Accepting request 1247355 from network

fix for boo#1236889 (CVE-2024-57392) (forwarded request 1247354 from computersalat) OBS-URL: https://build.opensuse.org/request/show/1247355 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/proftpd?expand=0&rev=53
2025-02-20 15:41:58 +00:00 · 2025-02-20 15:41:58 +00:00 · d5c653264f
commit d5c653264f
parent 3b34634f85 d4d1e490d9
3 changed files with 48 additions and 0 deletions
--- a/proftpd-null_pointer.patch
+++ b/proftpd-null_pointer.patch
@ -0,0 +1,37 @@
+# Mitigation CVE-2024-57392 / GHSA-cf42-x7h8-3v3q #1866
+# #1866: Some of the fuzzing tests submitted in the advisory ran into existing
+# null pointer dereferences (not buffer overflows); let's correct them.
+Index: modules/mod_ls.c
+===================================================================
+--- modules/mod_ls.c.orig
+++ modules/mod_ls.c
+@@ -2,7 +2,7 @@
+  * ProFTPD - FTP server daemon
+  * Copyright (c) 1997, 1998 Public Flood Software
+  * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <macgyver@tos.net>
+- * Copyright (c) 2001-2022 The ProFTPD Project
+ * Copyright (c) 2001-2025 The ProFTPD Project
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License as published by
+@@ -360,7 +360,8 @@ static int sendline(int flags, char *fmt
+           errno != 0) {
+         int xerrno = errno;
+ 
+-        if (session.d != NULL) {
+        if (session.d != NULL &&
+            session.d->outstrm != NULL) {
+           xerrno = PR_NETIO_ERRNO(session.d->outstrm);
+         }
+ 
+@@ -1101,7 +1102,9 @@ static int outputfiles(cmd_rec *cmd) {
+     return res;
+   }
+ 
+-  tail->down = NULL;
+  if (tail != NULL) {  
+    tail->down = NULL;
+  }
+   tail = NULL;
+   colwidth = (colwidth | 7) + 1;
+   if (opt_l || !opt_C) {
--- a/proftpd.changes
+++ b/proftpd.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Feb 20 09:05:57 UTC 2025 - chris@computersalat.de
+
+- fix for boo#1236889 (CVE-2024-57392)
+  https://github.com/proftpd/proftpd/issues/1866
+  Some of the fuzzing tests submitted in the advisory ran into existing null
+  pointer dereferences (not buffer overflows); let's correct them.
+- Add proftpd-null_pointer.patch
+
 -------------------------------------------------------------------
 Thu Jan  9 17:25:19 UTC 2025 - chris@computersalat.de

--- a/proftpd.spec
+++ b/proftpd.spec
@ -60,6 +60,8 @@ Patch104:       %{name}-no_BuildDate.patch
 Patch105:       %{name}_env-script-interpreter.patch
 #openSUSE:Security_Features#Systemd_hardening_effort
 Patch106:       harden_proftpd.service.patch
+#PATCH-FIX-Upstream: Mitigation CVE-2024-57392 / GHSA-cf42-x7h8-3v3q #1866
+Patch200:       %{name}-null_pointer.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #BuildRequires:  gpg-offline
 BuildRequires:  cyrus-sasl-devel