Bug 843444 (CVE-2013-4359)

Summary: VUL-0: CVE-2013-4359: proftpd: remote denial of service
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: chris, meissner, security-team, vpereira
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2013-10-01 08:53:51 UTC
public via cve db

CVE-2013-4359

Integer overflow in kbdint.c in mod_sftp in ProFTPD 1.3.4d and 1.3.5r3 allows remote attackers to cause a denial of service (memory consumption) via a large response count value in an authentication request, which triggers a large memory allocation.

Reference: MLIST: http://www.openwall.com/lists/oss-security/2013/09/17/6
Reference: MISC: http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/
Reference: CONFIRM: http://bugs.proftpd.org/show_bug.cgi?id=3973
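The CVE text above says the response count in a keyboard-interactive authentication request feeds a memory allocation. The C below is an added illustration of that bug class written for this page; it is not ProFTPD's kbdint.c and makes no claim about how mod_sftp is structured. It parses the body of an SSH_MSG_USERAUTH_INFO_RESPONSE (RFC 4256: a uint32 num-responses followed by that many length-prefixed strings), first in the unchecked form where the allocation size is count * sizeof(char *), then with the count bounded both by a cap and by what the packet could physically carry. The sample messages, the cap MAX_KBDINT_RESPONSES and every function name are constructed for the example.

```c
/* Added example, not ProFTPD's kbdint.c: parsing the body of an SSH
 * SSH_MSG_USERAUTH_INFO_RESPONSE (RFC 4256): uint32 num-responses, then
 * that many length-prefixed strings. The message type byte is assumed to
 * have been consumed already. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for this example: a generous cap on responses per request.
 * Servers only ever ask a handful of prompts, so a client claiming more
 * is malformed or hostile. */
#define MAX_KBDINT_RESPONSES 64

/* Constructed sample messages (not captured traffic). */
static const unsigned char GOOD_MSG[] = {
    0x00, 0x00, 0x00, 0x01,                          /* num-responses = 1 */
    0x00, 0x00, 0x00, 0x06, 's','e','c','r','e','t'  /* string "secret" */
};
static const unsigned char HUGE_COUNT_MSG[] = {
    0xFF, 0xFF, 0xFF, 0xFF   /* num-responses = 4294967295, nothing follows */
};
static const unsigned char SHORT_MSG[] = {
    0x00, 0x00, 0x00, 0x02,                          /* claims 2 responses ... */
    0x00, 0x00, 0x00, 0x01, 'x'                      /* ... but carries only one */
};

static uint32_t read_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the allocation size is derived directly from the
 * attacker-chosen count. Returned here instead of allocated so it can be
 * inspected: with count = 0xFFFFFFFF this is about 32 GiB on 64-bit, and on
 * 32-bit the product is taken modulo 2^32 (count 0x40000001 yields 4). */
size_t vuln_alloc_size(const unsigned char *msg, size_t len) {
    if (len < 4) return 0;
    return (size_t)read_u32(msg) * sizeof(char *);
}

void free_responses(char **resps, uint32_t count) {
    if (!resps) return;
    for (uint32_t i = 0; i < count; i++) free(resps[i]);
    free(resps);
}

/* Hardened pattern: reject a count that exceeds the cap or that the packet
 * could not possibly carry (every response needs at least its 4-byte length
 * prefix), and bounds-check every string before copying it.
 * Returns 0 on success with *out/*out_count set, -1 on any malformed input. */
int safe_parse_responses(const unsigned char *msg, size_t len,
                         char ***out, uint32_t *out_count) {
    *out = NULL;
    *out_count = 0;
    if (len < 4) return -1;

    uint32_t count = read_u32(msg);
    size_t off = 4;
    if (count > MAX_KBDINT_RESPONSES) return -1;
    if ((size_t)count > (len - off) / 4) return -1;

    char **resps = calloc(count ? count : 1, sizeof(char *));
    if (!resps) return -1;

    for (uint32_t i = 0; i < count; i++) {
        if (len - off < 4) goto fail;
        uint32_t slen = read_u32(msg + off);
        off += 4;
        if (slen > len - off) goto fail;
        resps[i] = malloc((size_t)slen + 1);
        if (!resps[i]) goto fail;
        memcpy(resps[i], msg + off, slen);
        resps[i][slen] = '\0';
        off += slen;
    }
    *out = resps;
    *out_count = count;
    return 0;

fail:
    free_responses(resps, count);
    return -1;
}

int main(void) {
    char **r = NULL;
    uint32_t n = 0;
    printf("unchecked allocation for HUGE_COUNT_MSG would be %zu bytes\n",
           vuln_alloc_size(HUGE_COUNT_MSG, sizeof HUGE_COUNT_MSG));
    printf("hardened parse of HUGE_COUNT_MSG: %s\n",
           safe_parse_responses(HUGE_COUNT_MSG, sizeof HUGE_COUNT_MSG, &r, &n) == 0 ? "accepted" : "rejected");
    printf("hardened parse of SHORT_MSG: %s\n",
           safe_parse_responses(SHORT_MSG, sizeof SHORT_MSG, &r, &n) == 0 ? "accepted" : "rejected");
    if (safe_parse_responses(GOOD_MSG, sizeof GOOD_MSG, &r, &n) == 0) {
        printf("GOOD_MSG: %u response(s), first = \"%s\"\n", n, r[0]);
        free_responses(r, n);
    }
    return 0;
}
```

The second check in safe_parse_responses is the one that matters against this class of bug: a cap alone can be set too high, but a count larger than (remaining bytes / 4) is impossible for a well-formed message regardless of configuration, so it can be rejected before any allocation is sized from it.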
Comment 1 Swamp Workflow Management 2013-10-01 22:00:33 UTC
bugbot adjusting priority
Comment 2 Christian Wittmer 2013-10-03 20:17:52 UTC
ongoing work
Comment 3 Christian Wittmer 2013-10-03 21:01:44 UTC
created request id 202094 for network/proftpd
Comment 4 Christian Wittmer 2013-10-03 21:20:36 UTC
Request 202094 accepted and forwarded to openSUSE:Factory / proftpd (request 202095)

Created maintenance release request for 12.2, 12.3
Comment 5 Bernhard Wiedemann 2013-10-03 22:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (843444) was mentioned in
https://build.opensuse.org/request/show/202095 Factory / proftpd
https://build.opensuse.org/request/show/202096 12.2+12.3 / proftpd
Comment 6 Marcus Meissner 2013-10-04 12:17:18 UTC
christian, I do not think the systemd changes done for factory and 12.3 will work in 12.2. :/

I can of course accept the update and we will check, but its unlikely.

How do you want to proceed?
Comment 7 Christian Wittmer 2013-10-04 14:47:02 UTC
hmm, not really familiar with systemd. Can you check it ?
I do not have a 12.2 system. I need to setup one first to check it.
Comment 8 Marcus Meissner 2013-10-13 08:22:13 UTC
seems to work on my 12.2 / systemd... lets try
Comment 10 Victor Pereira 2013-10-22 08:25:24 UTC
released
Comment 11 Swamp Workflow Management 2013-10-22 09:05:22 UTC
openSUSE-SU-2013:1563-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 787884,811793,843444
CVE References: CVE-2013-4359
Sources used:
openSUSE 12.3 (src):    proftpd-1.3.4d-4.4.5
openSUSE 12.2 (src):    proftpd-1.3.4d-2.5.1