On 07.12.2019 at 16:42, Salvatore Bonaccorso wrote:
Hi,
> The following vulnerability was published for proftpd-dfsg.
> The uploads to unstable are made.

Please find attached the debdiff patches for buster and stretch. I did not test the code at all (except that the build runs OK), but the change seems to be rather trivial to me.

Hilmar
--
sigfault
#206401 http://counter.li.org
diff -Nru proftpd-dfsg-1.3.6/debian/changelog proftpd-dfsg-1.3.6/debian/changelog --- proftpd-dfsg-1.3.6/debian/changelog 2019-10-23 16:22:38.000000000 +0200 +++ proftpd-dfsg-1.3.6/debian/changelog 2019-12-08 16:19:57.000000000 +0100 @@ -1,3 +1,12 @@ +proftpd-dfsg (1.3.6-4+deb10u3) buster-security; urgency=medium + + * Cherry pick patch from upstream: + - for upstream 861 (CVE-2019-19269) (Closes: #946345) + - for upstream 859 (CVE-2019-19270) (Closes: #946346) + upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 + + -- Hilmar Preusse <hill...@web.de> Sun, 08 Dec 2019 16:19:57 +0100 + proftpd-dfsg (1.3.6-4+deb10u2) buster-security; urgency=medium * Add patch from upstream to address CVE-2019-18217. diff -Nru proftpd-dfsg-1.3.6/debian/patches/series proftpd-dfsg-1.3.6/debian/patches/series --- proftpd-dfsg-1.3.6/debian/patches/series 2019-10-23 16:22:38.000000000 +0200 +++ proftpd-dfsg-1.3.6/debian/patches/series 2019-12-08 16:19:14.000000000 +0100 @@ -19,3 +19,4 @@ github_pr_594 CVE-2019-12815.patch bug_846_CVE-2019-18217.patch +upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 diff -Nru proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 --- proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 1970-01-01 01:00:00.000000000 +0100 +++ proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 2019-12-08 16:19:26.000000000 +0100 
@@ -0,0 +1,35 @@ +From 81cc5dce4fc0285629a1b08a07a109af10c208dd Mon Sep 17 00:00:00 2001 +From: TJ Saunders <t...@castaglia.org> +Date: Sun, 24 Nov 2019 14:03:54 -0800 +Subject: [PATCH] Issue #859, #861: Fix handling of CRL lookups by properly + using issuer for lookups, and guarding against null pointers. + +--- + contrib/mod_tls.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- proftpd-dfsg.orig/contrib/mod_tls.c ++++ proftpd-dfsg/contrib/mod_tls.c +@@ -8968,10 +8968,10 @@ + + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ + !defined(HAVE_LIBRESSL) +- crls = X509_STORE_CTX_get1_crls(store_ctx, subject); ++ crls = X509_STORE_CTX_get1_crls(store_ctx, issuer); + #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \ + !defined(HAVE_LIBRESSL) +- crls = X509_STORE_get1_crls(store_ctx, subject); ++ crls = X509_STORE_get1_crls(store_ctx, issuer); + #else + /* Your OpenSSL is before 1.0.0. You really need to upgrade. */ + crls = NULL; +@@ -8990,6 +8990,9 @@ + ASN1_INTEGER *sn; + + revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j); ++ if (revoked == NULL) { ++ continue; ++ } + #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ + !defined(HAVE_LIBRESSL) + sn = X509_REVOKED_get0_serialNumber(revoked);
diff -Nru proftpd-dfsg-1.3.5b/debian/changelog proftpd-dfsg-1.3.5b/debian/changelog --- proftpd-dfsg-1.3.5b/debian/changelog 2019-10-23 23:34:50.000000000 +0200 +++ proftpd-dfsg-1.3.5b/debian/changelog 2019-12-08 16:52:34.000000000 +0100 @@ -1,3 +1,11 @@ +proftpd-dfsg (1.3.5b-4+deb9u3) stretch-security; urgency=medium + + * Cherry pick patch from upstream: + - for upstream 861 (CVE-2019-19269) (Closes: #946345) + upstream_pull_861_CVE-2019-19269 + + -- Hilmar Preusse <hill...@web.de> Sun, 08 Dec 2019 16:52:34 +0100 + proftpd-dfsg (1.3.5b-4+deb9u2) stretch-security; urgency=high * Add patch from upstream to address CVE-2019-18217. diff -Nru proftpd-dfsg-1.3.5b/debian/patches/series proftpd-dfsg-1.3.5b/debian/patches/series --- proftpd-dfsg-1.3.5b/debian/patches/series 2019-10-23 23:24:27.000000000 +0200 +++ proftpd-dfsg-1.3.5b/debian/patches/series 2019-12-08 16:52:34.000000000 +0100 @@ -17,3 +17,4 @@ CVE-2017-7418 proftpd-1.3.5e-CVE-2019-12815.patch bug_846_CVE-2019-18217.patch +upstream_861_CVE-2019-19269 diff -Nru proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269 proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269 --- proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269 1970-01-01 01:00:00.000000000 +0100 +++ proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269 2019-12-08 16:52:34.000000000 +0100 @@ -0,0 +1,12 @@ +--- proftpd-dfsg.orig/contrib/mod_tls.c ++++ proftpd-dfsg/contrib/mod_tls.c +@@ -5862,6 +5862,9 @@ + ASN1_INTEGER *sn; + + revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); ++ if (revoked == NULL) { ++ continue; ++ } + sn = revoked->serialNumber; + + if (ASN1_INTEGER_cmp(sn, X509_get_serialNumber(xs)) == 0) {
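Review bot: In the buster patch, the mod_tls.c hunk at @@ -8968 switches both CRL lookups (`X509_STORE_CTX_get1_crls` / `X509_STORE_get1_crls`) from `subject` to `issuer`, which is the CVE-2019-19270 fix: CRLs are issued by the certificate's issuer, so a lookup keyed on the subject name finds no CRL and revocation is never checked. Note that the untouched `#else` branch still sets `crls = NULL` for OpenSSL before 1.0.0, so on such a build CRL checking remains a silent no-op regardless of this change; that is pre-existing behaviour, but worth keeping in mind when judging whether the fix is complete for a given suite.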
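Review bot: In the buster patch, the hunk at @@ -8990 adds `if (revoked == NULL) { continue; }` before the `#if` that dereferences `revoked` (either via `X509_REVOKED_get0_serialNumber(revoked)` or, on older OpenSSL, directly), so the guard covers both branches; that is the CVE-2019-19269 null-pointer fix. Skipping the entry means a CRL entry that `sk_X509_REVOKED_value` cannot return is treated as not matching and verification continues rather than failing closed; this mirrors the upstream commit, so it is appropriate for a cherry-pick, but it would be good to say so in the changelog rather than leaving the semantics implicit.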
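Review bot: In the stretch changelog hunk, the patch is named `upstream_pull_861_CVE-2019-19269`, but the series hunk and the new file are both `upstream_861_CVE-2019-19269`; please make the changelog match the actual filename. The entry also only covers CVE-2019-19269 (Closes: #946345) and says nothing about CVE-2019-19270 / #946346, which the buster upload does fix; add a sentence stating whether 1.3.5b is unaffected by the issuer-lookup bug or whether that fix is still pending for stretch, so the tracker can be kept accurate.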
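Review bot: In the stretch debdiff, the new file `upstream_861_CVE-2019-19269` carries no DEP-3 header, unlike the buster patch, which keeps the upstream git From/Date/Subject lines; please add at least `Origin: upstream commit 81cc5dce4fc0285629a1b08a07a109af10c208dd` and `Bug-Debian: https://bugs.debian.org/946345` so the provenance of the backport is recorded. The backported guard itself is placed correctly: it sits before `sn = revoked->serialNumber;`, which is the direct dereference in the 1.3.5b code path, and the index variable is `i` here versus `j` in 1.3.6, which is just a difference between the two trees and not a problem.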