[LWN Logo]
[Timeline]
Date:         Tue, 6 Feb 2001 20:17:33 -0500
From: John Morrissey <jwm@HORDE.NET>
Subject:      Response to ProFTPD issues
To: BUGTRAQ@SECURITYFOCUS.COM

=======
Summary
=======

Three issues with the ProFTPD FTP server have been reported to BUGTRAQ in
the past month. These issues have been addressed by the ProFTPD core team.

The following vulnerabilities are addressed in this advisory:

1. "SIZE memory leak"
   http://www.securityfocus.com/archive/1/151991
   Reported by Wojciech Purczynski <wp@ELZABSOFT.PL>

2. "USER memory leak"
   http://www.securityfocus.com/archive/1/155349
   Reported by Wojciech Purczynski <wp@ELZABSOFT.PL>

3. "Minor format string vulnerabilities"
   http://www.securityfocus.com/archive/1/155428
   Reported by Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>

All three are thought to exist in all previous 1.2.0 test releases,
(1.2.0pre[1-10], 1.2.0rc[1-2]). All three now have been fixed, and patches
have been committed to the ProFTPD CVS repository. A new release, 1.2.0rc3,
containing these fixes has been made available as of 5 February and is
available from:

        http://www.proftpd.org/download.html
        ftp://ftp.proftpd.org/distrib/proftpd-1.2.0rc3.tar.gz

Instructions for accessing the CVS repository via Anonymous CVS are
available at:

        http://www.proftpd.org/docs/cvs.html


=====================
1. "SIZE memory leak"
=====================

ProFTPD may leak memory when commands are executed. However, this leak will
take place *only* if ProFTPD's scoreboard file is not writable. If ProFTPD
is installed properly and is allowed to write to the scoreboard file, no
leak will take place. The scoreboard file is created in
/usr/local/var/proftpd/ in a standard installation from source. If you did
not install ProFTPD from sources, please contact your vendor for the
intended location of your scoreboard file.

More information, including patches, can be found at
http://bugs.proftpd.net/show_bug.cgi?id=408

=====================
2. "USER memory leak"
=====================

A memory leak in the USER command was found. Issuing additional USER
commands causes the ProFTPD server to consume additional memory.

More information, including patches, can be found at
http://bugs.proftpd.net/show_bug.cgi?id=408

========================================
3. "Minor format string vulnerabilities"
========================================

Two minor format string vulnerabilities were found in ProFTPD. Due to the
nature of the data processed by the affected sections of code, these
vulnerabilities are very difficult, if not impossible, to exploit.

A full audit was done on the callers of any functions that accept
printf-like format arguments. One minor, unexploitable issue was found in a
third-party module (mod_ratio) and has been fixed. No other format string
vulnerabilites were found.

More information, including patches, can be found at
http://bugs.proftpd.net/show_bug.cgi?id=430

--
John Morrissey          _o            /\         ----  __o
jwm@horde.net        _-< \_          /  \       ----  <  \,
www.horde.net/    __(_)/_(_)________/    \_______(_) /_(_)__