Hilmar Preuße · Hilmar Preuße · Hilmar Preuße · 73f5d48f · 73f5d48f · 73f5d48f
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,10 @@
  where `N' is the issue number.
 -----------------------------------------------------------------------------

+1.3.6b - Released 19-Oct-2019
+--------------------------------
+- Issue 846 - Remote denial-of-service due to issue in network IO handling.
+
 1.3.6a - Released 12-Oct-2019
 --------------------------------
 - Bug 4304 - Configure script wrongly detects AIX lastlog functions.

--- a/RELEASE_NOTES
+++ b/RELEASE_NOTES
@@ -6,6 +6,11 @@ This file contains a description of the major changes to ProFTPD for the
 releases.  More information on these changes can be found in the NEWS and
 ChangeLog files.

+1.3.6b
+---------
+  + Fixed pre-authentication remote denial-of-service issue (Issue #846).
+  + Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824).
+
 1.3.6a
 ---------
  + Fixed symlink navigation (Bug#4332).

--- a/contrib/dist/rpm/proftpd.spec
+++ b/contrib/dist/rpm/proftpd.spec
@@ -60,7 +60,7 @@

 # release_version should be incremented for each maint release, and reset back
 # to 1 BEFORE starting new release cycle.
-%global release_version			2
+%global release_version			3

 %if %(echo %{proftpd_version} | grep rc >/dev/null 2>&1 && echo 1 || echo 0)
 %global rpm_version %(echo %{proftpd_version} | sed -e 's/rc.*//')

--- a/contrib/mod_sql_mysql.c
+++ b/contrib/mod_sql_mysql.c
@@ -132,6 +132,7 @@
 #include "../contrib/mod_sql.h"

 #include <mysql.h>
+#include <stdbool.h>

 /* The my_make_scrambled_password{,_323} functions are not part of the public
 * MySQL API and are not declared in any of the MySQL header files. But the
@@ -496,7 +497,11 @@ MODRET cmd_open(cmd_rec *cmd) {
   *  http://dev.mysql.com/doc/refman/5.0/en/auto-reconnect.html
   */
  if (!(pr_sql_opts & SQL_OPT_NO_RECONNECT)) {
+#if MYSQL_VERSION_ID >= 80000
+    bool reconnect = true;
+#else
    my_bool reconnect = TRUE;
+#endif
    mysql_options(conn->mysql, MYSQL_OPT_RECONNECT, &reconnect);
  }
 #endif

--- a/debian/changelog
+++ b/debian/changelog
+proftpd-dfsg (1.3.6b-1) UNRELEASED; urgency=medium
+
+  * New upstream release.
+    Obsoletes patch issue_846_CVE-2019-18217.diff.
+
+ -- Hilmar Preusse <hille42@web.de>  Mon, 04 Nov 2019 21:51:09 +0100
+
 proftpd-dfsg (1.3.6a-2) unstable; urgency=high

  * Add patch for upstream bug #846 (CVE-2019-18217).

--- a/debian/control
+++ b/debian/control
@@ -42,7 +42,7 @@ Depends: adduser,
 Conflicts: ftp-server
 Breaks: proftpd (<< 1.3.2)
 Replaces: proftpd (<< 1.3.2)
-Provides: ftp-server, proftpd, proftpd-abi-1.3.6a
+Provides: ftp-server, proftpd, proftpd-abi-1.3.6b
 Suggests: openbsd-inetd | inet-superserver,
          openssl,
          proftpd-mod-ldap,

--- a/debian/patches/mod_sql_mysql.c
+++ b/debian/patches/mod_sql_mysql.c
-Description: Use mysql/mysql.h instead of mysql.h
-Author: Francesco Paolo Lovergine <frankie@debian.org>
-Forwarded: not needed
-
-Index: proftpd-dfsg/contrib/mod_sql_mysql.c
-===================================================================
--- proftpd-dfsg.orig/contrib/mod_sql_mysql.c	2018-01-14 23:18:00.000000000 +0100
-+++ proftpd-dfsg/contrib/mod_sql_mysql.c	2018-01-14 23:18:00.000000000 +0100
+--- proftpd-dfsg-1.3.6b.orig/contrib/mod_sql_mysql.c
+++ proftpd-dfsg-1.3.6b/contrib/mod_sql_mysql.c
 @@ -131,7 +131,7 @@
 #include "conf.h"
 #include "../contrib/mod_sql.h"
 
 -#include <mysql.h>
 +#include <mysql/mysql.h>
+ #include <stdbool.h>
 
 /* The my_make_scrambled_password{,_323} functions are not part of the public
-  * MySQL API and are not declared in any of the MySQL header files. But the
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,4 +19,4 @@ wrong-path-for-interpreter_perl.diff
 # github_pr_594
 # upstream_pull_567
 # upstream_4372_CVE-2019-12815.diff
-issue_846_CVE-2019-18217.diff
+# issue_846_CVE-2019-18217.diff
--- a/debian/proftpd-substvars
+++ b/debian/proftpd-substvars
-proftpd:Depends=proftpd-abi-1.3.6a 
+proftpd:Depends=proftpd-abi-1.3.6b 
--- a/include/version.h
+++ b/include/version.h
 #include "buildstamp.h"

 /* Application version (in various forms) */
-#define PROFTPD_VERSION_NUMBER		0x0001030606
-#define PROFTPD_VERSION_TEXT		"1.3.6a"
+#define PROFTPD_VERSION_NUMBER		0x0001030607
+#define PROFTPD_VERSION_TEXT		"1.3.6b"

 /* Module API version */
 #define PR_MODULE_API_VERSION		0x20

--- a/src/main.c
+++ b/src/main.c
@@ -462,6 +462,7 @@ int pr_cmd_read(cmd_rec **res) {
  static long cmd_bufsz = -1;
  static char *cmd_buf = NULL;
  int cmd_buflen;
+  unsigned int too_large_count = 0;
  char *ptr;

  if (res == NULL) {
@@ -487,8 +488,15 @@ int pr_cmd_read(cmd_rec **res) {
    if (cmd_buflen < 0) {
      if (errno == E2BIG) {
        /* The client sent a too-long command which was ignored; give
-         * them another chance?
+         * them a few more chances, with minor delays?
         */
+        too_large_count++;
+        pr_timer_usleep(250 * 1000);
+
+        if (too_large_count > 3) {
+          return -1;
+        }
+
        continue;
      }


--- a/src/netio.c
+++ b/src/netio.c
 /*
 * ProFTPD - FTP server daemon
- * Copyright (c) 2001-2016 The ProFTPD Project team
+ * Copyright (c) 2001-2019 The ProFTPD Project team
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -1446,6 +1446,7 @@ int pr_netio_read(pr_netio_stream_t *nstrm, char *buf, size_t buflen,
      }

      nstrm->strm_errno = 0;
+      errno = EOF;
      break;
    }