2 files changed, 144 insertions, 1 deletions
diff --git a/meta-networking/recipes-daemons/proftpd/files/proftpd-sftp.patch b/meta-networking/recipes-daemons/proftpd/files/proftpd-sftp.patch
new file mode 100644
index 000000000..8c71263b0
--- /dev/null
+++ b/meta-networking/recipes-daemons/proftpd/files/proftpd-sftp.patch
@@ -0,0 +1,142 @@
+proftpd/mod_sftp: fix too much memory allocation bug of mod_sftp
+This patch fixes the too much memory allocation bug of the mod_sftp by
+ensuring both that a) the received response count matches the number of
+challenges sent, and b) that the received response count is not too high
+(as an additional sanity check); the upper bound is still set to 500.
+The patch is picked from: http://bugs.proftpd.org/show_bug.cgi?id=3973
+Upstream-Status: Backport CVE-2013-4359
+diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
+index 0271fb2..de651fa 100644
+--- a/contrib/mod_sftp/kbdint.c
+++ b/contrib/mod_sftp/kbdint.c
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - mod_sftp keyboard-interactive driver mgmt
+- * Copyright (c) 2008-2009 TJ Saunders
+ * Copyright (c) 2008-2013 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -31,6 +31,8 @@
+ #include "utf8.h"
+ #include "kbdint.h"
+ 
+#define SFTP_KBDINT_MAX_RESPONSES      500
+
+ struct kbdint_driver {
+   struct kbdint_driver *next, *prev;
+ 
+@@ -252,8 +254,8 @@ int sftp_kbdint_send_challenge(const char *user, const char *instruction,
+   return res;
+ }
+ 
+-int sftp_kbdint_recv_response(pool *p, unsigned int *count,
+-    const char ***responses) {
+int sftp_kbdint_recv_response(pool *p, unsigned int expected_count,
+    unsigned int *rcvd_count, const char ***responses) {
+   register unsigned int i;
+   char *buf;
+   cmd_rec *cmd;
+@@ -264,7 +266,7 @@ int sftp_kbdint_recv_response(pool *p, unsigned int *count,
+   int res;
+ 
+   if (p == NULL ||
+-      count == NULL ||
+      rcvd_count == NULL ||
+       responses == NULL) {
+     errno = EINVAL;
+     return -1;
+@@ -299,6 +301,29 @@ int sftp_kbdint_recv_response(pool *p, unsigned int *count,
+ 
+   resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);
+ 
+  /* Ensure that the number of responses sent by the client is the same
+   * as the number of challenges sent, lest a malicious client attempt to
+   * trick us into allocating too much memory (Bug#3973).
+   */
+  if (resp_count != expected_count) {
+    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
+      "sent %lu %s, but received %lu %s", (unsigned long) expected_count,
+      expected_count != 1 ? "challenges" : "challenge",
+      (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");
+    destroy_pool(pkt->pool);
+    errno = EPERM;
+    return -1;
+  }
+
+  if (resp_count > SFTP_KBDINT_MAX_RESPONSES) {
+    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
+      "received too many responses (%lu > max %lu), rejecting",
+      (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);
+    destroy_pool(pkt->pool);
+    errno = EPERM;
+    return -1;
+  }
+
+   list = make_array(p, resp_count, sizeof(char *));
+   for (i = 0; i < resp_count; i++) {
+     char *resp;
+@@ -307,7 +332,7 @@ int sftp_kbdint_recv_response(pool *p, unsigned int *count,
+     *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
+   }
+ 
+-  *count = (unsigned int) resp_count;
+  *rcvd_count = (unsigned int) resp_count;
+   *responses = ((const char **) list->elts);
+   return 0;
+ }
+diff --git a/contrib/mod_sftp/mod_sftp.h.in b/contrib/mod_sftp/mod_sftp.h.in
+index 3e91390..c547be0 100644
+--- a/contrib/mod_sftp/mod_sftp.h.in
+++ b/contrib/mod_sftp/mod_sftp.h.in
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - mod_sftp
+- * Copyright (c) 2008-2011 TJ Saunders
+ * Copyright (c) 2008-2013 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -174,7 +174,8 @@ int sftp_kbdint_register_driver(const char *name, sftp_kbdint_driver_t *driver);
+ int sftp_kbdint_unregister_driver(const char *name);
+ int sftp_kbdint_send_challenge(const char *, const char *, unsigned int,
+   sftp_kbdint_challenge_t *);
+-int sftp_kbdint_recv_response(pool *, unsigned int *, const char ***);
+int sftp_kbdint_recv_response(pool *, unsigned int, unsigned int *,
+  const char ***);
+ 
+ /* API for modules that which to register keystores, for the
+  * SFTPAuthorizedHostKeys and SFTPAuthorizedUserKeys directives.
+diff --git a/contrib/mod_sftp_pam.c b/contrib/mod_sftp_pam.c
+index 6c32df0..81aa113 100644
+--- a/contrib/mod_sftp_pam.c
+++ b/contrib/mod_sftp_pam.c
+@@ -179,22 +179,13 @@ static int sftppam_converse(int nmsgs, PR_PAM_CONST struct pam_message **msgs,
+     return PAM_CONV_ERR;
+   }
+ 
+-  if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, &recvd_count,
+-      &recvd_responses) < 0) {
+  if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, list->nelts,
+      &recvd_count, &recvd_responses) < 0) {
+     pr_trace_msg(trace_channel, 3,
+       "error receiving keyboard-interactive responses: %s", strerror(errno));
+     return PAM_CONV_ERR;
+   }
+ 
+-  /* Make sure that the count of responses matches the challenge count. */
+-  if (recvd_count != list->nelts) {
+-    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_PAM_VERSION,
+-      "sent %d %s, but received %u %s", nmsgs,
+-      list->nelts != 1 ? "challenges" : "challenge", recvd_count,
+-      recvd_count != 1 ? "responses" : "response");
+-    return PAM_CONV_ERR;
+-  }
+-
+   res = calloc(nmsgs, sizeof(struct pam_response));
+   if (res == NULL) {
+     pr_log_pri(PR_LOG_CRIT, "Out of memory!");
diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
index 4d2fcd725..a5e766af5 100644
--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "http://www.proftpd.org"
 LICENSE = "GPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=fb0d1484d11915fa88a6a7702f1dc184"
-PR = "r3"
+PR = "r4"
 SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \
           file://make.patch \
@@ -15,6 +15,7 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \
           file://move-pidfile-to-var-run.patch \
           file://close-RequireValidShell-check.patch \
           file://move-runfile-to-var-run.patch \
+           file://proftpd-sftp.patch \
 "
 SRC_URI[md5sum] = "0871e0b93c9c3c88ca950b6d9a04aed2"

diff --git a/meta-networking/recipes-daemons/proftpd/files/proftpd-sftp.patch b/meta-networking/recipes-daemons/proftpd/files/proftpd-sftp.patch new file mode 100644 index 000000000..8c71263b0 --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/proftpd-sftp.patch
@@ -0,0 +1,142 @@
		1	proftpd/mod_sftp: fix too much memory allocation bug of mod_sftp
		2
		3	This patch fixes the too much memory allocation bug of the mod_sftp by
		4	ensuring both that a) the received response count matches the number of
		5	challenges sent, and b) that the received response count is not too high
		6	(as an additional sanity check); the upper bound is still set to 500.
		7
		8	The patch is picked from: http://bugs.proftpd.org/show_bug.cgi?id=3973
		9
		10	Upstream-Status: Backport CVE-2013-4359
		11
		12	diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
		13	index 0271fb2..de651fa 100644
		14	--- a/contrib/mod_sftp/kbdint.c
		15	+++ b/contrib/mod_sftp/kbdint.c
		16	@@ -1,6 +1,6 @@
		17	/*
		18	* ProFTPD - mod_sftp keyboard-interactive driver mgmt
		19	- * Copyright (c) 2008-2009 TJ Saunders
		20	+ * Copyright (c) 2008-2013 TJ Saunders
		21	*
		22	* This program is free software; you can redistribute it and/or modify
		23	* it under the terms of the GNU General Public License as published by
		24	@@ -31,6 +31,8 @@
		25	#include "utf8.h"
		26	#include "kbdint.h"
		27
		28	+#define SFTP_KBDINT_MAX_RESPONSES 500
		29	+
		30	struct kbdint_driver {
		31	struct kbdint_driver next, prev;
		32
		33	@@ -252,8 +254,8 @@ int sftp_kbdint_send_challenge(const char user, const char instruction,
		34	return res;
		35	}
		36
		37	-int sftp_kbdint_recv_response(pool p, unsigned int count,
		38	- const char ***responses) {
		39	+int sftp_kbdint_recv_response(pool *p, unsigned int expected_count,
		40	+ unsigned int rcvd_count, const char **responses) {
		41	register unsigned int i;
		42	char *buf;
		43	cmd_rec *cmd;
		44	@@ -264,7 +266,7 @@ int sftp_kbdint_recv_response(pool p, unsigned int count,
		45	int res;
		46
		47	if (p == NULL \|\|
		48	- count == NULL \|\|
		49	+ rcvd_count == NULL \|\|
		50	responses == NULL) {
		51	errno = EINVAL;
		52	return -1;
		53	@@ -299,6 +301,29 @@ int sftp_kbdint_recv_response(pool p, unsigned int count,
		54
		55	resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);
		56
		57	+ /* Ensure that the number of responses sent by the client is the same
		58	+ * as the number of challenges sent, lest a malicious client attempt to
		59	+ * trick us into allocating too much memory (Bug#3973).
		60	+ */
		61	+ if (resp_count != expected_count) {
		62	+ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
		63	+ "sent %lu %s, but received %lu %s", (unsigned long) expected_count,
		64	+ expected_count != 1 ? "challenges" : "challenge",
		65	+ (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");
		66	+ destroy_pool(pkt->pool);
		67	+ errno = EPERM;
		68	+ return -1;
		69	+ }
		70	+
		71	+ if (resp_count > SFTP_KBDINT_MAX_RESPONSES) {
		72	+ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
		73	+ "received too many responses (%lu > max %lu), rejecting",
		74	+ (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);
		75	+ destroy_pool(pkt->pool);
		76	+ errno = EPERM;
		77	+ return -1;
		78	+ }
		79	+
		80	list = make_array(p, resp_count, sizeof(char *));
		81	for (i = 0; i < resp_count; i++) {
		82	char *resp;
		83	@@ -307,7 +332,7 @@ int sftp_kbdint_recv_response(pool p, unsigned int count,
		84	((char *) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
		85	}
		86
		87	- *count = (unsigned int) resp_count;
		88	+ *rcvd_count = (unsigned int) resp_count;
		89	responses = ((const char *) list->elts);
		90	return 0;
		91	}
		92	diff --git a/contrib/mod_sftp/mod_sftp.h.in b/contrib/mod_sftp/mod_sftp.h.in
		93	index 3e91390..c547be0 100644
		94	--- a/contrib/mod_sftp/mod_sftp.h.in
		95	+++ b/contrib/mod_sftp/mod_sftp.h.in
		96	@@ -1,6 +1,6 @@
		97	/*
		98	* ProFTPD - mod_sftp
		99	- * Copyright (c) 2008-2011 TJ Saunders
		100	+ * Copyright (c) 2008-2013 TJ Saunders
		101	*
		102	* This program is free software; you can redistribute it and/or modify
		103	* it under the terms of the GNU General Public License as published by
		104	@@ -174,7 +174,8 @@ int sftp_kbdint_register_driver(const char name, sftp_kbdint_driver_t driver);
		105	int sftp_kbdint_unregister_driver(const char *name);
		106	int sftp_kbdint_send_challenge(const char , const char , unsigned int,
		107	sftp_kbdint_challenge_t *);
		108	-int sftp_kbdint_recv_response(pool , unsigned int , const char ***);
		109	+int sftp_kbdint_recv_response(pool , unsigned int, unsigned int ,
		110	+ const char ***);
		111
		112	/* API for modules that which to register keystores, for the
		113	* SFTPAuthorizedHostKeys and SFTPAuthorizedUserKeys directives.
		114	diff --git a/contrib/mod_sftp_pam.c b/contrib/mod_sftp_pam.c
		115	index 6c32df0..81aa113 100644
		116	--- a/contrib/mod_sftp_pam.c
		117	+++ b/contrib/mod_sftp_pam.c
		118	@@ -179,22 +179,13 @@ static int sftppam_converse(int nmsgs, PR_PAM_CONST struct pam_message **msgs,
		119	return PAM_CONV_ERR;
		120	}
		121
		122	- if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, &recvd_count,
		123	- &recvd_responses) < 0) {
		124	+ if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, list->nelts,
		125	+ &recvd_count, &recvd_responses) < 0) {
		126	pr_trace_msg(trace_channel, 3,
		127	"error receiving keyboard-interactive responses: %s", strerror(errno));
		128	return PAM_CONV_ERR;
		129	}
		130
		131	- /* Make sure that the count of responses matches the challenge count. */
		132	- if (recvd_count != list->nelts) {
		133	- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_PAM_VERSION,
		134	- "sent %d %s, but received %u %s", nmsgs,
		135	- list->nelts != 1 ? "challenges" : "challenge", recvd_count,
		136	- recvd_count != 1 ? "responses" : "response");
		137	- return PAM_CONV_ERR;
		138	- }
		139	-
		140	res = calloc(nmsgs, sizeof(struct pam_response));
		141	if (res == NULL) {
		142	pr_log_pri(PR_LOG_CRIT, "Out of memory!");


diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb index 4d2fcd725..a5e766af5 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "http://www.proftpd.org"
4	LICENSE = "GPLv2+"	4	LICENSE = "GPLv2+"
5	LIC_FILES_CHKSUM = "file://COPYING;md5=fb0d1484d11915fa88a6a7702f1dc184"	5	LIC_FILES_CHKSUM = "file://COPYING;md5=fb0d1484d11915fa88a6a7702f1dc184"
6		6
7	PR = "r3"	7	PR = "r4"
8		8
9	SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \	9	SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \
10	file://make.patch \	10	file://make.patch \
@@ -15,6 +15,7 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \
15	file://move-pidfile-to-var-run.patch \	15	file://move-pidfile-to-var-run.patch \
16	file://close-RequireValidShell-check.patch \	16	file://close-RequireValidShell-check.patch \
17	file://move-runfile-to-var-run.patch \	17	file://move-runfile-to-var-run.patch \
		18	file://proftpd-sftp.patch \
18	"	19	"
19		20
20	SRC_URI[md5sum] = "0871e0b93c9c3c88ca950b6d9a04aed2"	21	SRC_URI[md5sum] = "0871e0b93c9c3c88ca950b6d9a04aed2"