CVE-2023-51713

Name	CVE-2023-51713
Description	make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3975-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
proftpd-dfsg (PTS)	bullseye	1.3.7a+dfsg-12+deb11u2	vulnerable
	bullseye (security)	1.3.7a+dfsg-12+deb11u5	fixed
	bookworm, bookworm (security)	1.3.8+dfsg-4+deb12u4	fixed
	trixie	1.3.8.c+dfsg-4	fixed
	forky, sid	1.3.9~dfsg-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
proftpd-dfsg	source	bullseye	1.3.7a+dfsg-12+deb11u3	DLA-3975-1
proftpd-dfsg	source	bookworm	1.3.8+dfsg-4+deb12u3
proftpd-dfsg	source	(unstable)	1.3.8.a+dfsg-1

Notes

[buster] - proftpd-dfsg <no-dsa> (Minor issue)
https://github.com/proftpd/proftpd/issues/1683
https://github.com/proftpd/proftpd/commit/1376d8ccc0966d1ce9a1c76b32c6a9ca61bbe67f (v1.3.9rc1)
https://github.com/proftpd/proftpd/commit/97bbe68363ccf2de0c07f67170ec64a8b4d62592 (v1.3.8a)