Accepting request 202095 from network

update to 1.3.4d, fix for bnc#843444 (CVE-2013-4359) (forwarded request 202094 from computersalat)

OBS-URL: https://build.opensuse.org/request/show/202095
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/proftpd?expand=0&rev=16

proftpd-1.3.4c.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fb80dd422969b8c900920a30a56f5e272862275d244d3857a980f5f2386ea912
-size 7689622

proftpd-1.3.4c.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-iEYEABECAAYFAlE3iYYACgkQt46JP6URl2oSPgCfX4mzFaXUVYsHS8rz60GH7KzP
-9WgAniLOpNU11NPtRAdviGnsuOLDmMGW
-=Ocyb
------END PGP SIGNATURE-----

proftpd-1.3.4d.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c198b53991ce641eae6b3237e856e59f0bfe8330794145b49cae33f85b6f5370
+size 7697046

proftpd-1.3.4d.tar.gz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iEYEABECAAYFAlG7UkEACgkQt46JP6URl2rkugCg3f2dkMdkHjrplr2P4bq04pzS
+oVIAoI69AFTzGVjsAReiU1lIh8q4Qojo
+=f/F/
+-----END PGP SIGNATURE-----

proftpd-no_BuildDate.patch

@@ -76,5 +76,5 @@ Index: include/version.h
 -#include "buildstamp.h"
 -
  /* Application version (in various forms) */
- #define PROFTPD_VERSION_NUMBER		0x0001030407
- #define PROFTPD_VERSION_TEXT		"1.3.4c"
+ #define PROFTPD_VERSION_NUMBER		0x0001030408
+ #define PROFTPD_VERSION_TEXT		"1.3.4d"

proftpd-sftp-kbdint-max-responses-bug3973.patch

@@ -0,0 +1,131 @@
+Index: contrib/mod_sftp_pam.c
+===================================================================
+--- contrib/mod_sftp_pam.c.orig
++++ contrib/mod_sftp_pam.c
+@@ -197,22 +197,13 @@ static int sftppam_converse(int nmsgs, P
+     return PAM_CONV_ERR;
+   }
+ 
+-  if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, &recvd_count,
+-      &recvd_responses) < 0) {
++  if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, list->nelts,
++      &recvd_count, &recvd_responses) < 0) {
+     pr_trace_msg(trace_channel, 3,
+       "error receiving keyboard-interactive responses: %s", strerror(errno));
+     return PAM_CONV_ERR;
+   }
+ 
+-  /* Make sure that the count of responses matches the challenge count. */
+-  if (recvd_count != list->nelts) {
+-    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_PAM_VERSION,
+-      "sent %d %s, but received %u %s", nmsgs,
+-      list->nelts != 1 ? "challenges" : "challenge", recvd_count,
+-      recvd_count != 1 ? "responses" : "response");
+-    return PAM_CONV_ERR;
+-  }
+-
+   res = calloc(nmsgs, sizeof(struct pam_response));
+   if (res == NULL) {
+     pr_log_pri(PR_LOG_CRIT, "Out of memory!");
+Index: contrib/mod_sftp/kbdint.c
+===================================================================
+--- contrib/mod_sftp/kbdint.c.orig
++++ contrib/mod_sftp/kbdint.c
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - mod_sftp keyboard-interactive driver mgmt
+- * Copyright (c) 2008-2009 TJ Saunders
++ * Copyright (c) 2008-2013 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -31,6 +31,8 @@
+ #include "utf8.h"
+ #include "kbdint.h"
+ 
++#define SFTP_KBDINT_MAX_RESPONSES	500
++
+ struct kbdint_driver {
+   struct kbdint_driver *next, *prev;
+ 
+@@ -252,8 +254,8 @@ int sftp_kbdint_send_challenge(const cha
+   return res;
+ }
+ 
+-int sftp_kbdint_recv_response(pool *p, unsigned int *count,
+-    const char ***responses) {
++int sftp_kbdint_recv_response(pool *p, unsigned int expected_count,
++    unsigned int *rcvd_count, const char ***responses) {
+   register unsigned int i;
+   char *buf;
+   cmd_rec *cmd;
+@@ -264,7 +266,7 @@ int sftp_kbdint_recv_response(pool *p, u
+   int res;
+ 
+   if (p == NULL ||
+-      count == NULL ||
++      rcvd_count == NULL ||
+       responses == NULL) {
+     errno = EINVAL;
+     return -1;
+@@ -299,6 +301,29 @@ int sftp_kbdint_recv_response(pool *p, u
+ 
+   resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);
+ 
++  /* Ensure that the number of responses sent by the client is the same
++   * as the number of challenges sent, lest a malicious client attempt to
++   * trick us into allocating too much memory (Bug#3973).
++   */
++  if (resp_count != expected_count) {
++    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
++      "sent %lu %s, but received %lu %s", (unsigned long) expected_count,
++      expected_count != 1 ? "challenges" : "challenge",
++      (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");
++    destroy_pool(pkt->pool);
++    errno = EPERM;
++    return -1;
++  }
++
++  if (resp_count > SFTP_KBDINT_MAX_RESPONSES) {
++    (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
++      "received too many responses (%lu > max %lu), rejecting",
++      (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);
++    destroy_pool(pkt->pool);
++    errno = EPERM;
++    return -1;
++  }
++
+   list = make_array(p, resp_count, sizeof(char *));
+   for (i = 0; i < resp_count; i++) {
+     char *resp;
+@@ -307,7 +332,7 @@ int sftp_kbdint_recv_response(pool *p, u
+     *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
+   }
+ 
+-  *count = (unsigned int) resp_count;
++  *rcvd_count = (unsigned int) resp_count;
+   *responses = ((const char **) list->elts);
+   return 0;
+ }
+Index: contrib/mod_sftp/mod_sftp.h.in
+===================================================================
+--- contrib/mod_sftp/mod_sftp.h.in.orig
++++ contrib/mod_sftp/mod_sftp.h.in
+@@ -1,6 +1,6 @@
+ /*
+  * ProFTPD - mod_sftp
+- * Copyright (c) 2008-2011 TJ Saunders
++ * Copyright (c) 2008-2013 TJ Saunders
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -174,7 +174,8 @@ int sftp_kbdint_register_driver(const ch
+ int sftp_kbdint_unregister_driver(const char *name);
+ int sftp_kbdint_send_challenge(const char *, const char *, unsigned int,
+   sftp_kbdint_challenge_t *);
+-int sftp_kbdint_recv_response(pool *, unsigned int *, const char ***);
++int sftp_kbdint_recv_response(pool *, unsigned int, unsigned int *,
++  const char ***);
+ 
+ /* API for modules that which to register keystores, for the
+  * SFTPAuthorizedHostKeys and SFTPAuthorizedUserKeys directives.

proftpd.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Oct  3 20:48:44 UTC 2013 - chris@computersalat.de
+
+- update to 1.3.4d
+  * Fixed broken build when using --disable-ipv6 configure option
+  * Fixed mod_sql "SQLAuthType Backend" MySQL issues
+- fix for bnc#843444 (CVE-2013-4359)
+  * http://bugs.proftpd.org/show_bug.cgi?id=3973
+  * add proftpd-sftp-kbdint-max-responses-bug3973.patch
+
 -------------------------------------------------------------------
 Mon Jul 29 01:12:53 UTC 2013 - crrodriguez@opensuse.org
 

proftpd.spec

@@ -22,7 +22,7 @@ License:        GPL-2.0+
 Group:          Productivity/Networking/Ftp/Servers
 # Please save your time and do not update to "rc" versions.
 # We only accept updates for "STABLE" Versions
-Version:        1.3.4c
+Version:        1.3.4d
 Release:        0
 Url:            http://www.proftpd.org/
 Source0:        ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz
@@ -41,6 +41,8 @@ Patch102:       %{name}-ftpasswd.patch
 Patch103:       %{name}-strip.patch
 #PATCH-FIX-openSUSE: file-contains-date-and-time
 Patch104:       %{name}-no_BuildDate.patch
+# PATCH-FIX-upstream: sftp-kbdint-max-responses-bug3973
+Patch105:       %{name}-sftp-kbdint-max-responses-bug3973.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gpg-offline
 BuildRequires:  krb5-devel
@@ -141,6 +143,7 @@ Here are Documentation for ProFTPD
 %patch102
 %patch103
 %patch104
+%patch105
 
 %build
 PROFTPD_SHARED_MODS="$(for spec_mod in $(find contrib -name mod_\*.c); do echo "$(basename ${spec_mod%%.c})"; done | tr '\n' ':' | sed -e 's|:$||')"