heuristic here, and only escape the text if it hasn't already been
+-   * escaped.  How to properly tell?  If the first and last characters of
+-   * the given text are `'`, AND there are no other occurrences of that
+-   * character in the text, assume it has already been quoted.
+-   */
+-  if (is_escaped_text(text, text_len) == FALSE) {
+-    modret_t *mr;
++  new_text = (char *) text;
++  new_textlen = text_len;
+ 
+-    mr = sql_dispatch(sql_make_cmd(p, 2, resolved->conn_name, text),
+-      "sql_escapestring");
+-    if (check_response(mr, resolved->conn_flags) < 0) {
+-      errno = EIO;
+-      return -1;
+-    }
++  if (already_escaped == FALSE) {
++    /* For backward compatibility (see Issue #1149), we indulge in a little
++     * heuristic here, and only escape the text if it hasn't already been
++     * escaped.  How to properly tell?  If the first and last characters of
++     * the given text are `'`, AND there are no other occurrences of that
++     * character in the text, assume it has already been quoted.
++     *
++     * Per Issue #2052, we refine this to use this heuristic only if we do
++     * not already know that the text has been escaped.  Some callers may
++     * have already escaped the provided text for us.
++     */
++    if (is_escaped_text(text, text_len) == FALSE) {
++      modret_t *mr;
+ 
+-    new_text = (char *) mr->data;
+-    new_textlen = strlen(new_text);
++      mr = sql_dispatch(sql_make_cmd(p, 2, resolved->conn_name, text),
++        "sql_escapestring");
++      if (check_response(mr, resolved->conn_flags) < 0) {
++        errno = EIO;
++        return -1;
++      }
+ 
+-  } else {
+-    pr_trace_msg(trace_channel, 17,
+-      "text '%s' is already escaped, skipping escaping it again", text);
++      new_text = (char *) mr->data;
++      new_textlen = strlen(new_text);
+ 
+-    new_text = (char *) text;
+-    new_textlen = text_len;
++    } else {
++      pr_trace_msg(trace_channel, 17,
++        "text '%s' is already escaped, skipping escaping it again", text);
++    }
+   }
+ 
+   if (new_textlen > resolved->buflen) {
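Review bot: the new `already_escaped` parameter is not documented at the function itself; the comment starting `+     * Per Issue #2052, we refine this to use this heuristic only if we do` explains the heuristic side, but nothing above `static int sql_resolved_append_text(...)` states the contract that a caller passing TRUE guarantees `text` has already been escaped and that the heuristic is then skipped entirely. A future caller passing TRUE with raw text would silently reintroduce the problem, so a one-line comment on the parameter is worth adding, and a `pr_trace_msg` in the TRUE path symmetric with the existing "already escaped, skipping" message would make that decision visible in traces as well.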
+@@ -809,7 +815,7 @@
+ 
+ static int sql_resolve_on_meta(pool *p, pr_jot_ctx_t *jot_ctx,
+     unsigned char logfmt_id, const char *jot_hint, const void *val) {
+-  int res = 0;
++  int res = 0, already_escaped = FALSE;
+   struct sql_resolved *resolved;
+ 
+   resolved = jot_ctx->log;
+@@ -968,35 +974,53 @@
+         break;
+       }
+ 
++      /* Per Issue #2052, the following variable values can all be supplied
++       * remotely by the client.  As such, they should be escaped 
preemptively.
++       */
+       case LOGFMT_META_ANON_PASS:
+       case LOGFMT_META_BASENAME:
+-      case LOGFMT_META_CLASS:
+       case LOGFMT_META_CMD_PARAMS:
+       case LOGFMT_META_COMMAND:
+       case LOGFMT_META_DIR_NAME:
+       case LOGFMT_META_DIR_PATH:
++      case LOGFMT_META_FILENAME:
++      case LOGFMT_META_IDENT_USER:
++      case LOGFMT_META_METHOD:
++      case LOGFMT_META_ORIGINAL_USER:
++      case LOGFMT_META_RESPONSE_STR:
++      case LOGFMT_META_REMOTE_HOST:
++      case LOGFMT_META_RENAME_FROM:
++      case LOGFMT_META_USER:
++      case LOGFMT_META_XFER_PATH: {
++        modret_t *mr;
++
++        mr = sql_dispatch(sql_make_cmd(p, 2, resolved->conn_name,
++          (const char *) val), "sql_escapestring");
++        if (check_response(mr, resolved->conn_flags) < 0) {
++          errno = EIO;
++          return -1;
++        }
++
++        text = (char *) mr->data;
++        text_len = strlen(text);
++        already_escaped = TRUE;
++        break;
++      }
++
++      case LOGFMT_META_CLASS:
+       case LOGFMT_META_ENV_VAR:
+       case LOGFMT_META_EOS_REASON:
+-      case LOGFMT_META_FILENAME:
+       case LOGFMT_META_GROUP:
+-      case LOGFMT_META_IDENT_USER:
+       case LOGFMT_META_ISO8601:
+       case LOGFMT_META_LOCAL_FQDN:
+       case LOGFMT_META_LOCAL_IP:
+       case LOGFMT_META_LOCAL_NAME:
+-      case LOGFMT_META_METHOD:
+       case LOGFMT_META_NOTE_VAR:
+-      case LOGFMT_META_ORIGINAL_USER:
+       case LOGFMT_META_PROTOCOL:
+-      case LOGFMT_META_REMOTE_HOST:
+       case LOGFMT_META_REMOTE_IP:
+-      case LOGFMT_META_RENAME_FROM:
+-      case LOGFMT_META_RESPONSE_STR:
+-      case LOGFMT_META_USER:
+       case LOGFMT_META_VERSION:
+       case LOGFMT_META_VHOST_IP:
+       case LOGFMT_META_XFER_FAILURE:
+-      case LOGFMT_META_XFER_PATH:
+       case LOGFMT_META_XFER_STATUS:
+       case LOGFMT_META_XFER_TYPE:
+       default:
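Review bot: `LOGFMT_META_ENV_VAR` and `LOGFMT_META_NOTE_VAR` remain in the heuristic-only group although the new comment says values "supplied remotely by the client" should be escaped preemptively; environment variables and session notes are commonly populated by other modules from data the client sent, and the comment does not say why they are excluded, so either move them into the pre-escaped block or add a sentence explaining the exclusion. Separately, the new block passes `(const char *) val` straight to `sql_dispatch(...)` with no NULL check; please confirm that `val` cannot be NULL for these ids (for example `LOGFMT_META_RENAME_FROM` when no rename source is recorded) or that the `default:` path guards that before this point, since the original code for these labels went through the shared handling below.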
+@@ -1009,7 +1033,8 @@
+       text_len = strlen(text);
+     }
+ 
+-    res = sql_resolved_append_text(p, resolved, text, text_len);
++    res = sql_resolved_append_text(p, resolved, text, text_len,
++      already_escaped);
+   }
+ 
+   return res;
+@@ -1072,7 +1097,7 @@
+         break;
+     }
+ 
+-    res = sql_resolved_append_text(p, resolved, text, text_len);
++    res = sql_resolved_append_text(p, resolved, text, text_len, FALSE);
+   }
+ 
+   return res;
+@@ -3173,7 +3198,7 @@
+       }
+ 
+       text_len = strlen(text);
+-      res = sql_resolved_append_text(p, resolved, text, text_len);
++      res = sql_resolved_append_text(p, resolved, text, text_len, FALSE);
+ 
+     } else {
+       res = sql_resolve_on_meta(p, jot_ctx, logfmt_id, jot_hint, val);
diff -Nru 
proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff
 
proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff
--- 
proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff
        1970-01-01 01:00:00.000000000 +0100
+++ 
proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff
        2026-05-01 22:00:38.000000000 +0200
@@ -0,0 +1,36 @@
+From 3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <[email protected]>
+Date: Sat, 26 Oct 2024 12:06:00 -0700
+Subject: [PATCH] Issue #1840: Fix the computation of the RADIUS
+ Message-Authenticator signature to conform more properly to RFC 2869. (#1843)
+
+---
+ contrib/mod_radius.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/mod_radius.c b/contrib/mod_radius.c
+index f232e99290..057bd1a377 100644
+--- a/contrib/mod_radius.c
++++ b/contrib/mod_radius.c
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD: mod_radius -- a module for RADIUS authentication and accounting
+- * Copyright (c) 2001-2022 TJ Saunders
++ * Copyright (c) 2001-2024 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -2266,8 +2266,11 @@ static int radius_verify_auth_mac(radius_packet_t *pkt, 
const char *pkt_type,
+       memset(replied, '\0', sizeof(replied));
+       memcpy(replied, attrib->data, attrib_len);
+ 
+-      /* Next, zero out the value so that we can calculate it ourselves. */
+-      memset(attrib->data, '\0', attrib_len);
++      /* Next, zero out the value so that we can calculate it ourselves.
++       *
++       * Note that we only want to zero out the first 16 bytes, per RFC 2869.
++       */
++      memset(attrib->data, '\0', expected_len);
+ 
+       memset(digest, '\0', sizeof(digest));
+       md = EVP_md5();
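Review bot: `memset(attrib->data, '\0', expected_len);` now zeroes only the 16-octet Message-Authenticator value, while the preceding `memcpy(replied, attrib->data, attrib_len);` still copies `attrib_len` bytes, so the copy and the zeroing cover different spans whenever the two lengths differ; the hunk does not show whether `attrib_len` is compared against `expected_len` (and `replied` sized accordingly) earlier in `radius_verify_auth_mac`. That check should be confirmed to reject a malformed attribute before this point, and the comment could name the RFC 2869 Message-Authenticator attribute explicitly so the reason for the 16-byte limit is clear without looking up the issue.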
diff -Nru 
proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff
 
proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff
--- 
proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff
        1970-01-01 01:00:00.000000000 +0100
+++ 
proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff
        2026-05-01 22:00:38.000000000 +0200
@@ -0,0 +1,44 @@
+From 9b2b4a3e32d251798bf8fa841b124ab15ba58f11 Mon Sep 17 00:00:00 2001
+From: TJ Saunders <[email protected]>
+Date: Sun, 9 Feb 2025 12:13:48 -0800
+Subject: [PATCH] Manually backporting some of the null pointer guards from
+ Issue #1866 to the 1.3.8 branch.
+
+---
+ modules/mod_ls.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/mod_ls.c b/modules/mod_ls.c
+index 5458ccc74d..980691b9d6 100644
+--- a/modules/mod_ls.c
++++ b/modules/mod_ls.c
+@@ -2,7 +2,7 @@
+  * ProFTPD - FTP server daemon
+  * Copyright (c) 1997, 1998 Public Flood Software
+  * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <[email protected]>
+- * Copyright (c) 2001-2022 The ProFTPD Project
++ * Copyright (c) 2001-2024 The ProFTPD Project
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -360,7 +360,8 @@ static int sendline(int flags, char *fmt, ...) {
+           errno != 0) {
+         int xerrno = errno;
+ 
+-        if (session.d != NULL) {
++        if (session.d != NULL &&
++            session.d->outstrm != NULL) {
+           xerrno = PR_NETIO_ERRNO(session.d->outstrm);
+         }
+ 
+@@ -1101,7 +1102,9 @@ static int outputfiles(cmd_rec *cmd) {
+     return res;
+   }
+ 
+-  tail->down = NULL;
++  if (tail != NULL) {
++    tail->down = NULL;
++  }
+   tail = NULL;
+   colwidth = (colwidth | 7) + 1;
+   if (opt_l || !opt_C) {
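Review bot: `if (tail != NULL) { tail->down = NULL; }` prevents the NULL write, but the hunk leaves it implicit when `tail` can be NULL here (no entries collected by the loop above). Since `colwidth = (colwidth | 7) + 1;` and the listing code that follows now run on an empty list, please confirm they tolerate that case, and a short comment on the condition (e.g. "no entries were collected") would document what the guard covers for the next reader.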
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/series 
proftpd-dfsg-1.3.8+dfsg/debian/patches/series
--- proftpd-dfsg-1.3.8+dfsg/debian/patches/series       2024-11-30 
23:32:48.000000000 +0100
+++ proftpd-dfsg-1.3.8+dfsg/debian/patches/series       2026-05-01 
22:00:38.000000000 +0200
@@ -21,3 +21,6 @@
 bcec15efe6c53dac40420731013f1cd2fd54123b.diff
 97bbe68363ccf2de0c07f67170ec64a8b4d62592.diff
 5031d498a71c493b9659e2b5ccafde58b0897e30.diff
+9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff
+3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff
+2052_pghmcfc.diff
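Review bot: `2052_pghmcfc.diff` breaks the naming convention of every other entry in `series`, which are named after the upstream commit hash; the patch header gives that hash (`From 415395b795436ae47cc25b2394e80033b80f11be`), so naming the file `415395b795436ae47cc25b2394e80033b80f11be.diff` would keep the list uniform and make the upstream origin obvious from the name alone.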

Attachment: signature.asc
Description: PGP signature


--- End Message ---
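As an added illustration of what the mod_sql change in 2052_pghmcfc.diff does (example code written for this page, not code from the bug report or from proftpd), the following Python model re-implements the Issue #1149 heuristic, the new `already_escaped` flag, and a caller that escapes client-supplied variables up front, then renders a constructed SQLLog-style template both the old way and the new way. The backend escaping rule (doubling single quotes), the `{USER}` template syntax, the abbreviated variable names and the sample values are all assumptions of this example; the `string_literals` scanner is included only to show which parts of the rendered statement a SQL parser would treat as data.

```python
import re


# Stand-in for the backend's sql_escapestring call: doubles single quotes,
# which is how the MySQL and PostgreSQL backends quote a string value.
# Constructed for this example; real mod_sql dispatches to the driver.
def sql_escapestring(text):
    return text.replace("'", "''")


# Port of the Issue #1149 heuristic quoted in the patch: a value quoted at
# both ends with no other single quote inside is assumed to be escaped.
def is_escaped_text(text):
    return (len(text) >= 2 and text[0] == "'" and text[-1] == "'"
            and "'" not in text[1:-1])


# Variables whose value the client controls, following the case labels the
# patch moves into the pre-escaped group (LOGFMT_META_ prefix dropped; the
# names are this example's own).
CLIENT_SUPPLIED = frozenset({
    "USER", "ORIGINAL_USER", "FILENAME", "COMMAND", "CMD_PARAMS",
    "DIR_PATH", "RENAME_FROM", "XFER_PATH", "REMOTE_HOST",
})


def resolve_on_meta(meta, val, hardened):
    """Models sql_resolve_on_meta: returns (text, already_escaped).
    With hardened=True, client-supplied values are escaped here and the
    flag tells the appender not to apply the heuristic again."""
    if hardened and meta in CLIENT_SUPPLIED:
        return sql_escapestring(val), True
    return val, False


def append_text(buf, text, already_escaped):
    """Models sql_resolved_append_text after the patch: the heuristic runs
    only when the caller has not already escaped the text."""
    if not already_escaped and not is_escaped_text(text):
        text = sql_escapestring(text)
    return buf + text


def render(template, values, hardened):
    """Expands {NAME} placeholders in a constructed SQLLog-style template.
    Literal template text is copied verbatim in this model; only resolved
    variable values go through append_text."""
    out = ""
    for piece in re.split(r"(\{[A-Z_]+\})", template):
        if piece.startswith("{") and piece.endswith("}"):
            name = piece[1:-1]
            text, already = resolve_on_meta(name, values[name], hardened)
            out = append_text(out, text, already)
        else:
            out += piece
    return out


def string_literals(sql):
    """Tiny scanner for single-quoted SQL literals with '' as the escape.
    Returns the decoded literal values in order; anything outside a
    literal is, from the parser's point of view, statement rather than data."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        i += 1
        buf = []
        while True:
            if i >= n:
                raise ValueError("unterminated string literal")
            if sql[i] == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    buf.append("'")
                    i += 2
                    continue
                i += 1
                break
            buf.append(sql[i])
            i += 1
        out.append("".join(buf))
    return out


# Constructed sample: a client-chosen user name that happens to satisfy the
# "already quoted" heuristic, logged through a quoted template.
TEMPLATE = "INSERT INTO xfers VALUES ('{USER}', '{FILENAME}')"
SAMPLE = {"USER": "'alice'", "FILENAME": "report.txt"}

if __name__ == "__main__":
    for hardened in (False, True):
        sql = render(TEMPLATE, SAMPLE, hardened)
        print("hardened" if hardened else "legacy  ", sql, string_literals(sql))
```

Run stand-alone it prints the legacy and hardened renderings. On the legacy path the value `'alice'` passes the heuristic and is appended untouched, so the template's own quotes pair with the value's quotes and `alice` ends up outside any literal; on the hardened path the value is escaped first and arrives with `already_escaped=True`, so it is neither skipped by the heuristic nor escaped twice. Calling `append_text` on the escaped value with `already_escaped=False` shows the other failure the flag prevents: the heuristic no longer recognises `''alice''` as quoted and escapes it a second time.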
--- Begin Message ---
Package: release.debian.org
Version: 12.14

This update has been released as part of Debian 12.14.

--- End Message ---
