[VIM] ProFTPD issues clarification
Steven M. Christey
coley at linus.mitre.org
Thu Nov 30 09:42:06 EST 2006
The recent ProFTPD disclosures have introduced a number of errors or
inconsistencies from different sources, but it looks like ProFTPD and the
distros have sorted it out. See below; I consulted with vendor-sec and
ProFTPD to clear this up. Note that mod_tls is a third party module.
- Steve
======================================================
Name: CVE-2006-5815
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5815
Reference: MISC:http://gleg.net/vulndisco_meta.shtml
Reference: CONFIRM:http://bugs.proftpd.org/show_bug.cgi?id=2858
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
Reference: DEBIAN:DSA-1218
Reference: URL:http://www.debian.org/security/2006/dsa-1218
Reference: MANDRIVA:MDKSA-2006:217
Reference: URL:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2006:217
Reference: OPENPKG:OpenPKG-SA-2006.035
Reference: URL:http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.035-proftpd.html
Reference: BID:20992
Reference: URL:http://www.securityfocus.com/bid/20992
Reference: FRSIRT:ADV-2006-4451
Reference: URL:http://www.frsirt.com/english/advisories/2006/4451
Reference: SECTRACK:1017167
Reference: URL:http://securitytracker.com/id?1017167
Reference: SECUNIA:22803
Reference: URL:http://secunia.com/advisories/22803
Reference: SECUNIA:22821
Reference: URL:http://secunia.com/advisories/22821
Reference: SECUNIA:23000
Reference: URL:http://secunia.com/advisories/23000
Reference: SECUNIA:23069
Reference: URL:http://secunia.com/advisories/23069
Reference: XF:proftpd-code-execution(30147)
Reference: URL:http://xforce.iss.net/xforce/xfdb/30147
Stack-based buffer overflow in the sreplace function in ProFTPD 1.3.0
and earlier, allows remote attackers to cause a denial of service, as
demonstrated by vd_proftpd.pm, a "ProFTPD remote exploit."
======================================================
Name: CVE-2006-6170
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6170
Reference: BUGTRAQ:20061121 Re: [ MDKSA-2006:217 ] - Updated proftpd packages fix vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/452228/100/100/threaded
Reference: BUGTRAQ:20061128 ProFTPD mod_tls pre-authentication buffer overflow
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/452872/100/0/threaded
Reference: FULLDISC:20061128 ProFTPD mod_tls pre-authentication buffer overflow
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050935.html
Reference: MISC:http://elegerov.blogspot.com/2006/10/do-you-remember-2-years-old-overflow.html
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
Reference: FRSIRT:ADV-2006-4745
Reference: URL:http://www.frsirt.com/english/advisories/2006/4745
Reference: SECUNIA:23141
Reference: URL:http://secunia.com/advisories/23141
Buffer overflow in the tls_x509_name_oneline function in the mod_tls
module, as used in ProFTPD 1.3.0a and earlier, and possibly other
products, allows remote attackers to execute arbitrary code via a
large data length argument, a different vulnerability than
CVE-2006-5815.
======================================================
Name: CVE-2006-6171
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6171
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
Reference: MISC:http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?r1=1.292&r2=1.293&sortby=date
** DISPUTED **
ProFTPD 1.3.0a and earlier does not properly set the buffer size limit
when CommandBufferSize is specified in the configuration file, which
leads to an off-by-two buffer underflow. NOTE: in November 2006, the
role of CommandBufferSize was originally associated with
CVE-2006-5815, but this was an error stemming from an initial vague
disclosure. NOTE: ProFTPD developers dispute this issue, saying that
the relevant memory location is overwritten by assignment before
further use within the affected function, so this is not a
vulnerability.
More information about the VIM
mailing list