Hi,

Nico Golde suggested I prepare a package of linux-ftpd-ssl for a
stable point release, fixing CVE-2008-4247, as it doesn't warrant
a DSA.

SRMs, is the patch below OK?

Are DMs allowed to upload to stable? If not, could someone sponsor the upload?
The package is at:

http://erislabs.net/ianb/debian/linux-ftpd-ssl_0.17.18+0.3-6etch1.dsc

thanks,

Ian

diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/debian/changelog 
linux-ftpd-ssl-0.17.18+0.3-6etch1/debian/changelog
--- linux-ftpd-ssl-0.17.18+0.3-6/debian/changelog       2008-12-06 
17:56:10.000000000 +0000
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/debian/changelog  2008-12-07 
23:48:44.000000000 +0000
@@ -1,3 +1,10 @@
+linux-ftpd-ssl (0.17.18+0.3-6etch1) stable; urgency=low
+
+  * Fix CVE-2008-4247, a cross-site request forgery caused by splitting
+    long command lines (Closes: #500518).
+
+ -- Ian Beckwith <[EMAIL PROTECTED]>  Sun, 07 Dec 2008 23:48:44 +0000
+
 linux-ftpd-ssl (0.17.18+0.3-6) unstable; urgency=low
 
   * Move the certificate file to /etc/ftpd-ssl. Patch from James Westby
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/ftpd/extern.h 
linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/extern.h
--- linux-ftpd-ssl-0.17.18+0.3-6/ftpd/extern.h  1999-07-16 02:12:54.000000000 
+0100
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/extern.h     2008-10-16 
23:16:45.000000000 +0100
@@ -43,7 +43,7 @@
 void   fatal __P((const char *));
 int    ftpd_pclose __P((FILE *));
 FILE   *ftpd_popen __P((char *, const char *));
-char   *ftpd_getline __P((char *, int, FILE *));
+int     ftpd_getline __P((char *, int, FILE *));
 void   ftpdlogwtmp __P((const char *, const char *, const char *));
 void   lreply __P((int, const char *, ...));
 void   makedir __P((char *));
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpcmd.y 
linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpcmd.y
--- linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpcmd.y  2008-12-06 17:56:10.000000000 
+0000
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpcmd.y     2008-10-16 
23:16:45.000000000 +0100
@@ -980,7 +980,7 @@
 /*
  * getline - a hacked up version of fgets to ignore TELNET escape codes.
  */
-char * ftpd_getline(char *s, int n, FILE *iop)
+int ftpd_getline(char *s, int n, FILE *iop)
 {
        int c;
        register char *cs;
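Review bot: The header comment above ftpd_getline still only says it is a hacked-up fgets, while the new integer return has three values that the callers in the later hunks must tell apart. I would extend that comment to state the contract: `Returns 0 when a complete line is in s, -1 on EOF with nothing read, and -2 when the line did not fit in n bytes; in the -2 case the rest of the line has already been consumed and s is NOT NUL-terminated.` The body of ftpd_getline continues outside this hunk.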
@@ -995,7 +995,7 @@
                        if (debug)
                                syslog(LOG_FTP | LOG_DEBUG, "command: %s", s);
                        tmpline[0] = '\0';
-                       return(s);
+                       return(0);
                }
                if (c == 0)
                        tmpline[0] = '\0';
@@ -1037,11 +1037,22 @@
                    }
                }
                *cs++ = c;
-               if (--n <= 0 || c == '\n')
+               if (--n <= 0) {
+                       /*
+                        * If command doesn't fit into buffer, discard the
+                        * rest of the command and indicate truncation.
+                        * This prevents the command to be split up into
+                        * multiple commands.
+                        */
+                      while (c != '\n' && (c = GETC(iop)) != EOF)
+                               ;
+                       return (-2);
+               }
+               if (c == '\n')
                        break;
        }
        if (c == EOF && cs == s)
-               return (NULL);
+               return (-1);
        *cs++ = '\0';
        if (debug) {
                if (!guest && strncasecmp("pass ", s, 5) == 0) {
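Review bot: The length test at `if (--n <= 0) {` now runs before the newline test, so a line whose '\n' is exactly the n-th byte is reported as truncated although it fit; the old code accepted it (break, then NUL at s[n]), which is what the CMD caller's sizeof(cbuf)-1 budgets for. If that exact-fit case should still be accepted, write `if (--n <= 0 && c != '\n') {` so the following `if (c == '\n') break;` handles it and the NUL still lands at s[n] as before. The discard loop also swallows whatever TELNET escape bytes are in the dropped remainder without the handling this function exists for (see its header comment); that is probably acceptable for an over-long command, but a one-line comment saying it is deliberate would help. The `while` line at the top of the new block is indented one column short of the surrounding code.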
@@ -1061,7 +1072,7 @@
                        syslog(LOG_FTP | LOG_DEBUG, "command: %.*s", len, s);
                }
        }
-       return (s);
+       return (0);
 }
 
 void toolong(int signo)
@@ -1090,9 +1101,14 @@
                case CMD:
                        (void) signal(SIGALRM, toolong);
                        (void) alarm((unsigned) timeout);
-                       if (ftpd_getline(cbuf, sizeof(cbuf)-1, stdin)==NULL) {
-                               reply(221, "You could at least say goodbye.");
-                               dologout(0);
+                       n=ftpd_getline(cbuf, sizeof(cbuf)-1, stdin);
+                       if (n == -1) {
+                                reply(221, "You could at least say goodbye.");
+                                dologout(0);
+                       } else if (n == -2) {
+                                reply(500, "Command too long.");
+                                alarm(0);
+                                continue;
                        }
                        (void) alarm(0);
                        if ((cp = strchr(cbuf, '\r'))) {
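Review bot: The bodies of the two new branches (`reply(221, ...)`, `dologout(0);`, `reply(500, ...)`, `alarm(0);`, `continue;`) are indented one column deeper than the old `reply(221, ...)` line they replace, which looks like spaces mixed into a tab-indented file; re-indent them to the level of the removed lines. The `continue` relies on the loop enclosing this `switch`, which starts outside the hunk. Minor: `n = ftpd_getline(cbuf, sizeof(cbuf)-1, stdin);` matches the spacing around `=` used elsewhere in the hunk.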
diff -Naur linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpd.c 
linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpd.c
--- linux-ftpd-ssl-0.17.18+0.3-6/ftpd/ftpd.c    2008-12-06 17:56:10.000000000 
+0000
+++ linux-ftpd-ssl-0.17.18+0.3-6etch1/ftpd/ftpd.c       2008-10-16 
23:16:45.000000000 +0100
@@ -2576,6 +2576,7 @@
 static void myoob(int signo)
 {
        char *cp;
+       int ret;
        int save_errno = errno;
 
        (void)signo;
@@ -2584,9 +2585,13 @@
        if (!transflag)
                return;
        cp = tmpline;
-       if (ftpd_getline(cp, 7, stdin) == NULL) {
+       ret=ftpd_getline(cp, 7, stdin);
+       if (ret == -1) {
                reply(221, "You could at least say goodbye.");
                dologout(0);
+       } else if (ret == -2) {
+               /* Ignore truncated command */
+               return;
        }
        upper(cp);
        if (strcmp(cp, "ABOR\r\n") == 0) {
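Review bot: The new `return;` on the truncated-command path leaves errno as the stdio read in ftpd_getline left it, even though the handler saved it in save_errno at the top of the function in the previous hunk; if the handler's tail restores `errno = save_errno` as that variable suggests, this early exit skips it, and a signal handler that changes errno can corrupt error reporting in the interrupted call. Use `errno = save_errno; return;` here (the pre-existing `!transflag` return shares the gap, but it runs before this read). Since ftpd_getline does not NUL-terminate on -2, bailing out before `upper(cp)` is necessary, and the comment should say why: `/* -2: tmpline has no terminator, must not touch cp */`. The rest of myoob lies outside the hunk.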



-- 
Ian Beckwith - [EMAIL PROTECTED] - http://erislabs.net/ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5  4814 40EC C154 A8BA C1EA
Listening to: Mark Lanegan - Scraps At Midnight - Last One In The World
