proftpd sql injection

Bug #508738 reported by Jan Hagemeyer
Affects                Status        Importance  Assigned to  Milestone
proftpd-dfsg (Ubuntu)  Fix Released  High        Unassigned
Jaunty                 Fix Released  High        Unassigned
Lucid                  Fix Released  High        Unassigned

Bug Description

Binary package hint: proftpd

Description: Ubuntu 9.04
Release: 9.04

affected package:
proftpd 1.3.1-17ubuntu1

If you are using MySQL-based authentication (proftpd-mod-mysql), it is possible to log in with any of the virtual users without knowing the password.

I will report detailed information to the security team if it's needed.

It seems that this issue has already been fixed in Debian 1.3.1-17lenny4.

Jan Hagemeyer (janhg)
summary: - sql injection
+ proftpd sql injection
Jan Hagemeyer (janhg)
affects: proftpd (Ubuntu) → proftpd-dfsg (Ubuntu)
Jan Hagemeyer (janhg)
Changed in proftpd-dfsg (Ubuntu):
status: New → In Progress
assignee: nobody → Jan Hagemeyer (janhg)
Jan Hagemeyer (janhg) wrote :
Changed in proftpd-dfsg (Ubuntu):
status: In Progress → Confirmed
assignee: Jan Hagemeyer (janhg) → nobody
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff! Unfortunately the patch does not follow the procedure listed in https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing%20an%20update, specifically https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging.

A quick glance at the debdiff shows that:
1. the pocket is not set to jaunty-security
2. the version used is incorrect
3. the changelog does not contain enough information
4. the patches don't follow https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines

Marking as Incomplete, assigning the submitter and unsubscribing ubuntu-security-sponsors. Jan, can you review the packaging procedures and update your debdiff accordingly? When you attach your new debdiff, please resubscribe ubuntu-security-sponsors. Thanks!

Changed in proftpd-dfsg (Ubuntu):
assignee: nobody → Jan Hagemeyer (janhg)
importance: Undecided → High
status: Confirmed → Incomplete
Jan Hagemeyer (janhg) wrote : Re: [Bug 508738] Re: proftpd sql injection

Jamie Strandboge wrote:
> Jan, can you review the packaging procedures and
> update your debdiff accordingly?

Ok I will try.
Thx for the clues.

Jan

Jan Hagemeyer (janhg) wrote :
Jan Hagemeyer (janhg) wrote :

Hi,

> A quick glance at the debdiff shows that:
> 1. the pocket is not set to jaunty-security

 done.

> 2. the version used is incorrect

hoping 1.3.1-17ubuntu1.1 is correct.

> 3. the changelog does not contain enough information

added some more.

> 4. the patches don't follow https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines

tried to make them deb-3 conform.

Jan

Jan Hagemeyer (janhg) wrote :

And also I removed all non-security patches, that I've added in the previous version.

Jamie Strandboge (jdstrand) wrote :

Jan, thanks for the updates. This is much better. A couple of things to note:
1. in Ubuntu to reference a bug you should use 'LP: #......' instead of 'closes #......'
2. it is always best to give the URL to the commit that contains the patch. You presumably know where it is but without the URL the sponsor must hunt for it. If using DEP-3 in the patch, use the 'Upstream: <url>' tag, otherwise add the URL to the changelog
3. The changelog text is too wide (it should be 80 characters max) and the format of the changelog does not conform to the procedures detailed in SecurityTeam/UpdateProcedures

I verified these patches with Debian, so I'll fix the above up and upload.

Changed in proftpd-dfsg (Ubuntu):
assignee: Jan Hagemeyer (janhg) → nobody
status: Incomplete → Confirmed
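
Added example, not part of the thread and not Ubuntu's own tooling: the review points raised above (the -security pocket, 'LP: #' bug references, the 80-character limit) checked mechanically against a changelog entry. The names lint_changelog, UPLOADED and DRAFT are hypothetical; UPLOADED is the start of the entry that was eventually published for this bug, and DRAFT is a constructed entry that breaks each rule.

```python
import re

# Header of a debian/changelog entry: "package (version) pocket; urgency=level"
HEADER_RE = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<pocket>\S+); urgency=\S+")
MAX_WIDTH = 80  # limit quoted in the review comment

# First stanza of the entry published for this bug.
UPLOADED = """\
proftpd-dfsg (1.3.1-17ubuntu1.1) jaunty-security; urgency=low

  * Security: added 3124.dpatch patch to manage another SQL injection due to %
    variable substitution in user/group names. This is fixed in 1.3.2. This is
    CVE-2009-0542. (LP: #508738)
"""

# Constructed for illustration: wrong pocket, over-long line, Debian-style bug reference.
DRAFT = """\
proftpd-dfsg (1.3.1-17ubuntu1.1) jaunty; urgency=low

  * Security: fix SQL injection due to % variable substitution in user/group names, CVE-2009-0542 (closes #508738)
"""


def lint_changelog(entry):
    """Return a list of findings for one changelog entry (empty list means clean)."""
    lines = entry.splitlines()
    header = HEADER_RE.match(lines[0]) if lines else None
    if header is None:
        return ["header line is not 'package (version) pocket; urgency=...'"]
    findings = []
    # Security uploads target the <release>-security pocket.
    if not header.group("pocket").endswith("-security"):
        findings.append("pocket %r is not a -security pocket" % header.group("pocket"))
    for number, line in enumerate(lines, start=1):
        if len(line) > MAX_WIDTH:
            findings.append("line %d is %d characters wide (max %d)"
                            % (number, len(line), MAX_WIDTH))
        # 'closes #N' does not link the upload to a Launchpad bug.
        if re.search(r"closes:?\s*#\d+", line, re.IGNORECASE):
            findings.append("line %d uses 'closes #' instead of 'LP: #'" % number)
    if not re.search(r"LP: #\d+", entry):
        findings.append("no 'LP: #<bug>' reference")
    return findings


if __name__ == "__main__":
    for name, entry in (("UPLOADED", UPLOADED), ("DRAFT", DRAFT)):
        print(name, lint_changelog(entry) or "clean")
```
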
Jamie Strandboge (jdstrand) wrote :

Lucid (1.3.2c-1) is not affected by these.

Changed in proftpd-dfsg (Ubuntu Lucid):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Jaunty ACK'd

Changed in proftpd-dfsg (Ubuntu Jaunty):
importance: Undecided → High
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Uploaded to security PPA.

Changed in proftpd-dfsg (Ubuntu Jaunty):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package proftpd-dfsg - 1.3.1-17ubuntu1.1

---------------
proftpd-dfsg (1.3.1-17ubuntu1.1) jaunty-security; urgency=low

  * Security: added 3124.dpatch patch to manage another SQL injection due to %
    variable substitution in user/group names. This is fixed in 1.3.2. This is
    CVE-2009-0542. (LP: #508738)

  * Security: added 3173fix.dpatch to use PQescapeStringConn() instead of the
    deprecated PQescapeString(), which does not honour the encoding.
    This is referred to the previous fix of #3173 aka CVE-2009-0543.

  * Security: added 3275.dpatch as taken from 1.3.2b branch to fix
    CVE-2009-3639.
 -- Jan Hagemeyer <email address hidden> Tue, 19 Jan 2010 19:14:30 +0100

Changed in proftpd-dfsg (Ubuntu Jaunty):
status: Fix Committed → Fix Released