Debian Bug report logs - #399070
CVE-2006-5815: remote code execution in ProFTPD

version graph

Package: proftpd; Maintainer for proftpd is (unknown);

Reported by: Modestas Vainius <geromanas@mailas.com>

Date: Fri, 17 Nov 2006 14:03:02 UTC

Severity: grave

Tags: security

Found in versions proftpd-dfsg/1.3.0-12, 1.3.0-13, 1.2.10-15sarge2

Fixed in versions proftpd-dfsg/1.3.0-13, proftpd-dfsg/1.3.0-15

Done: Francesco Paolo Lovergine <frankie@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#399070; Package proftpd. Full text and rfc822 format available.

Acknowledgement sent to Modestas Vainius <geromanas@mailas.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Francesco Paolo Lovergine <frankie@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Modestas Vainius <geromanas@mailas.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: proftpd: ProFTPD Unspecified Vulnerability (CVE-2006-5815)
Date: Fri, 17 Nov 2006 15:50:18 +0200
Package: proftpd
Version: 1.3.0-12
Severity: grave
Tags: security
Justification: user security hole

Hello,

it seems there is a security hole in proftpd. For more information, see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
http://secunia.com/advisories/22803/

It seems that no patch is available yet. Sarge version might also be
affected.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-2-amd64
Locale: LANG=lt_LT, LC_CTYPE=lt_LT (charmap=ISO-8859-13)



Reply sent to Francesco Paolo Lovergine <frankie@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Modestas Vainius <geromanas@mailas.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 399070-close@bugs.debian.org (full text, mbox):

From: Francesco Paolo Lovergine <frankie@debian.org>
To: 399070-close@bugs.debian.org
Subject: Bug#399070: fixed in proftpd-dfsg 1.3.0-13
Date: Mon, 20 Nov 2006 03:32:09 -0800
Source: proftpd-dfsg
Source-Version: 1.3.0-13

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive:

proftpd-dfsg_1.3.0-13.diff.gz
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-13.diff.gz
proftpd-dfsg_1.3.0-13.dsc
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-13.dsc
proftpd-doc_1.3.0-13_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-doc_1.3.0-13_all.deb
proftpd-ldap_1.3.0-13_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-ldap_1.3.0-13_all.deb
proftpd-mysql_1.3.0-13_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-mysql_1.3.0-13_all.deb
proftpd-pgsql_1.3.0-13_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-pgsql_1.3.0-13_all.deb
proftpd_1.3.0-13_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd_1.3.0-13_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 399070@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <frankie@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 20 Nov 2006 12:03:08 +0100
Source: proftpd-dfsg
Binary: proftpd proftpd-mysql proftpd-pgsql proftpd-ldap proftpd-doc
Architecture: source all i386
Version: 1.3.0-13
Distribution: unstable
Urgency: high
Maintainer: Francesco Paolo Lovergine <frankie@debian.org>
Changed-By: Francesco Paolo Lovergine <frankie@debian.org>
Description: 
 proftpd    - Versatile, virtual-hosting FTP daemon
 proftpd-doc - Versatile, virtual-hosting FTP daemon (Documentation)
 proftpd-ldap - Versatile, virtual-hosting FTP daemon
 proftpd-mysql - Versatile, virtual-hosting FTP daemon
 proftpd-pgsql - Versatile, virtual-hosting FTP daemon
Closes: 399070 399252
Changes: 
 proftpd-dfsg (1.3.0-13) unstable; urgency=high
 .
   * Security fix for CVE-2006-5815, DoS with low impact.
     (See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815)
     Patch cve_2006_5815 added, taken from main.c(1.292->1.294). Other
     vendors' patch (1.292->1.293) is wrong and causes segfault.
     Debian rocks as always instead ;-)
     (closes: #399070)
   * Updated german po file for debconf.
     (closes: #399252)
   * Updated italian po file for debconf.
Files: 
 541cf17d4d46a724dcba55fa0bcb2b50 926 net optional proftpd-dfsg_1.3.0-13.dsc
 588be1f023e8d9d3fb17696f33df8827 169610 net optional proftpd-dfsg_1.3.0-13.diff.gz
 a1b521bfa38bf7ee81bb472ab1fbd8ff 794676 net optional proftpd_1.3.0-13_i386.deb
 f4bc975664c256a6a80116735c70d532 492536 doc optional proftpd-doc_1.3.0-13_all.deb
 ba2187666244b2c166892c6235cee26d 161852 net optional proftpd-mysql_1.3.0-13_all.deb
 f165d9f0054ffce4957b5d992f8d67d9 161852 net optional proftpd-pgsql_1.3.0-13_all.deb
 917eb48ca739a7dda4d52110191fed81 161848 net optional proftpd-ldap_1.3.0-13_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFYZA1pFNRmenyx0cRAnHzAJ4qiSOYJpzRMnZwA8tzmzE7L4xOVwCghc72
q2bn6Hs0272Lur15YnNQnFY=
=OrAQ
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#399070; Package proftpd. Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <arthur@west.nl>:
Extra info received and forwarded to list. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>. Full text and rfc822 format available.

Message #15 received at 399070@bugs.debian.org (full text, mbox):

From: Arthur de Jong <arthur@west.nl>
To: 399070@bugs.debian.org
Subject: sarge version probably also vulnerable
Date: Tue, 21 Nov 2006 10:06:03 +0100
>From a quick glance at the source code the version in sarge
(1.2.10-15sarge1.0.1) also appears to be vulnerable. It contains the
same code snippet that was modified from 1.292 to 1.294.

http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.294

-- 
-- arthur de jong - arthur@west.nl - west consulting b.v. --



Information forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#399070; Package proftpd. Full text and rfc822 format available.

Acknowledgement sent to "Francesco P. Lovergine" <frankie@debian.org>:
Extra info received and forwarded to list. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>. Full text and rfc822 format available.

Message #20 received at 399070@bugs.debian.org (full text, mbox):

From: "Francesco P. Lovergine" <frankie@debian.org>
To: Arthur de Jong <arthur@west.nl>, 399070@bugs.debian.org
Subject: Re: Bug#399070: sarge version probably also vulnerable
Date: Tue, 21 Nov 2006 16:56:24 +0100
On Tue, Nov 21, 2006 at 10:06:03AM +0100, Arthur de Jong wrote:
> 
> >From a quick glance at the source code the version in sarge
> (1.2.10-15sarge1.0.1) also appears to be vulnerable. It contains the
> same code snippet that was modified from 1.292 to 1.294.
> 
> http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.294
> 

A new security-stable version is already on-air since yesterday.

-- 
Francesco P. Lovergine



Information forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#399070; Package proftpd. Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <arthur@west.nl>:
Extra info received and forwarded to list. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>. Full text and rfc822 format available.

Message #25 received at 399070@bugs.debian.org (full text, mbox):

From: Arthur de Jong <arthur@west.nl>
To: 399070@bugs.debian.org
Subject: Re: Bug#399070: sarge version probably also vulnerable
Date: Wed, 22 Nov 2006 09:39:59 +0100
On Tue, 2006-11-21 at 16:56 +0100, Francesco P. Lovergine wrote:
> On Tue, Nov 21, 2006 at 10:06:03AM +0100, Arthur de Jong wrote:
> > From a quick glance at the source code the version in sarge
> > (1.2.10-15sarge1.0.1) also appears to be vulnerable. It contains the
> > same code snippet that was modified from 1.292 to 1.294.
> > 
> > http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.294
> 
> A new security-stable version is already on-air since yesterday.

Thanks for the quick response.

-- 
-- arthur de jong - arthur@west.nl - west consulting b.v. --



Information forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#399070; Package proftpd. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>. Full text and rfc822 format available.

Message #30 received at 399070@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: control@bugs.debian.org
Cc: 399070@bugs.debian.org
Subject: Wrong issue fixed
Date: Tue, 28 Nov 2006 12:16:20 +0100 (CET)
found 399070 1.3.0-13
found 399070 1.2.10-15sarge2
retitle 399070 CVE-2006-5815: remote code execution in ProFTPD
thanks

The previous fix fixed the wrong issue. See
http://bugs.proftpd.org/show_bug.cgi?id=2858



Bug marked as found in version 1.3.0-13. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 1.2.10-15sarge2. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Francesco Paolo Lovergine <frankie@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Modestas Vainius <geromanas@mailas.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #41 received at 399070-close@bugs.debian.org (full text, mbox):

From: Francesco Paolo Lovergine <frankie@debian.org>
To: 399070-close@bugs.debian.org
Subject: Bug#399070: fixed in proftpd-dfsg 1.3.0-15
Date: Tue, 28 Nov 2006 12:47:06 +0000
Source: proftpd-dfsg
Source-Version: 1.3.0-15

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive:

proftpd-dfsg_1.3.0-15.diff.gz
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-15.diff.gz
proftpd-dfsg_1.3.0-15.dsc
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-15.dsc
proftpd-doc_1.3.0-15_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-doc_1.3.0-15_all.deb
proftpd-ldap_1.3.0-15_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-ldap_1.3.0-15_all.deb
proftpd-mysql_1.3.0-15_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-mysql_1.3.0-15_all.deb
proftpd-pgsql_1.3.0-15_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-pgsql_1.3.0-15_all.deb
proftpd_1.3.0-15_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd_1.3.0-15_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 399070@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <frankie@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 28 Nov 2006 13:29:58 +0100
Source: proftpd-dfsg
Binary: proftpd proftpd-mysql proftpd-pgsql proftpd-ldap proftpd-doc
Architecture: source all i386
Version: 1.3.0-15
Distribution: unstable
Urgency: high
Maintainer: Francesco Paolo Lovergine <frankie@debian.org>
Changed-By: Francesco Paolo Lovergine <frankie@debian.org>
Description: 
 proftpd    - Versatile, virtual-hosting FTP daemon
 proftpd-doc - Versatile, virtual-hosting FTP daemon (Documentation)
 proftpd-ldap - Versatile, virtual-hosting FTP daemon
 proftpd-mysql - Versatile, virtual-hosting FTP daemon
 proftpd-pgsql - Versatile, virtual-hosting FTP daemon
Closes: 399070
Changes: 
 proftpd-dfsg (1.3.0-15) unstable; urgency=high
 .
   * Sigh, a new patch fixes for sure security bug CVE-2006-5815.
     See cve_2006_5815_2 patch added to the previous one which was anyway
     correct on the basis of current CVS.
     See http://bugs.proftpd.org/show_bug.cgi?id=2858 for details.
     (closes: #399070)
Files: 
 e42774c472d48c16d5bd277e78f6481a 926 net optional proftpd-dfsg_1.3.0-15.dsc
 aad0ddecadd0624ef6180318a82f2bab 175467 net optional proftpd-dfsg_1.3.0-15.diff.gz
 787c979d83f7f55dca0caa6022a4b1cd 796736 net optional proftpd_1.3.0-15_i386.deb
 85ef1f2ccc6429ec3f6f39879f45dda6 492842 doc optional proftpd-doc_1.3.0-15_all.deb
 b25af221b4feea45466028c1140b3f7a 162116 net optional proftpd-mysql_1.3.0-15_all.deb
 7d6d47431ee7379beb23969ad4880376 162114 net optional proftpd-pgsql_1.3.0-15_all.deb
 5ef30e7e0b10654db1df9e8706216895 162112 net optional proftpd-ldap_1.3.0-15_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFbC6qpFNRmenyx0cRAvREAKC/KaHo4+KZR2quqQKYE8H9sw2dqwCfWTEY
KQvVik2uCyo2+lrzskoMMMA=
=Ffds
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 10:35:31 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:14:05 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.