On 07.12.2019 at 16:42, Salvatore Bonaccorso wrote:

Hi,

> The following vulnerability was published for proftpd-dfsg.
> 
The uploads to unstable are made.

Please find attached the debdiff patches for buster and stretch. I did
not test the code at all (except that the build runs OK), but the change
seems to be rather trivial to me.

Hilmar
-- 
sigfault
#206401 http://counter.li.org
diff -Nru proftpd-dfsg-1.3.6/debian/changelog proftpd-dfsg-1.3.6/debian/changelog
--- proftpd-dfsg-1.3.6/debian/changelog 2019-10-23 16:22:38.000000000 +0200
+++ proftpd-dfsg-1.3.6/debian/changelog 2019-12-08 16:19:57.000000000 +0100
@@ -1,3 +1,12 @@
+proftpd-dfsg (1.3.6-4+deb10u3) buster-security; urgency=medium
+
+  * Cherry pick patch from upstream:
+     - for upstream 861 (CVE-2019-19269) (Closes: #946345)
+     - for upstream 859 (CVE-2019-19270) (Closes: #946346)
+     upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
+
+ -- Hilmar Preusse <hill...@web.de>  Sun, 08 Dec 2019 16:19:57 +0100
+
 proftpd-dfsg (1.3.6-4+deb10u2) buster-security; urgency=medium
 
   * Add patch from upstream to address CVE-2019-18217.
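Review bot: the new entry identifies the fix only by the patch file name and by "upstream 861" / "upstream 859", so a reader of the changelog cannot tell what was changed or that 859/861 are upstream issue numbers (the patch's own Subject line says "Issue #859, #861", while the file name says "upstream_pull_"). Suggest a one-line description per CVE, e.g. "CVE-2019-19270: look up CRLs by issuer rather than subject in mod_tls" and "CVE-2019-19269: guard against NULL revoked entries when walking a CRL", and keep the issue/PR wording consistent between file name and changelog.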
diff -Nru proftpd-dfsg-1.3.6/debian/patches/series proftpd-dfsg-1.3.6/debian/patches/series
--- proftpd-dfsg-1.3.6/debian/patches/series    2019-10-23 16:22:38.000000000 +0200
+++ proftpd-dfsg-1.3.6/debian/patches/series    2019-12-08 16:19:14.000000000 +0100
@@ -19,3 +19,4 @@
 github_pr_594
 CVE-2019-12815.patch
 bug_846_CVE-2019-18217.patch
+upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
diff -Nru proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269 proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269
--- proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.6/debian/patches/upstream_pull_859_861_CVE-2019-19270_CVE-2019-19269	2019-12-08 16:19:26.000000000 +0100
@@ -0,0 +1,35 @@
+From 81cc5dce4fc0285629a1b08a07a109af10c208dd Mon Sep 17 00:00:00 2001
+From: TJ Saunders <t...@castaglia.org>
+Date: Sun, 24 Nov 2019 14:03:54 -0800
+Subject: [PATCH] Issue #859, #861: Fix handling of CRL lookups by properly
+ using issuer for lookups, and guarding against null pointers.
+
+---
+ contrib/mod_tls.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- proftpd-dfsg.orig/contrib/mod_tls.c
++++ proftpd-dfsg/contrib/mod_tls.c
+@@ -8968,10 +8968,10 @@
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+     !defined(HAVE_LIBRESSL)
+-  crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
++  crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
+ #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+       !defined(HAVE_LIBRESSL)
+-  crls = X509_STORE_get1_crls(store_ctx, subject);
++  crls = X509_STORE_get1_crls(store_ctx, issuer);
+ #else
+   /* Your OpenSSL is before 1.0.0.  You really need to upgrade. */
+   crls = NULL;
+@@ -8990,6 +8990,9 @@
+         ASN1_INTEGER *sn;
+ 
+         revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
++        if (revoked == NULL) {
++          continue;
++        }
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+     !defined(HAVE_LIBRESSL)
+         sn = X509_REVOKED_get0_serialNumber(revoked);
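Review bot: the first inner hunk switches the CRL lookup from `subject` to `issuer`, but nothing in the visible context shows where `issuer` is assigned, and the cover mail says the change was only build-tested; a clean build proves the symbol exists at that point in the 1.3.6 source, not that it holds the issuer name of the certificate being verified. Since the whole point of the fix is that CRLs are indexed by issuer, please run a buster build once with a CRL configured and a revoked client certificate and confirm the handshake is rejected, otherwise a silently empty `crls` would make the change look correct while revocation checking stays ineffective. In the second inner hunk the `if (revoked == NULL) { continue; }` guard is fine, but it skips the entry without a trace; a log line there would make a malformed CRL entry visible to the operator. Lastly, the file carries the git From/Date/Subject lines but no DEP-3 `Origin:` or `Bug-Debian:` fields; add `Origin: upstream, commit 81cc5dce4fc0285629a1b08a07a109af10c208dd` and `Bug-Debian: https://bugs.debian.org/946345` / `https://bugs.debian.org/946346` so the provenance survives without the changelog.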
diff -Nru proftpd-dfsg-1.3.5b/debian/changelog proftpd-dfsg-1.3.5b/debian/changelog
--- proftpd-dfsg-1.3.5b/debian/changelog        2019-10-23 23:34:50.000000000 +0200
+++ proftpd-dfsg-1.3.5b/debian/changelog        2019-12-08 16:52:34.000000000 +0100
@@ -1,3 +1,11 @@
+proftpd-dfsg (1.3.5b-4+deb9u3) stretch-security; urgency=medium
+
+  *  Cherry pick patch from upstream:
+     - for upstream 861 (CVE-2019-19269) (Closes: #946345)
+     upstream_pull_861_CVE-2019-19269
+
+ -- Hilmar Preusse <hill...@web.de>  Sun, 08 Dec 2019 16:52:34 +0100
+
 proftpd-dfsg (1.3.5b-4+deb9u2) stretch-security; urgency=high
 
   * Add patch from upstream to address CVE-2019-18217.
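Review bot: the patch name in this entry does not match the file actually added: the changelog says `upstream_pull_861_CVE-2019-19269`, while the series entry and the new file are `upstream_861_CVE-2019-19269`; fix one of them before upload. The entry also covers only CVE-2019-19269, whereas the buster entry fixes CVE-2019-19270 (upstream 859) as well; state explicitly whether 1.3.5b is not affected by CVE-2019-19270 or whether it is deliberately left unfixed here, so the tracker entry for stretch can be marked accordingly. Minor: the bullet has two spaces after the `*`, unlike the entry below it.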
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/series proftpd-dfsg-1.3.5b/debian/patches/series
--- proftpd-dfsg-1.3.5b/debian/patches/series   2019-10-23 23:24:27.000000000 +0200
+++ proftpd-dfsg-1.3.5b/debian/patches/series   2019-12-08 16:52:34.000000000 +0100
@@ -17,3 +17,4 @@
 CVE-2017-7418
 proftpd-1.3.5e-CVE-2019-12815.patch
 bug_846_CVE-2019-18217.patch
+upstream_861_CVE-2019-19269
diff -Nru proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269 proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269
--- proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269	1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.5b/debian/patches/upstream_861_CVE-2019-19269	2019-12-08 16:52:34.000000000 +0100
@@ -0,0 +1,12 @@
+--- proftpd-dfsg.orig/contrib/mod_tls.c
++++ proftpd-dfsg/contrib/mod_tls.c
+@@ -5862,6 +5862,9 @@
+       ASN1_INTEGER *sn;
+ 
+       revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
++      if (revoked == NULL) {
++          continue;
++      }
+       sn = revoked->serialNumber;
+ 
+       if (ASN1_INTEGER_cmp(sn, X509_get_serialNumber(xs)) == 0) {
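Review bot: this patch has no header at all, unlike the buster one, so nothing records where the three lines come from or which bug they close; add a DEP-3 header with `Description:`, `Origin: upstream, commit 81cc5dce4fc0285629a1b08a07a109af10c208dd` (backported to the 1.3.5b code, which still reads `revoked->serialNumber` directly) and `Bug-Debian: https://bugs.debian.org/946345`. The guard itself is the same as upstream's and correct, but its indentation is off: `if` sits at 6 spaces and `continue;` at 10, whereas the surrounding code and the buster hunk step by 2; put `continue;` at 8 to match.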

Attachment: signature.asc
Description: OpenPGP digital signature