* [Buildroot] [PATCH v2,1/1] package/pure-ftpd: fix CVE-2021-40524
@ 2021-11-23 22:36 Fabrice Fontaine
2021-11-28 13:37 ` [Buildroot] [PATCH v2, 1/1] " Peter Korsgaard
2021-12-11 22:41 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2021-11-23 22:36 UTC (permalink / raw)
To: buildroot; +Cc: Bernd Kuhls, Fabrice Fontaine
In Pure-FTPd 1.0.49, an incorrect max_filesize quota mechanism in the
server allows attackers to upload files of unbounded size, which may
lead to denial of service or a server hang. This occurs because a
certain greater-than-zero test does not anticipate an initial -1 value.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
Changes v1 -> v2:
- Add PURE_FTPD_IGNORE_CVES entry
...ad-file-size-when-quotas-are-enabled.patch | 33 +++++++++++++++++++
package/pure-ftpd/pure-ftpd.mk | 3 ++
2 files changed, 36 insertions(+)
create mode 100644 package/pure-ftpd/0004-Initialize-the-max-upload-file-size-when-quotas-are-enabled.patch
diff --git a/package/pure-ftpd/0004-Initialize-the-max-upload-file-size-when-quotas-are-enabled.patch b/package/pure-ftpd/0004-Initialize-the-max-upload-file-size-when-quotas-are-enabled.patch
new file mode 100644
index 0000000000..b269e6cfe7
--- /dev/null
+++ b/package/pure-ftpd/0004-Initialize-the-max-upload-file-size-when-quotas-are-enabled.patch
@@ -0,0 +1,33 @@
+From 37ad222868e52271905b94afea4fc780d83294b4 Mon Sep 17 00:00:00 2001
+From: Frank Denis <github@pureftpd.org>
+Date: Tue, 23 Nov 2021 18:53:34 +0100
+Subject: [PATCH] Initialize the max upload file size when quotas are enabled
+
+Due to an unwanted check, files causing the quota to be exceeded
+were deleted after the upload, but not during the upload.
+
+The bug was introduced in 2009 in version 1.0.23
+
+Spotted by @DroidTest, thanks!
+
+[Retrieved from:
+https://github.com/jedisct1/pure-ftpd/commit/37ad222868e52271905b94afea4fc780d83294b4]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/ftpd.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/ftpd.c b/src/ftpd.c
+index d856839..be2fd78 100644
+--- a/src/ftpd.c
++++ b/src/ftpd.c
+@@ -4247,8 +4247,7 @@ void dostor(char *name, const int append, const int autorename)
+ if (quota_update("a, 0LL, 0LL, &overflow) == 0 &&
+ (overflow > 0 || quota.files >= user_quota_files ||
+ quota.size > user_quota_size ||
+- (max_filesize >= (off_t) 0 &&
+- (max_filesize = user_quota_size - quota.size) < (off_t) 0))) {
++ (max_filesize = user_quota_size - quota.size) < (off_t) 0)) {
+ overflow = 1;
+ (void) close(f);
+ goto afterquota;
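Review bot: In the src/ftpd.c hunk for dostor(), the assignment `(max_filesize = user_quota_size - quota.size) < (off_t) 0` is still the last operand of a short-circuit chain, so max_filesize is set only when quota_update() returns 0 and none of the earlier `||` operands is true. The earlier operands all end in `overflow = 1` and `goto afterquota`, so skipping the assignment there is harmless. If quota_update() returns non-zero, though, the whole test is skipped and max_filesize keeps whatever it held before, which the commit description gives as an initial -1. It is worth confirming against upstream that this failure path cannot reach the upload loop without a limit. Computing max_filesize in its own statement before the `if` would make the initialization explicit and easier to audit than a side effect inside the condition.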
diff --git a/package/pure-ftpd/pure-ftpd.mk b/package/pure-ftpd/pure-ftpd.mk
index 7e3d18b433..35a1aac917 100644
--- a/package/pure-ftpd/pure-ftpd.mk
+++ b/package/pure-ftpd/pure-ftpd.mk
@@ -21,6 +21,9 @@ PURE_FTPD_IGNORE_CVES += CVE-2020-9365
# 0003-diraliases-always-set-the-tail-of-the-list-to-NULL.patch
PURE_FTPD_IGNORE_CVES += CVE-2020-9274
+# 0004-Initialize-the-max-upload-file-size-when-quotas-are-enabled.patch
+PURE_FTPD_IGNORE_CVES += CVE-2021-40524
+
PURE_FTPD_CONF_OPTS = \
--with-altlog \
--with-puredb
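Review bot: The PURE_FTPD_IGNORE_CVES entry is tied to the 0004 patch by its comment, but neither this hunk nor the commit message says which upstream release will carry the fix. The description only names 1.0.49 as affected, so a later version bump gives no hint that the patch and this entry should be dropped together. Suggest adding a line to the commit message noting that the fix is an unreleased upstream commit (the embedded patch is dated 23 Nov 2021), so whoever bumps the package knows to remove both.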
--
2.33.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH v2, 1/1] package/pure-ftpd: fix CVE-2021-40524
From: Peter Korsgaard @ 2021-11-28 13:37 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Bernd Kuhls, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> In Pure-FTPd 1.0.49, an incorrect max_filesize quota mechanism in the
> server allows attackers to upload files of unbounded size, which may
> lead to denial of service or a server hang. This occurs because a
> certain greater-than-zero test does not anticipate an initial -1 value.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2:
> - Add PURE_FTPD_IGNORE_CVES entry
Committed, thanks.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH v2, 1/1] package/pure-ftpd: fix CVE-2021-40524
From: Peter Korsgaard @ 2021-12-11 22:41 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Bernd Kuhls, buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> In Pure-FTPd 1.0.49, an incorrect max_filesize quota mechanism in the
> server allows attackers to upload files of unbounded size, which may
> lead to denial of service or a server hang. This occurs because a
> certain greater-than-zero test does not anticipate an initial -1 value.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2:
> - Add PURE_FTPD_IGNORE_CVES entry
Committed to 2021.02.x and 2021.08.x, thanks.
--
Bye, Peter Korsgaard