Discussion:
[ProFTPD-committers] [Bug 3614] Malicious module can use sreplace() function to overflow buffer
b***@horde.net
2011-03-09 21:34:11 UTC
http://bugs.proftpd.org/show_bug.cgi?id=3614

TJ Saunders <***@castaglia.org> changed:

       What|Removed                 |Added
----------------------------------------------------------------------------
   Keywords|                        |Backport
   Priority|P2                      |P4
     Status|NEW                     |ASSIGNED
         CC|                        |***@debian.org,
           |                        |***@city-fan.org,
           |                        |***@castaglia.org
    Version|CVS                     |1.3.3
    Summary|possible buffer overrun |Malicious module can use
           |                        |sreplace() function to
           |                        |overflow buffer

--- Comment #1 from TJ Saunders <***@castaglia.org> 2011-03-09 16:34:10 EST ---
The sreplace() function attempts to put a limit on the number of
matches/replacements which it will perform on the given string. As correctly
pointed out, code which provides a string which leads to more than 131 matches
will overflow a buffer.

This is not a remote vulnerability; a module would have to be written which
executed this kind of sreplace() call intentionally.
--
Configure bugmail: http://bugs.proftpd.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
b***@horde.net
2011-03-09 21:35:39 UTC
http://bugs.proftpd.org/show_bug.cgi?id=3614

--- Comment #2 from TJ Saunders <***@castaglia.org> 2011-03-09 16:35:39 EST ---
Created attachment 3572
--> http://bugs.proftpd.org/attachment.cgi?id=3572
Fixes problem

This patch fixes the bug by a) adding an explicit maximum number of matches,
and b) making sure that sreplace uses this limit, rather than sizeof() on a
buffer, to determine when that limit has been reached.
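The bug class described in Comments #1 and #2, as an added example that is not ProFTPD's code or the attached patch: a match limit derived from sizeof() on a pointer array counts bytes rather than slots, while an explicit maximum bounds the loop correctly. MAX_MATCHES, SLOTS and every function name here are assumptions made for illustration; the array size of 33 is chosen only so that 4-byte pointers reproduce the 131 figure.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MATCHES 32           /* explicit limit (assumed value) */
#define SLOTS (MAX_MATCHES + 1)  /* +1 slot for the NULL terminator */

/* Bound as the flawed check computes it: sizeof() counts BYTES. With 33
 * four-byte pointers this is 131, the figure quoted in Comment #1. */
size_t byte_bound(void) {
  const char *marr[SLOTS];
  return sizeof(marr) - 1;
}

/* Slots written past the end of a SLOTS-element array by a loop that
 * stops only after `bound` matches, given `matches` occurrences. */
size_t slots_overrun(size_t bound, size_t matches) {
  size_t writes = matches < bound ? matches : bound;
  return writes > SLOTS ? writes - SLOTS : 0;
}

/* Hardened recorder: stops at MAX_MATCHES no matter how many occur. */
size_t record_matches(const char *hay, const char *needle,
                      const char *out[SLOTS]) {
  size_t n = 0, len = strlen(needle);
  const char *p = hay;
  while (len > 0 && n < MAX_MATCHES && (p = strstr(p, needle)) != NULL) {
    out[n++] = p;   /* n < MAX_MATCHES, so this stays inside the array */
    p += len;
  }
  out[n] = NULL;    /* n <= MAX_MATCHES, so the terminator fits too */
  return n;
}

/* Constructed input: `count` copies of "%u" run through the recorder. */
size_t demo_recorded(size_t count) {
  char hay[1024] = "";
  const char *out[SLOTS];
  for (size_t i = 0; i < count && i < 500; i++)
    memcpy(hay + 2 * i, "%u", 3);   /* copies the trailing NUL as well */
  return record_matches(hay, "%u", out);
}

int main(void) {
  printf("byte-based bound: %zu, element slots: %d\n", byte_bound(), SLOTS);
  printf("overrun with 200 matches: %zu slots (byte bound), %zu (explicit)\n",
         slots_overrun(byte_bound(), 200), slots_overrun(MAX_MATCHES, 200));
  printf("matches recorded from 200 occurrences: %zu\n", demo_recorded(200));
  return 0;
}
```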
b***@horde.net
2011-03-09 22:17:25 UTC
http://bugs.proftpd.org/show_bug.cgi?id=3614

TJ Saunders <***@castaglia.org> changed:

       What|Removed                 |Added
----------------------------------------------------------------------------
     Status|ASSIGNED                |RESOLVED
 Resolution|                        |FIXED

--- Comment #3 from TJ Saunders <***@castaglia.org> 2011-03-09 17:17:24 EST ---
Patch committed to CVS with accompanying unit test, and backported to the 1.3.3
branch.
b***@horde.net
2011-04-06 07:50:48 UTC
http://bugs.proftpd.org/show_bug.cgi?id=3614

TJ Saunders <***@castaglia.org> changed:

       What|Removed                 |Added
----------------------------------------------------------------------------
     Status|RESOLVED                |CLOSED

--- Comment #4 from TJ Saunders <***@castaglia.org> 2011-04-06 03:50:47 EDT ---
Resolved in 1.3.4rc2.