Message ID | 20250507125553.1421417-1-vanusuri@mvista.com |
---|---|
State | New |
Series | [meta-networking,scarthgap] proftpd: Fix CVE-2024-57392 |
Hi Team, Any update on this ? Thanks & Regards, Vijay On Wed, May 7, 2025 at 6:26 PM <vanusuri@mvista.com> wrote: > From: Vijay Anusuri <vanusuri@mvista.com> > > Upstream-Status: Backport from > https://github.com/proftpd/proftpd/commit/981a37916fdb7b73435c6d5cdb01428b2269427d > > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > --- > .../proftpd/files/CVE-2024-57392.patch | 42 +++++++++++++++++++ > .../recipes-daemons/proftpd/proftpd_1.3.7c.bb | 1 + > 2 files changed, 43 insertions(+) > create mode 100644 > meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch > > diff --git > a/meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch > b/meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch > new file mode 100644 > index 0000000000..0b50175a55 > --- /dev/null > +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch 
> @@ -0,0 +1,42 @@ > +From 981a37916fdb7b73435c6d5cdb01428b2269427d Mon Sep 17 00:00:00 2001 > +From: TJ Saunders <tj@castaglia.org> > +Date: Sun, 9 Feb 2025 12:14:25 -0800 > +Subject: [PATCH] Issue #1866: Some of the fuzzing tests submitted in the > + advisory ran into existing null pointer dereferences (not buffer > overflows); > + let's correct them. (#1867) > + > +Upstream-Status: Backport [ > https://github.com/proftpd/proftpd/commit/981a37916fdb7b73435c6d5cdb01428b2269427d > ] > +CVE: CVE-2024-57392 > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> > +--- > + modules/mod_ls.c | 7 +++++-- > + 1 file changed, 5 insertions(+), 2 deletions(-) > + > +diff --git a/modules/mod_ls.c b/modules/mod_ls.c > +index 45a3187bd..f7abfe540 100644 > +--- a/modules/mod_ls.c > ++++ b/modules/mod_ls.c > +@@ -349,7 +349,8 @@ static int sendline(int flags, char *fmt, ...) { > + errno != 0) { > + int xerrno = errno; > + > +- if (session.d != NULL) { > ++ if (session.d != NULL && > ++ session.d->outstrm != NULL) { > + xerrno = PR_NETIO_ERRNO(session.d->outstrm); > + } > + > +@@ -1039,7 +1040,9 @@ static int outputfiles(cmd_rec *cmd) { > + return res; > + } > + > +- tail->down = NULL; > ++ if (tail != NULL) { > ++ tail->down = NULL; > ++ } > + tail = NULL; > + colwidth = (colwidth | 7) + 1; > + if (opt_l || !opt_C) { > +-- > +2.25.1 > + > diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb > b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb > index ecd2777247..b45cb6aaec 100644 > --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb > +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb > @@ -15,6 +15,7 @@ SRC_URI = "git:// > github.com/proftpd/proftpd.git;branch=${BRANCH};protocol=https > <http://github.com/proftpd/proftpd.git;branch=$%7BBRANCH%7D;protocol=https> > file://contrib.patch \ > file://build_fixup.patch \ > file://proftpd.service \ > + file://CVE-2024-57392.patch \ > " > > S = "${WORKDIR}/git" > -- > 2.25.1 > >
On Tue, May 20, 2025 at 11:39 PM Vijay Anusuri <vanusuri@mvista.com> wrote: > > Hi Team, > > Any update on this ? > Always check Armin's stable/<branch>-nut, e.g. https://git.openembedded.org/meta-openembedded-contrib/log/?h=stable/scarthgap-nut I don't see this patch there yet for scarthgap-nut, so perhaps Armin will add it soon. > Thanks & Regards, > Vijay > > On Wed, May 7, 2025 at 6:26 PM <vanusuri@mvista.com> wrote: >> >> From: Vijay Anusuri <vanusuri@mvista.com> >> >> Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/981a37916fdb7b73435c6d5cdb01428b2269427d >> >> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> >> --- >> .../proftpd/files/CVE-2024-57392.patch | 42 +++++++++++++++++++ >> .../recipes-daemons/proftpd/proftpd_1.3.7c.bb | 1 + >> 2 files changed, 43 insertions(+) >> create mode 100644 meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch >> >> diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch >> new file mode 100644 >> index 0000000000..0b50175a55 >> --- /dev/null >> +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch 
>> @@ -0,0 +1,42 @@ >> +From 981a37916fdb7b73435c6d5cdb01428b2269427d Mon Sep 17 00:00:00 2001 >> +From: TJ Saunders <tj@castaglia.org> >> +Date: Sun, 9 Feb 2025 12:14:25 -0800 >> +Subject: [PATCH] Issue #1866: Some of the fuzzing tests submitted in the >> + advisory ran into existing null pointer dereferences (not buffer overflows); >> + let's correct them. (#1867) >> + >> +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/981a37916fdb7b73435c6d5cdb01428b2269427d] >> +CVE: CVE-2024-57392 >> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> >> +--- >> + modules/mod_ls.c | 7 +++++-- >> + 1 file changed, 5 insertions(+), 2 deletions(-) >> + >> +diff --git a/modules/mod_ls.c b/modules/mod_ls.c >> +index 45a3187bd..f7abfe540 100644 >> +--- a/modules/mod_ls.c >> ++++ b/modules/mod_ls.c >> +@@ -349,7 +349,8 @@ static int sendline(int flags, char *fmt, ...) { >> + errno != 0) { >> + int xerrno = errno; >> + >> +- if (session.d != NULL) { >> ++ if (session.d != NULL && >> ++ session.d->outstrm != NULL) { >> + xerrno = PR_NETIO_ERRNO(session.d->outstrm); >> + } >> + >> +@@ -1039,7 +1040,9 @@ static int outputfiles(cmd_rec *cmd) { >> + return res; >> + } >> + >> +- tail->down = NULL; >> ++ if (tail != NULL) { >> ++ tail->down = NULL; >> ++ } >> + tail = NULL; >> + colwidth = (colwidth | 7) + 1; >> + if (opt_l || !opt_C) { >> +-- >> +2.25.1 >> + >> diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb >> index ecd2777247..b45cb6aaec 100644 >> --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb >> +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb >> @@ -15,6 +15,7 @@ SRC_URI = "git://github.com/proftpd/proftpd.git;branch=${BRANCH};protocol=https >> file://contrib.patch \ >> file://build_fixup.patch \ >> file://proftpd.service \ >> + file://CVE-2024-57392.patch \ >> " >> >> S = "${WORKDIR}/git" >> -- >> 2.25.1 >>
diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch new file mode 100644 index 0000000000..0b50175a55 --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2024-57392.patch @@ -0,0 +1,42 @@ +From 981a37916fdb7b73435c6d5cdb01428b2269427d Mon Sep 17 00:00:00 2001 +From: TJ Saunders <tj@castaglia.org> +Date: Sun, 9 Feb 2025 12:14:25 -0800 +Subject: [PATCH] Issue #1866: Some of the fuzzing tests submitted in the + advisory ran into existing null pointer dereferences (not buffer overflows); + let's correct them. (#1867) + +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/981a37916fdb7b73435c6d5cdb01428b2269427d] +CVE: CVE-2024-57392 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + modules/mod_ls.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/modules/mod_ls.c b/modules/mod_ls.c +index 45a3187bd..f7abfe540 100644 +--- a/modules/mod_ls.c ++++ b/modules/mod_ls.c +@@ -349,7 +349,8 @@ static int sendline(int flags, char *fmt, ...) { + errno != 0) { + int xerrno = errno; + +- if (session.d != NULL) { ++ if (session.d != NULL && ++ session.d->outstrm != NULL) { + xerrno = PR_NETIO_ERRNO(session.d->outstrm); + } + +@@ -1039,7 +1040,9 @@ static int outputfiles(cmd_rec *cmd) { + return res; + } + +- tail->down = NULL; ++ if (tail != NULL) { ++ tail->down = NULL; ++ } + tail = NULL; + colwidth = (colwidth | 7) + 1; + if (opt_l || !opt_C) { +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb index ecd2777247..b45cb6aaec 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.7c.bb 
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/proftpd/proftpd.git;branch=${BRANCH};protocol=https file://contrib.patch \ file://build_fixup.patch \ file://proftpd.service \ + file://CVE-2024-57392.patch \ " S = "${WORKDIR}/git"
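Review bot: in the `sendline()` hunk of modules/mod_ls.c, the new condition leaves `xerrno` at the plain `errno` value whenever `session.d` is set but `session.d->outstrm` is NULL, and nothing in the code says that this fallback is intended. A one-line comment above the `if` noting that the data connection may have no output stream at this point, and that `errno` is used in that case, would keep a later cleanup from collapsing the check back to `session.d != NULL`.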
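Review bot: in the `outputfiles()` hunk of modules/mod_ls.c, guarding only the store `tail->down = NULL;` avoids the crash but lets the function carry on with a list that was never populated: the visible context goes straight on to `colwidth = (colwidth | 7) + 1;` and the `if (opt_l || !opt_C)` branch. Please confirm that the code after this point copes with an empty list, and if it does, say so in a comment; otherwise an early return when `tail` is NULL would be the safer shape for this fix.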
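Review bot: in the proftpd_1.3.7c.bb hunk, the new `file://CVE-2024-57392.patch` entry pulls in a patch whose hunk offsets (`@@ -349,7 +349,8 @@` and `@@ -1039,7 +1040,9 @@`) and blob ids (`index 45a3187bd..f7abfe540`) are those of the upstream commit, not of the 1.3.7c sources this recipe builds. Please state in the submission that both mod_ls.c hunks apply to 1.3.7c without fuzz or offset, or refresh the patch against the 1.3.7c tree so that the context matches the code actually being built.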