Version in base suite: 1.3.1-17lenny2
Version in overlay suite: 1.3.1-17lenny3
Base version: proftpd-dfsg_1.3.1-17lenny2
Target version: proftpd-dfsg_1.3.1-17lenny4
Base file: /org/ftp.debian.org/ftp/pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.1-17lenny2.dsc
Target file: /org/ftp.debian.org/queue/p-u-new/proftpd-dfsg_1.3.1-17lenny4.dsc
debian/patches/3275.dpatch | 83 +++++++++++++++++++++++++++++++
debian/patches/3284.dpatch | 29 ++++++++++
proftpd-dfsg-1.3.1/debian/changelog | 14 +++++
proftpd-dfsg-1.3.1/debian/patches/00list | 2
4 files changed, 128 insertions(+)
diff -u proftpd-dfsg-1.3.1/debian/changelog proftpd-dfsg-1.3.1/debian/changelog
--- proftpd-dfsg-1.3.1/debian/changelog
+++ proftpd-dfsg-1.3.1/debian/changelog
@@ -1,3 +1,17 @@
+proftpd-dfsg (1.3.1-17lenny4) stable-security; urgency=high
+
+ * Security: added 3275.dpatch as taken from 1.3.2b branch to fix CVE-2009-3639.
+
+ -- Francesco Paolo Lovergine Tue, 27 Oct 2009 11:02:58 +0100
+
+proftpd-dfsg (1.3.1-17lenny3) stable; urgency=low
+
+ * [PATCH] Added 3284.dpatch to fix TCP_NODELAY misuse in inet.c core file.
+ It negatively impacts >= 1.3.1 versions. Backported from 1.3.2 branch.
+ See http://bugs.proftpd.org/show_bug.cgi?id=3284 for more information.
+
+ -- Francesco Paolo Lovergine Tue, 15 Sep 2009 14:36:19 +0200
+
 proftpd-dfsg (1.3.1-17lenny2) stable; urgency=low
 
 * Fixed 3173.dpatch to use pr_utf8_get_encoding() (supported in 1.3.1) instead of
diff -u proftpd-dfsg-1.3.1/debian/patches/00list proftpd-dfsg-1.3.1/debian/patches/00list
--- proftpd-dfsg-1.3.1/debian/patches/00list
+++ proftpd-dfsg-1.3.1/debian/patches/00list
@@ -31,0 +32,2 @@
+3284
+3275
only in patch2:
unchanged:
--- proftpd-dfsg-1.3.1.orig/debian/patches/3284.dpatch
+++ proftpd-dfsg-1.3.1/debian/patches/3284.dpatch
@@ -0,0 +1,29 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 3284.dpatch by Francesco Paolo Lovergine
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad 1.3.1~/src/inet.c 1.3.1/src/inet.c
+--- 1.3.1~/src/inet.c 2009-02-09 10:12:58.000000000 +0100
++++ 1.3.1/src/inet.c 2009-09-15 14:49:55.000000000 +0200
+@@ -609,6 +609,18 @@
+ strerror(errno));
+ }
+ }
++
++ if (c->wfd != -1)
++ if (setsockopt(c->wfd, tcp_level, TCP_NODELAY, (void *) &nodelay,
++ sizeof(nodelay)) < 0)
++ pr_log_pri(PR_LOG_NOTICE, "error setting write fd TCP_NODELAY: %s",
++ strerror(errno));
++
++ if (c->rfd != -1)
++ if (setsockopt(c->rfd, IPPROTO_TCP, TCP_NODELAY, (void *) &nodelay,
++ sizeof(nodelay)) < 0)
++ pr_log_pri(PR_LOG_NOTICE, "error setting read fd TCP_NODELAY: %s",
++ strerror(errno));
+ }
+ #endif /* TCP_NODELAY */
+ 
only in patch2:
unchanged:
--- proftpd-dfsg-1.3.1.orig/debian/patches/3275.dpatch
+++ proftpd-dfsg-1.3.1/debian/patches/3275.dpatch
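Review bot: The read-side call hard-codes `IPPROTO_TCP` while the write-side call just above it uses `tcp_level`, so the two setsockopt() calls added here can disagree about the option level on any platform where `tcp_level` resolves to something other than IPPROTO_TCP; use the same variable for both, `if (setsockopt(c->rfd, tcp_level, TCP_NODELAY, (void *) &nodelay,`. The four nested single-statement `if`s are unbraced, unlike the braced blocks whose closing `}` lines form the hunk's context, so bracing them would match the surrounding style and rule out a dangling-else slip on the next edit. The enclosing function begins outside the hunk, so where `tcp_level` is computed is not visible here. The dpatch header still reads `## DP: No description.`; a line such as `## DP: Also set TCP_NODELAY on the read and write fds (bug 3284, backported from 1.3.2).` would record the intent that only the changelog currently carries.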
@@ -0,0 +1,83 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 3275.dpatch by Francesco Paolo Lovergine
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: when validing SSL client certificates, proftpd does not properly
+## DP: check for embedded NULs.
+
+@DPATCH@
+diff -urNad 1.3.1~/contrib/mod_tls.c 1.3.1/contrib/mod_tls.c
+--- 1.3.1~/contrib/mod_tls.c 2009-10-26 14:15:25.000000000 +0100
++++ 1.3.1/contrib/mod_tls.c 2009-10-26 14:18:47.000000000 +0100
+@@ -471,14 +471,33 @@
+ const char *cert_dns_name = (const char *) name->d.ia5->data;
+ have_dns_ext = TRUE;
+
+- if (strcmp(cert_dns_name, conn->remote_name) != 0) {
+- tls_log("client cert dNSName value '%s' != client FQDN '%s'",
+- cert_dns_name, conn->remote_name);
++ /* Check for subjectAltName values which contain embedded
++ * NULs. This can cause verification problems (spoofing),
++ * e.g. if the string is "www.goodguy.com\0www.badguy.com"; the
++ * use of strcmp() only checks "www.goodguy.com".
++ */
++
++ if ((size_t) name->d.ia5->length != strlen(cert_dns_name)) {
++ tls_log("%s", "client cert dNSName contains embedded NULs, "
++ "rejecting as possible spoof attempt");
+
+ GENERAL_NAME_free(name);
+ sk_GENERAL_NAME_free(sk_alt_names);
+ X509_free(cert);
++ ok = FALSE;
+ return FALSE;
++
++ } else {
++ if (strcmp(cert_dns_name, conn->remote_name) != 0) {
++ tls_log("client cert dNSName value '%s' != client FQDN '%s'",
++ cert_dns_name, conn->remote_name);
++
++ GENERAL_NAME_free(name);
++ sk_GENERAL_NAME_free(sk_alt_names);
++ X509_free(cert);
++ ok = FALSE;
++ return FALSE;
++ }
+ }
+
+ tls_log("%s", "client cert dNSName matches client FQDN");
+@@ -1778,8 +1797,9 @@
+ /* Now we can go on with our post-handshake, application level
+ * requirement checks.
+ */
+- if (!tls_check_client_cert(ssl, conn))
++ if (!tls_check_client_cert(ssl, conn)) {
+ return -1;
++ }
+ }
+
+ /* Setup the TLS environment variables, if requested. */
+@@ -3579,8 +3599,10 @@
+ if (tls_accept(session.c, FALSE) < 0) {
+ tls_log("%s", "TLS/TLS-C negotiation failed on control channel");
+
+- if (tls_required_on_ctrl)
++ if (tls_required_on_ctrl) {
++ pr_response_send(R_550, "TLS handshake failed");
+ end_login(1);
++ }
+
+ /* If we reach this point, the debug logging may show gibberish
+ * commands from the client. In reality, this gibberish is probably
+@@ -3607,8 +3629,10 @@
+ if (tls_accept(session.c, FALSE) < 0) {
+ tls_log("%s", "SSL/TLS-P negotiation failed on control channel");
+
+- if (tls_required_on_ctrl)
++ if (tls_required_on_ctrl) {
++ pr_response_send(R_550, "TLS handshake failed");
+ end_login(1);
++ }
+
+ /* If we reach this point, the debug logging may show gibberish
+ * commands from the client. In reality, this gibberish is probably
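Review bot: The new guard `if ((size_t) name->d.ia5->length != strlen(cert_dns_name))` still runs strlen() (and, on the else path, strcmp()) over `name->d.ia5->data`, which OpenSSL does not promise is NUL-terminated, so a malformed dNSName can make both calls read past the ASN1_STRING buffer even though the embedded-NUL case is now rejected; bounding every access by the declared length closes that gap: `size_t dns_len = (size_t) name->d.ia5->length;`, then `if (memchr(cert_dns_name, '\0', dns_len) != NULL) {` for the reject branch and `} else if (dns_len != strlen(conn->remote_name) || memcmp(cert_dns_name, conn->remote_name, dns_len) != 0) {` for the mismatch branch. The `ok = FALSE;` added immediately before each `return FALSE;` has no observable effect unless `ok` is read on some path outside this hunk (the enclosing function, presumably tls_check_client_cert, begins and ends outside it); if it is only carried over from the 1.3.2 branch it deserves a one-line comment saying so, otherwise it should go. The two identical free-and-return sequences would read better as a single `goto reject;` cleanup label, which also keeps a future third exit path from forgetting a free. This hunk covers only the dNSName branch; if the same function also compares the certificate's subject CN against `conn->remote_name`, that comparison needs the same embedded-NUL treatment for the fix to be complete.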