| Summary: | proftpd use after free memory corruption error | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Dave Hodgins <davidwhodgins> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | | |
| Priority: | Normal | CC: | dmorganec, ennael1, luigiwalser, mageia, misc, pterjan, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.h-online.com/security/news/item/Critical-bug-in-ProFTPD-closed-1377080.html | | |
| Whiteboard: | | | |
| Source RPM: | proftpd-1.3.3e-3.mga1.src.rpm | CVE: | |
| Status comment: | | | |
|
Description
Dave Hodgins
2011-11-10 20:48:03 CET

Hi, thanks for the bug report. As there is no maintainer of this package, I add the committers in the CC list.

CC: (none) => ennael1, mageia, misc, pterjan

Ping? Mandriva has issued this update: http://lists.mandriva.com/security-announce/2011-12/msg00003.php

CC: (none) => luigiwalser

Please test proftpd-1.3.3g that fixes this CVE

CC: (none) => dmorganec

No POC but the vulnerability involved the use of SSL so testing with mod_tls

x86_64

To test I installed proftpd and proftpd-mod_tls

I largely followed the configuration instructions here substituting some paths:
http://www.howtoforge.com/setting-up-proftpd-tls-on-ubuntu-10.04-lucid-lynx

```
# mkdir /etc/proftpd.d/ssl
# openssl req -new -x509 -days 365 -nodes -out /etc/proftpd.d/ssl/proftpd.cert.pem -keyout /etc/proftpd.d/ssl/proftpd.key.pem
```

Enter the requested information, it doesn't have to be real.

Edit /etc/proftpd.conf and look for the part below:

```
<IfModule mod_tls.c>
TLSEngine off
</IfModule>
```

Change it to:

```
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/proftpd.d/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd.d/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
</IfModule>
```

Save it and restart proftpd. If you need to accept non-encrypted connections as well then TLSRequired can be set to off.

```
# service proftpd restart
Stopping proftpd [ OK ]
Starting proftpd [ OK ]
```

I used FileZilla to connect to localhost with the following settings:

```
Host: localhost
Port: Empty
Protocol: FTP
Encryption: Require explicit FTP over TLS
Logon Type: Normal
User: <Linux username>
Password: <Linux user password>
```

Connected and was able to access my home directory. When it connects it asks to accept the certificate.

No regressions noticed after the update.

Testing complete x86_64

Hardware: i586 => All

Testing complete on i586 using same procedure as Comment 5 (Thanks Claire), except running filezilla in a vb mageia 1 guest, with proftpd on the host.

Could someone from the sysadmin team push the srpm proftpd-1.3.3g-0.1.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory: This security update for proftpd corrects a use-after-free memory corruption error. See http://www.h-online.com/security/news/item/Critical-bug-in-ProFTPD-closed-1377080.html for more information.

https://bugs.mageia.org/show_bug.cgi?id=3311

Keywords: (none) => validated_update

update pushed.

Status: NEW => RESOLVED
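An added checker for the `<IfModule mod_tls.c>` block used in the testing comment above (example code written for this page, not part of the bug, of Mageia's packaging or of ProFTPD): it parses the block and flags the test-only choices a reviewer would want tightened before the same configuration is reused on a real server. The sample block is copied from the comment; directive meanings follow ProFTPD's mod_tls documentation, and the "hardened" variant is an assumed, minimally tightened version of it.

```python
import re

# Constructed sample: the mod_tls block the tester posted above.
TEST_CONF = """<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/proftpd.d/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd.d/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
</IfModule>"""

# Assumed hardened variant: TLS only, no client-initiated renegotiation.
# (Newer ProFTPD releases also accept TLSv1.2 and later as TLSProtocol values.)
HARDENED_CONF = TEST_CONF.replace("TLSProtocol SSLv23", "TLSProtocol TLSv1") \
                         .replace(" AllowClientRenegotiations", "")

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv23"}  # SSLv23 negotiates legacy SSL too

def parse_mod_tls(conf):
    """Return {directive: [args]} for the directives inside <IfModule mod_tls.c>."""
    m = re.search(r"<IfModule\s+mod_tls\.c>(.*?)</IfModule>", conf, re.S | re.I)
    if not m:
        return {}
    directives = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def audit_mod_tls(conf):
    """Return findings (strings) for settings a reviewer would want tightened."""
    d = parse_mod_tls(conf)
    if not d or d.get("TLSEngine", ["off"])[0].lower() != "on":
        return ["mod_tls block missing or TLSEngine off: no TLS at all"]
    findings = []
    weak = LEGACY_PROTOCOLS & set(d.get("TLSProtocol", ["SSLv23"]))
    if weak:
        findings.append("TLSProtocol %s allows legacy SSL versions; restrict to TLS"
                        % " ".join(sorted(weak)))
    if "AllowClientRenegotiations" in d.get("TLSOptions", []):
        findings.append("AllowClientRenegotiations re-enables client-initiated "
                        "renegotiation; drop it unless a client needs it")
    if d.get("TLSRequired", ["off"])[0].lower() == "off":
        findings.append("TLSRequired off: unencrypted logins are still accepted")
    return findings
```

Run `audit_mod_tls(TEST_CONF)` to see the two findings for the tester's block and `audit_mod_tls(HARDENED_CONF)` to confirm the tightened variant reports none.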