Your message dated Sat, 18 Oct 2014 12:06:31 +0100
with message-id <E1XfRqB-0002Ua-BO@jacala>
and subject line Closing bugs for updates in 7.7
has caused the Debian Bug report #760557,
regarding pu: package proftpd-dfsg/1.3.4a-5+deb7u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
760557: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760557
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: wishlist
User: release.debian....@packages.debian.org
Usertags: pu
Tags: wheezy
X-Debbugs-CC: proftpd-d...@packages.debian.org
Hi,
I'd like to fix #738067 in stable, which is a crash in ProFTPD's SFTP
module with larger files. The fix is trivial - two instances of memcpy
become memmove (yay overlapping regions); a debdiff is attached.
We've been running packages containing the fix at $dayjob for a few
months with no issues.
I've mentioned the fix to the maintainers a few times, at least once on
IRC and via the BTS and @packages.d.o but not received a {,n}ack. I've
X-Debbugs-CCed them in case they wish to comment.
Regards,
Adam
diff -Nru proftpd-dfsg-1.3.4a/debian/changelog proftpd-dfsg-1.3.4a/debian/changelog
--- proftpd-dfsg-1.3.4a/debian/changelog 2013-09-28 17:57:27.000000000 +0100
+++ proftpd-dfsg-1.3.4a/debian/changelog 2014-09-04 15:33:47.000000000 +0100
@@ -1,3 +1,10 @@
+proftpd-dfsg (1.3.4a-5+deb7u2) wheezy; urgency=low
+
+ * Non-maintainer upload.
+ * Fix SFTP crash with large files (Closes: #738067)
+
+ -- Adam D. Barratt <a...@adam-barratt.org.uk> Thu, 04 Sep 2014 15:33:21 +0100
+
proftpd-dfsg (1.3.4a-5+deb7u1) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
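Review bot: the new `1.3.4a-5+deb7u2` changelog entry closes #738067 but says nothing about where the fix comes from, although the added patch carries an upstream `Index:`/RCS header and its comment cites upstream Bug#3743; for a stable update the release team will want that provenance in the changelog, e.g. ` * Fix SFTP crash with large files by switching two overlapping memcpy(3) calls in mod_sftp to memmove(3); patch taken from upstream (upstream bug 3743; Closes: #738067)`.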
diff -Nru proftpd-dfsg-1.3.4a/debian/patches/series proftpd-dfsg-1.3.4a/debian/patches/series
--- proftpd-dfsg-1.3.4a/debian/patches/series 2013-09-28 17:46:11.000000000 +0100
+++ proftpd-dfsg-1.3.4a/debian/patches/series 2014-09-04 15:34:45.000000000 +0100
@@ -12,3 +12,4 @@
use_hypen_in_manpage
3841
CVE-2013-4359.patch
+sftp_crash_memmove
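Review bot: `sftp_crash_memmove` is added to `series` without the `.patch` suffix that the neighbouring `CVE-2013-4359.patch` entry uses; naming the file `sftp_crash_memmove.patch` keeps the series consistent and lets quilt-aware tooling and reviewers recognise it as a patch at a glance.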
diff -Nru proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove
--- proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove 1970-01-01 01:00:00.000000000 +0100
+++ proftpd-dfsg-1.3.4a/debian/patches/sftp_crash_memmove 2014-09-04 15:34:03.000000000 +0100
@@ -0,0 +1,48 @@
+Index: contrib/mod_sftp/fxp.c
+===================================================================
+RCS file: /cvsroot/proftp/proftpd/contrib/mod_sftp/fxp.c,v
+retrieving revision 1.139
+diff -u -r1.139 fxp.c
+--- a/contrib/mod_sftp/fxp.c 15 Feb 2012 22:10:56 -0000 1.139
++++ b/contrib/mod_sftp/fxp.c 15 Feb 2012 22:30:19 -0000
+@@ -2511,7 +2511,18 @@
+ fxp_packet_data_allocsz += sz;
+ }
+
+- memcpy(curr_buf, data, datalen);
++ /* We explicitly want to use memmove(3) here rather than memcpy(3),
++ * since it is possible (and likely) that after reading data out
++ * of this buffer, there will be leftover data which is put back into
++ * the buffer, only at a different offset. This means that the
++ * source and destination pointers CAN overlap; using memcpy(3) would
++ * lead to subtle memory copy issue (e.g. Bug#3743).
++ *
++ * This manifested as hard-to-reproduce SFTP upload/download stalls,
++ * segfaults, etc, due to corrupted memory being read out as
++ * packet lengths and such.
++ */
++ memmove(curr_buf, data, datalen);
+ curr_buflen = datalen;
+
+ return;
+@@ -2556,8 +2567,18 @@
+ }
+ }
+
+- /* Append the SSH2 data to the current unconsumed buffer. */
+- memcpy(curr_buf + curr_buflen, data, datalen);
++ /* We explicitly want to use memmove(3) here rather than memcpy(3),
++ * since it is possible (and likely) that after reading data out
++ * of this buffer, there will be leftover data which is put back into
++ * the buffer, only at a different offset. This means that the
++ * source and destination pointers CAN overlap; using memcpy(3) would
++ * lead to subtle memory copy issue (e.g. Bug#3743).
++ *
++ * This manifested as hard-to-reproduce SFTP upload/download stalls,
++ * segfaults, etc, due to corrupted memory being read out as
++ * packet lengths and such.
++ */
++ memmove(curr_buf + curr_buflen, data, datalen);
+ curr_buflen += datalen;
+ }
+
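Review bot: the patch file has no DEP-3 header (`Description:`, `Origin:`, `Bug:`, `Bug-Debian:`), so the only record linking it to #738067 and upstream Bug#3743 is the C comment inside the hunk; a header such as `Origin: upstream` / `Bug-Debian: http://bugs.debian.org/738067` at the top of the file would let the stable release team trace it without reading the code. Two smaller points in the same hunk: the 11-line justification comment is pasted verbatim at both call sites, where a full comment at the first site and a one-line cross-reference at the second would do, and the second site drops the original `/* Append the SSH2 data to the current unconsumed buffer. */` line, which described what the memmove does and is worth keeping above the new comment.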
--- End Message ---
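The patch's rationale, that leftover bytes put back into the buffer at a different offset make source and destination overlap, is shown below in a small self-contained C model. This is an added example, not code from ProFTPD or from the debdiff; the buffer type and the functions `pktbuf_consume`, `pktbuf_append`, `regions_overlap` and `demo` are hypothetical names modelled on the `curr_buf`/`curr_buflen` pattern in the hunk.

```c
/* Added example (not ProFTPD code): an unconsumed-data buffer whose
 * compaction step overlaps, so memmove(3) is required, not memcpy(3). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_CAP 64

/* Hypothetical stand-in for curr_buf / curr_buflen. */
struct pktbuf {
    uint8_t data[BUF_CAP];
    size_t len;                 /* bytes not yet consumed by the parser */
};

/* 1 if [a, a+n) and [b, b+n) share any byte. memcpy(3) on such
 * regions is undefined behaviour; memmove(3) handles them correctly. */
int regions_overlap(const void *a, const void *b, size_t n) {
    const uint8_t *pa = a, *pb = b;
    return pa < pb + n && pb < pa + n;
}

/* Drop the first `consumed` bytes and shift the remainder to the front.
 * Source (data + consumed) and destination (data) overlap whenever
 * consumed < len, which is exactly the situation the patch describes. */
int pktbuf_consume(struct pktbuf *b, size_t consumed) {
    if (consumed > b->len)
        return -1;              /* refuse to read past the live region */
    size_t left = b->len - consumed;
    memmove(b->data, b->data + consumed, left);
    b->len = left;
    return 0;
}

/* Append freshly read bytes; reject rather than overflow the fixed buffer. */
int pktbuf_append(struct pktbuf *b, const uint8_t *src, size_t n) {
    if (n > BUF_CAP - b->len)
        return -1;
    memmove(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Worked case on constructed data: 8 bytes in, consume 3, append 2.
 * Returns 1 when the compaction overlapped and the content survived. */
int demo(void) {
    struct pktbuf b = { .len = 0 };
    if (pktbuf_append(&b, (const uint8_t *)"ABCDEFGH", 8) != 0) return 0;
    int overlapped = regions_overlap(b.data, b.data + 3, 5);
    if (pktbuf_consume(&b, 3) != 0) return 0;
    if (pktbuf_append(&b, (const uint8_t *)"IJ", 2) != 0) return 0;
    return overlapped && b.len == 7 && memcmp(b.data, "DEFGHIJ", 7) == 0;
}
```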
--- Begin Message ---
Version: 7.7
The upload discussed in this bug was included in the 7.7 point release.
Regards,
Adam
--- End Message ---