Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:proftpd-dfsg
User: [email protected]
Usertags: pu
(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.)

[ Reason ]
The bug is described in the descriptions of CVE-2026-42167 & CVE-2024-57392 and upstream issue #1840.
https://github.com/proftpd/proftpd/issues/1840

[ Impact ]
1. Users are impacted by CVE-2026-42167.
https://app.opencve.io/cve/CVE-2026-42167
The CVSS score of 8.1 indicates a high severity risk. No EPSS score is available, so the current exploitation probability is unknown; however, the exploit requires specific configuration conditions (mod_sql enabled, %U logging, and a permissive SQL backend).

2. Users are impacted by CVE-2024-57392. The severity of this CVE is rather low, hence it was ignored until today. The patch fixes possible crashes of the proftpd server.

3. Fix for #1133677: proftpd before commit 3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6 fails to validate the RADIUS MAC signature when talking to current FreeRADIUS (e.g. 3.2.7).

[ Tests ]
The proftpd package has a test suite, which was executed successfully.

[ Risks ]
The inserted changes (maybe except that for CVE-2026-42167) are rather old and well tested. I don't expect surprises.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
* Add patch from upstream to address CVE-2024-57392.
* Add patch from upstream to address issue #1840 (Closes: #1133677).
* Add patch for CVE-2026-42167 (Closes: #1135119).
diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/changelog proftpd-dfsg-1.3.8+dfsg/debian/changelog --- proftpd-dfsg-1.3.8+dfsg/debian/changelog 2024-11-30 23:32:48.000000000 +0100 +++ proftpd-dfsg-1.3.8+dfsg/debian/changelog 2026-05-01 22:02:15.000000000 +0200 @@ -1,3 +1,11 @@ +proftpd-dfsg (1.3.8+dfsg-4+deb12u5) bookworm; urgency=medium + + * Add patch from upstream to address CVE-2024-57392. + * Add patch from upstream to address issues #1840 (Closes: #1133677). + * Add patch for CVE-2026-42167 (Closes: #1135119). + + -- Hilmar Preuße <[email protected]> Fri, 01 May 2026 22:02:15 +0200 + proftpd-dfsg (1.3.8+dfsg-4+deb12u4) bookworm-security; urgency=high * Add my Debian E-Mail address to Field Uploaders. diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/2052_pghmcfc.diff proftpd-dfsg-1.3.8+dfsg/debian/patches/2052_pghmcfc.diff --- proftpd-dfsg-1.3.8+dfsg/debian/patches/2052_pghmcfc.diff 1970-01-01 01:00:00.000000000 +0100 +++ proftpd-dfsg-1.3.8+dfsg/debian/patches/2052_pghmcfc.diff 2026-05-01 22:00:38.000000000 +0200 
@@ -0,0 +1,193 @@ +From 415395b795436ae47cc25b2394e80033b80f11be Mon Sep 17 00:00:00 2001 +From: TJ Saunders <[email protected]> +Date: Mon, 27 Apr 2026 12:13:09 -0700 +Subject: [PATCH] Issue #2052: When resolving any variable whose value is + supplied by the client, make sure we **always** escape that value text. + +--- + contrib/mod_sql.c | 103 ++++++++++++++++++++++++++++------------------ + 1 file changed, 64 insertions(+), 39 deletions(-) + +--- proftpd.orig/contrib/mod_sql.c ++++ proftpd/contrib/mod_sql.c +@@ -2,7 +2,7 @@ + * ProFTPD: mod_sql -- SQL frontend + * Copyright (c) 1998-1999 Johnie Ingram. + * Copyright (c) 2001 Andrew Houghton. +- * Copyright (c) 2004-2022 TJ Saunders ++ * Copyright (c) 2004-2026 TJ Saunders + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -758,40 +758,46 @@ + } + + static int sql_resolved_append_text(pool *p, struct sql_resolved *resolved, +- const char *text, size_t text_len) { +- char *new_text; +- size_t new_textlen; ++ const char *text, size_t text_len, int already_escaped) { ++ char *new_text = NULL; ++ size_t new_textlen = 0; + + if (text == NULL || + text_len == 0) { + return 0; + } + +- /* For backward compatibility (see Issue #1149), we indulge in a little +- * heuristic here, and only escape the text if it hasn't already been +- * escaped. How to properly tell? If the first and last characters of +- * the given text are `'`, AND there are no other occurrences of that +- * character in the text, assume it has already been quoted. 
+- */ +- if (is_escaped_text(text, text_len) == FALSE) { +- modret_t *mr; ++ new_text = (char *) text; ++ new_textlen = text_len; + +- mr = sql_dispatch(sql_make_cmd(p, 2, resolved->conn_name, text), +- "sql_escapestring"); +- if (check_response(mr, resolved->conn_flags) < 0) { +- errno = EIO; +- return -1; +- } ++ if (already_escaped == FALSE) { ++ /* For backward compatibility (see Issue #1149), we indulge in a little ++ * heuristic here, and only escape the text if it hasn't already been ++ * escaped. How to properly tell? If the first and last characters of ++ * the given text are `'`, AND there are no other occurrences of that ++ * character in the text, assume it has already been quoted. ++ * ++ * Per Issue #2052, we refine this to use this heuristic only if we do ++ * not already know that the text has been escaped. Some callers may ++ * have already escaped the provided text for us. ++ */ ++ if (is_escaped_text(text, text_len) == FALSE) { ++ modret_t *mr; + +- new_text = (char *) mr->data; +- new_textlen = strlen(new_text); ++ mr = sql_dispatch(sql_make_cmd(p, 2, resolved->conn_name, text), ++ "sql_escapestring"); ++ if (check_response(mr, resolved->conn_flags) < 0) { ++ errno = EIO; ++ return -1; ++ } + +- } else { +- pr_trace_msg(trace_channel, 17, +- "text '%s' is already escaped, skipping escaping it again", text); ++ new_text = (char *) mr->data; ++ new_textlen = strlen(new_text); + +- new_text = (char *) text; +- new_textlen = text_len; ++ } else { ++ pr_trace_msg(trace_channel, 17, ++ "text '%s' is already escaped, skipping escaping it again", text); ++ } + } + + if (new_textlen > resolved->buflen) { +@@ -809,7 +815,7 @@ + + static int sql_resolve_on_meta(pool *p, pr_jot_ctx_t *jot_ctx, + unsigned char logfmt_id, const char *jot_hint, const void *val) { +- int res = 0; ++ int res = 0, already_escaped = FALSE; + struct sql_resolved *resolved; + + resolved = jot_ctx->log; +@@ -968,35 +974,53 @@ + break; + } + ++ /* Per Issue #2052, the following 
variable values can all be supplied ++ * remotely by the client. As such, they should be escaped preemptively. ++ */ + case LOGFMT_META_ANON_PASS: + case LOGFMT_META_BASENAME: +- case LOGFMT_META_CLASS: + case LOGFMT_META_CMD_PARAMS: + case LOGFMT_META_COMMAND: + case LOGFMT_META_DIR_NAME: + case LOGFMT_META_DIR_PATH: ++ case LOGFMT_META_FILENAME: ++ case LOGFMT_META_IDENT_USER: ++ case LOGFMT_META_METHOD: ++ case LOGFMT_META_ORIGINAL_USER: ++ case LOGFMT_META_RESPONSE_STR: ++ case LOGFMT_META_REMOTE_HOST: ++ case LOGFMT_META_RENAME_FROM: ++ case LOGFMT_META_USER: ++ case LOGFMT_META_XFER_PATH: { ++ modret_t *mr; ++ ++ mr = sql_dispatch(sql_make_cmd(p, 2, resolved->conn_name, ++ (const char *) val), "sql_escapestring"); ++ if (check_response(mr, resolved->conn_flags) < 0) { ++ errno = EIO; ++ return -1; ++ } ++ ++ text = (char *) mr->data; ++ text_len = strlen(text); ++ already_escaped = TRUE; ++ break; ++ } ++ ++ case LOGFMT_META_CLASS: + case LOGFMT_META_ENV_VAR: + case LOGFMT_META_EOS_REASON: +- case LOGFMT_META_FILENAME: + case LOGFMT_META_GROUP: +- case LOGFMT_META_IDENT_USER: + case LOGFMT_META_ISO8601: + case LOGFMT_META_LOCAL_FQDN: + case LOGFMT_META_LOCAL_IP: + case LOGFMT_META_LOCAL_NAME: +- case LOGFMT_META_METHOD: + case LOGFMT_META_NOTE_VAR: +- case LOGFMT_META_ORIGINAL_USER: + case LOGFMT_META_PROTOCOL: +- case LOGFMT_META_REMOTE_HOST: + case LOGFMT_META_REMOTE_IP: +- case LOGFMT_META_RENAME_FROM: +- case LOGFMT_META_RESPONSE_STR: +- case LOGFMT_META_USER: + case LOGFMT_META_VERSION: + case LOGFMT_META_VHOST_IP: + case LOGFMT_META_XFER_FAILURE: +- case LOGFMT_META_XFER_PATH: + case LOGFMT_META_XFER_STATUS: + case LOGFMT_META_XFER_TYPE: + default: +@@ -1009,7 +1033,8 @@ + text_len = strlen(text); + } + +- res = sql_resolved_append_text(p, resolved, text, text_len); ++ res = sql_resolved_append_text(p, resolved, text, text_len, ++ already_escaped); + } + + return res; +@@ -1072,7 +1097,7 @@ + break; + } + +- res = sql_resolved_append_text(p, resolved, 
text, text_len); ++ res = sql_resolved_append_text(p, resolved, text, text_len, FALSE); + } + + return res; +@@ -3173,7 +3198,7 @@ + } + + text_len = strlen(text); +- res = sql_resolved_append_text(p, resolved, text, text_len); ++ res = sql_resolved_append_text(p, resolved, text, text_len, FALSE); + + } else { + res = sql_resolve_on_meta(p, jot_ctx, logfmt_id, jot_hint, val); diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff --- proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff 1970-01-01 01:00:00.000000000 +0100 +++ proftpd-dfsg-1.3.8+dfsg/debian/patches/3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff 2026-05-01 22:00:38.000000000 +0200 
@@ -0,0 +1,36 @@ +From 3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6 Mon Sep 17 00:00:00 2001 +From: TJ Saunders <[email protected]> +Date: Sat, 26 Oct 2024 12:06:00 -0700 +Subject: [PATCH] Issue #1840: Fix the computation of the RADIUS + Message-Authenticator signature to conform more properly to RFC 2869. (#1843) + +--- + contrib/mod_radius.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/contrib/mod_radius.c b/contrib/mod_radius.c +index f232e99290..057bd1a377 100644 +--- a/contrib/mod_radius.c ++++ b/contrib/mod_radius.c +@@ -1,6 +1,6 @@ + /* + * ProFTPD: mod_radius -- a module for RADIUS authentication and accounting +- * Copyright (c) 2001-2022 TJ Saunders ++ * Copyright (c) 2001-2024 TJ Saunders + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -2266,8 +2266,11 @@ static int radius_verify_auth_mac(radius_packet_t *pkt, const char *pkt_type, + memset(replied, '\0', sizeof(replied)); + memcpy(replied, attrib->data, attrib_len); + +- /* Next, zero out the value so that we can calculate it ourselves. */ +- memset(attrib->data, '\0', attrib_len); ++ /* Next, zero out the value so that we can calculate it ourselves. ++ * ++ * Note that we only want to zero out the first 16 bytes, per RFC 2869. ++ */ ++ memset(attrib->data, '\0', expected_len); + + memset(digest, '\0', sizeof(digest)); + md = EVP_md5(); diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff --- proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff 1970-01-01 01:00:00.000000000 +0100 +++ proftpd-dfsg-1.3.8+dfsg/debian/patches/9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff 2026-05-01 22:00:38.000000000 +0200 
@@ -0,0 +1,44 @@ +From 9b2b4a3e32d251798bf8fa841b124ab15ba58f11 Mon Sep 17 00:00:00 2001 +From: TJ Saunders <[email protected]> +Date: Sun, 9 Feb 2025 12:13:48 -0800 +Subject: [PATCH] Manually backporting some of the null pointer guards from + Issue #1866 to the 1.3.8 branch. + +--- + modules/mod_ls.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/modules/mod_ls.c b/modules/mod_ls.c +index 5458ccc74d..980691b9d6 100644 +--- a/modules/mod_ls.c ++++ b/modules/mod_ls.c +@@ -2,7 +2,7 @@ + * ProFTPD - FTP server daemon + * Copyright (c) 1997, 1998 Public Flood Software + * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu <[email protected]> +- * Copyright (c) 2001-2022 The ProFTPD Project ++ * Copyright (c) 2001-2024 The ProFTPD Project + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -360,7 +360,8 @@ static int sendline(int flags, char *fmt, ...) { + errno != 0) { + int xerrno = errno; + +- if (session.d != NULL) { ++ if (session.d != NULL && ++ session.d->outstrm != NULL) { + xerrno = PR_NETIO_ERRNO(session.d->outstrm); + } + +@@ -1101,7 +1102,9 @@ static int outputfiles(cmd_rec *cmd) { + return res; + } + +- tail->down = NULL; ++ if (tail != NULL) { ++ tail->down = NULL; ++ } + tail = NULL; + colwidth = (colwidth | 7) + 1; + if (opt_l || !opt_C) { diff -Nru proftpd-dfsg-1.3.8+dfsg/debian/patches/series proftpd-dfsg-1.3.8+dfsg/debian/patches/series --- proftpd-dfsg-1.3.8+dfsg/debian/patches/series 2024-11-30 23:32:48.000000000 +0100 +++ proftpd-dfsg-1.3.8+dfsg/debian/patches/series 2026-05-01 22:00:38.000000000 +0200 @@ -21,3 +21,6 @@ bcec15efe6c53dac40420731013f1cd2fd54123b.diff 97bbe68363ccf2de0c07f67170ec64a8b4d62592.diff 5031d498a71c493b9659e2b5ccafde58b0897e30.diff +9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff +3cf5ad4b7e6df0e5a980aeab9021ef25c63dbfd6.diff +2052_pghmcfc.diff
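Review bot: the changelog hunk's third entry, "Add patch for CVE-2026-42167 (Closes: #1135119)", names neither the upstream issue (#2052) nor the patch file (2052_pghmcfc.diff), and that patch's own header mentions neither the CVE nor #1135119; the same gap exists for 9b2b4a3e32d251798bf8fa841b124ab15ba58f11.diff, whose subject cites only Issue #1866 while the changelog credits it to CVE-2024-57392. Suggest adding DEP-3 `Bug:` / `Bug-Debian:` lines to those two patch headers, or stating the issue numbers in the changelog entries, so the CVE-to-patch mapping is traceable from the package alone.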
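Review bot: in the sql_resolved_append_text hunk of 2052_pghmcfc.diff the `already_escaped == FALSE` path still depends on the is_escaped_text() heuristic (leading and trailing `'` with no other `'` in between), so the two callers that pass FALSE at `@@ -1072,7 +1097,7 @@` and `@@ -3173,7 +3198,7 @@` keep the old behaviour; the added comment says "Some callers may have already escaped the provided text for us" but does not say which. Suggest a comment at those two call sites (or a line in the patch header) confirming that the text reaching them is not client-supplied, so the preemptive-escape case list in sql_resolve_on_meta stays the single place where remotely supplied values are handled and nobody later routes such a value through the FALSE path.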
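Review bot: in the radius_verify_auth_mac hunk the new `memset(attrib->data, '\0', expected_len)` uses `expected_len`, which is not defined in the visible context, while the unchanged `memcpy(replied, attrib->data, attrib_len)` two lines above still copies `attrib_len` bytes into the fixed-size `replied` buffer. Suggest confirming (and saying so in the new comment) that `attrib_len` is compared against `expected_len` (16, per RFC 2869) before that memcpy, so a Message-Authenticator attribute of the wrong length is rejected outright rather than partially zeroed and then compared.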
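Review bot: the outputfiles hunk in mod_ls.c guards `tail->down = NULL` with `if (tail != NULL)` but then falls through to `tail = NULL;` and `colwidth = (colwidth | 7) + 1;` as if a row list existed; a one-line comment stating under which condition `tail` is NULL here and why continuing is correct would help the next reader. Since the subject says only "some of the null pointer guards" from Issue #1866 were backported, the patch header should also list which guards were left out and why.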
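The RADIUS Message-Authenticator check that item 3 of [ Impact ] and the mod_radius.c patch are about, as an added example in Python that is neither ProFTPD's code nor part of this report: it builds a constructed Access-Request / Access-Accept exchange, computes the attribute per RFC 2869 section 5.14 (HMAC-MD5 with the shared secret over the packet, the 16-byte attribute value zeroed and the Authenticator field set to the Request Authenticator), and verifies it with a constant-time compare. The shared secret, authenticator bytes, user name and NAS identifier are constructed sample values. A verifier of this shape rejects an attribute whose length is not 16 instead of zeroing a different number of bytes, and treats any malformed packet as a verification failure rather than an exception.

```python
"""Added example (not ProFTPD code): RFC 2869 Message-Authenticator build and verify."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 section 5.14
MAC_LEN = 16                      # HMAC-MD5 output; the attribute value is always 16 bytes


def build_packet(code, identifier, authenticator, attributes):
    """Serialise a RADIUS packet (RFC 2865 section 3): 20-byte header plus TLV attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b""
    for attr_type, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        body += struct.pack("BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def find_attribute(packet, attr_type):
    """Walk the attribute list; return (value_offset, value_len) of the first match, or None."""
    off = 20
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed attribute length")
        if t == attr_type:
            return off + 2, length - 2
        off += length
    return None


def expected_message_authenticator(packet, secret, request_authenticator):
    """HMAC-MD5(secret, packet) with the Message-Authenticator value zeroed (exactly 16 bytes)
    and the Authenticator field replaced by the Request Authenticator. For an Access-Request
    the Request Authenticator is the packet's own, so that replacement is a no-op."""
    location = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if location is None:
        raise ValueError("no Message-Authenticator attribute")
    off, vlen = location
    if vlen != MAC_LEN:
        # Wrong-length attribute: refuse, never zero "whatever length arrived".
        raise ValueError("Message-Authenticator must be exactly 16 bytes")
    buf = bytearray(packet)
    buf[4:20] = request_authenticator
    buf[off:off + MAC_LEN] = bytes(MAC_LEN)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()


def sign_packet(packet, secret, request_authenticator):
    """Fill in the Message-Authenticator of a packet built with a 16-byte zero placeholder."""
    mac = expected_message_authenticator(packet, secret, request_authenticator)
    off, _ = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    return packet[:off] + mac + packet[off + MAC_LEN:]


def verify_message_authenticator(packet, secret, request_authenticator):
    """True only for a well-formed, correctly signed packet; malformed input is a failure."""
    try:
        expected = expected_message_authenticator(packet, secret, request_authenticator)
        off, vlen = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    except ValueError:
        return False
    return hmac.compare_digest(packet[off:off + vlen], expected)


def demo():
    """Constructed exchange (sample values only) plus the failure cases a verifier must catch."""
    secret = b"constructed-shared-secret"      # constructed, not a real secret
    req_auth = bytes(range(16))                 # constructed Request Authenticator
    request = sign_packet(build_packet(ACCESS_REQUEST, 7, req_auth, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_NAS_IDENTIFIER, b"ftp.example.test"),
        (ATTR_MESSAGE_AUTHENTICATOR, bytes(MAC_LEN)),
    ]), secret, req_auth)
    # For a response the HMAC is computed with req_auth in the Authenticator field, so the
    # value placed in the header here is irrelevant to the Message-Authenticator check.
    accept = sign_packet(build_packet(ACCESS_ACCEPT, 7, bytes(16), [
        (ATTR_MESSAGE_AUTHENTICATOR, bytes(MAC_LEN)),
    ]), secret, req_auth)

    tampered = request.replace(b"alice", b"bobby")   # same length, MAC no longer matches
    # 17-byte attribute value: rejected rather than zeroed to a non-standard length.
    bad_len = build_packet(ACCESS_REQUEST, 8, req_auth,
                           [(ATTR_MESSAGE_AUTHENTICATOR, bytes(17))])
    return {
        "request_ok": verify_message_authenticator(request, secret, request[4:20]),
        "accept_ok": verify_message_authenticator(accept, secret, req_auth),
        "tampered_rejected": not verify_message_authenticator(tampered, secret, tampered[4:20]),
        "wrong_secret_rejected": not verify_message_authenticator(request, b"other", request[4:20]),
        "bad_length_rejected": not verify_message_authenticator(bad_len, secret, req_auth),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the wrong-length case is the one the mod_radius.c comment makes: RFC 2869 fixes the attribute value at 16 bytes, so the verifier should decide on that length up front instead of deriving the zeroed region from whatever length the peer sent.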