Package: release.debian.org
Severity: wishlist
User: release.debian....@packages.debian.org
Usertags: pu
Tags: wheezy
X-Debbugs-CC: proftpd-d...@packages.debian.org
Hi,

I'd like to fix #738067 in stable, which is a crash in ProFTPD's SFTP module with larger files. The fix is trivial - two instances of memcpy become memmove (yay overlapping regions); a debdiff is attached.
We've been running packages containing the fix at $dayjob for a few months with no issues.
I've mentioned the fix to the maintainers a few times, at least once on IRC and via the BTS and @packages.d.o but not received a {,n}ack. I've X-Debbugs-CCed them in case they wish to comment.
Regards, Adam
diff -Nru proftpd-dfsg-1.3.4a/debian/changelog proftpd-dfsg-1.3.4a/debian/changelog --- proftpd-dfsg-1.3.4a/debian/changelog 2013-09-28 17:57:27.000000000 +0100 +++ proftpd-dfsg-1.3.4a/debian/changelog 2014-09-04 15:33:47.000000000 +0100 @@ -1,3 +1,10 @@ +proftpd-dfsg (1.3.4a-5+deb7u2) wheezy; urgency=low + + * Non-maintainer upload. + * Fix SFTP crash with large files (Closes: #738067) + + -- Adam D. Barratt <a...@adam-barratt.org.uk> Thu, 04 Sep 2014 15:33:21 +0100 + proftpd-dfsg (1.3.4a-5+deb7u1) stable-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru proftpd-dfsg-1.3.4a/debian/patches/series proftpd-dfsg-1.3.4a/debian/patches/series --- proftpd-dfsg-1.3.4a/debian/patches/series 2013-09-28 17:46:11.000000000 +0100 +++ proftpd-dfsg-1.3.4a/debian/patches/series 2014-09-04 15:34:45.000000000 +0100 @@ -12,3 +12,4 @@ use_hypen_in_manpage 3841 CVE-2013-4359.patch +sftp_crash_memmove diff -Nru proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove --- proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove 1970-01-01 01:00:00.000000000 +0100 +++ proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove 2014-09-04 15:34:03.000000000 +0100 
@@ -0,0 +1,48 @@ +Index: contrib/mod_sftp/fxp.c +=================================================================== +RCS file: /cvsroot/proftp/proftpd/contrib/mod_sftp/fxp.c,v +retrieving revision 1.139 +diff -u -r1.139 fxp.c +--- a/contrib/mod_sftp/fxp.c 15 Feb 2012 22:10:56 -0000 1.139 ++++ b/contrib/mod_sftp/fxp.c 15 Feb 2012 22:30:19 -0000 +@@ -2511,7 +2511,18 @@ + fxp_packet_data_allocsz += sz; + } + +- memcpy(curr_buf, data, datalen); ++ /* We explicitly want to use memmove(3) here rather than memcpy(3), ++ * since it is possible (and likely) that after reading data out ++ * of this buffer, there will be leftover data which is put back into ++ * the buffer, only at a different offset. This means that the ++ * source and destination pointers CAN overlap; using memcpy(3) would ++ * lead to subtle memory copy issue (e.g. Bug#3743). ++ * ++ * This manifested as hard-to-reproduce SFTP upload/download stalls, ++ * segfaults, etc, due to corrupted memory being read out as ++ * packet lengths and such. ++ */ ++ memmove(curr_buf, data, datalen); + curr_buflen = datalen; + + return; +@@ -2556,8 +2567,18 @@ + } + } + +- /* Append the SSH2 data to the current unconsumed buffer. */ +- memcpy(curr_buf + curr_buflen, data, datalen); ++ /* We explicitly want to use memmove(3) here rather than memcpy(3), ++ * since it is possible (and likely) that after reading data out ++ * of this buffer, there will be leftover data which is put back into ++ * the buffer, only at a different offset. This means that the ++ * source and destination pointers CAN overlap; using memcpy(3) would ++ * lead to subtle memory copy issue (e.g. Bug#3743). ++ * ++ * This manifested as hard-to-reproduce SFTP upload/download stalls, ++ * segfaults, etc, due to corrupted memory being read out as ++ * packet lengths and such. ++ */ ++ memmove(curr_buf + curr_buflen, data, datalen); + curr_buflen += datalen; + } +
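Review bot: the new debian/patches/sftp_crash_memmove carries no DEP-3 header; its first lines are the raw CVS header (`Index: contrib/mod_sftp/fxp.c`, `retrieving revision 1.139`), so the only record of where the patch came from is the RCS path. Prepending `Description: Fix SFTP crash with large files`, `Origin: upstream` and `Bug-Debian: https://bugs.debian.org/738067` (plus the upstream Bug#3743 the in-code comment cites) would keep that provenance when the patch is next refreshed.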
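Review bot: in the @@ -2511 hunk the substitution is the right one (the "leftover data put back at a different offset" case the comment describes is exactly when `data` can point inside `curr_buf`), but the same eleven-line comment is then repeated verbatim in the @@ -2556 hunk. Keeping the full rationale at the first site and a one-line pointer at the second, e.g. `/* memmove, not memcpy: source may overlap curr_buf, see above */`, avoids two copies that can drift apart.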
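Review bot: memmove(3) only removes the overlap hazard; it does not bound the write at `curr_buf + curr_buflen` in the @@ -2556 hunk. The hunk's context lines show only closing braces before the append, so the check that `curr_buflen + datalen` still fits within `fxp_packet_data_allocsz` (the @@ -2511 hunk's context shows that counter being grown) is not visible in this diff. Worth confirming it sits just above the hunk, since an append that outruns the allocation would produce the same corrupted-length symptoms the comment attributes to overlap.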
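The memcpy-versus-memmove point behind the patch, as an added example that is not part of the bug report or of ProFTPD's code: a minimal "unconsumed packet buffer" in which consumed bytes are dropped from the front and the leftover is shifted back to offset 0, so the source and destination of the copy overlap. The type and function names (`struct pktbuf`, `pktbuf_append`, `pktbuf_consume`, `ranges_overlap`), the 64-byte capacity and the sample payloads are all constructed for the demo; `BUF_CAP` and `len` merely stand in for the roles `fxp_packet_data_allocsz` and `curr_buflen` play in fxp.c.

```c
/* Added example, not code from the bug report or from ProFTPD. Shows the
 * overlapping-copy case the SFTP fix addresses and the bound check that
 * memmove(3) does NOT provide. All names and sizes below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 64 /* constructed capacity, stands in for fxp_packet_data_allocsz */

struct pktbuf {
    unsigned char data[BUF_CAP];
    size_t len; /* bytes not yet consumed, the role curr_buflen plays in fxp.c */
};

/* True if [dst, dst+n) and [src, src+n) share at least one byte. memcpy(3)
 * is undefined behaviour for such arguments; memmove(3) handles them. */
static bool ranges_overlap(const void *dst, const void *src, size_t n) {
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0)
        return false;
    return d < s + n && s < d + n;
}

/* Append n bytes after the unconsumed region. memmove() removes the overlap
 * hazard but says nothing about capacity, so the bound check must stay. */
static bool pktbuf_append(struct pktbuf *b, const unsigned char *src, size_t n) {
    if (n > BUF_CAP - b->len)
        return false; /* would overflow the buffer: refuse and copy nothing */
    memmove(b->data + b->len, src, n);
    b->len += n;
    return true;
}

/* Consume n bytes from the front and shift the leftover back to offset 0:
 * the "put back at a different offset" case from the patch comment.
 * src = data+n and dst = data overlap exactly when leftover > n.
 * Returns the number of bytes still unconsumed. */
static size_t pktbuf_consume(struct pktbuf *b, size_t n) {
    size_t leftover;
    if (n > b->len)
        n = b->len;
    leftover = b->len - n;
    memmove(b->data, b->data + n, leftover); /* memcpy here would be UB */
    b->len = leftover;
    return leftover;
}

/* Would shifting the leftover down after consuming n of len bytes overlap? */
static bool consume_overlaps(size_t len, size_t n) {
    unsigned char scratch[BUF_CAP];
    if (len > BUF_CAP || n > len)
        return false;
    return ranges_overlap(scratch, scratch + n, len - n);
}

/* One consume-then-append cycle must preserve both byte order and length. */
static bool demo_roundtrip(void) {
    struct pktbuf b = { .len = 0 };
    const unsigned char pkt[] = "0123456789abcdef"; /* constructed 16-byte payload */
    const unsigned char more[] = "XYZ";              /* constructed follow-up bytes */
    if (!pktbuf_append(&b, pkt, 16))
        return false;
    if (pktbuf_consume(&b, 4) != 12) /* overlapping move of "456789abcdef" */
        return false;
    if (!pktbuf_append(&b, more, 3))
        return false;
    return b.len == 15 && memcmp(b.data, "456789abcdefXYZ", 15) == 0;
}

/* The capacity check must reject an append that does not fit and leave
 * the buffer untouched; a fitting one is still accepted afterwards. */
static bool demo_bound_check(void) {
    struct pktbuf b = { .len = 60 };
    unsigned char x[8] = { 0 };
    if (pktbuf_append(&b, x, 8) || b.len != 60)
        return false;
    return pktbuf_append(&b, x, 4) && b.len == 64;
}

int main(void) {
    printf("roundtrip: %s\n", demo_roundtrip() ? "ok" : "FAIL");
    printf("bound check: %s\n", demo_bound_check() ? "ok" : "FAIL");
    printf("consume 4 of 16 overlaps: %s\n", consume_overlaps(16, 4) ? "yes" : "no");
    return 0;
}
```

`ranges_overlap` is the kind of predicate worth wrapping in an assertion in debug builds wherever a buffer is compacted in place; it would have flagged the memcpy calls the patch replaces. Note that the overflow case in `demo_bound_check` is the one memmove does nothing about, which is why the capacity check in `pktbuf_append` is kept alongside the memmove rather than replaced by it.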