From 6e3512a04e7731502fc72db7e2dd2cf3025c96e2 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 29 Jul 2025 14:08:32 +0800
Subject: [PATCH] Fix CVE-2024-57392
(cherry picked from commit f6588e846301257e824748d828f39d1c5df1756d)
---
 CVE-2024-57392.patch | 48 ++++++++++++++++++++++++++++++++++++++++++++
 proftpd.spec | 7 ++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-57392.patch
diff --git a/CVE-2024-57392.patch b/CVE-2024-57392.patch
new file mode 100644
index 0000000..bec9794
--- /dev/null
+++ b/CVE-2024-57392.patch
@@ -0,0 +1,48 @@
+From 981a37916fdb7b73435c6d5cdb01428b2269427d Mon Sep 17 00:00:00 2001
+From: TJ Saunders
+Date: Sun, 9 Feb 2025 12:14:25 -0800
+Subject: [PATCH] Issue #1866: Some of the fuzzing tests submitted in the
+ advisory ran into existing null pointer dereferences (not buffer overflows);
+ let's correct them. (#1867)
+
+---
+ modules/mod_ls.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/mod_ls.c b/modules/mod_ls.c
+index 5458ccc..3a9688c 100644
+--- a/modules/mod_ls.c
++++ b/modules/mod_ls.c
+@@ -2,7 +2,7 @@
+ * ProFTPD - FTP server daemon
+ * Copyright (c) 1997, 1998 Public Flood Software
+ * Copyright (c) 1999, 2000 MacGyver aka Habeeb J. Dihu
+- * Copyright (c) 2001-2022 The ProFTPD Project
++ * Copyright (c) 2001-2025 The ProFTPD Project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -360,7 +360,8 @@ static int sendline(int flags, char *fmt, ...) {
+ errno != 0) {
+ int xerrno = errno;
+
+- if (session.d != NULL) {
++ if (session.d != NULL &&
++ session.d->outstrm != NULL) {
+ xerrno = PR_NETIO_ERRNO(session.d->outstrm);
+ }
+
+@@ -1101,7 +1102,9 @@ static int outputfiles(cmd_rec *cmd) {
+ return res;
+ }
+
+- tail->down = NULL;
++ if (tail != NULL) {
++ tail->down = NULL;
++ }
+ tail = NULL;
+ colwidth = (colwidth | 7) + 1;
+ if (opt_l || !opt_C) {
+--
+2.50.1
+
diff --git a/proftpd.spec b/proftpd.spec
index 3249c53..f20eb6f 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -22,7 +22,7 @@
 Name: proftpd
 Version: 1.3.8b
-Release: 5
+Release: 6
 Summary: Flexible, stable and highly-configurable FTP server
 License: GPLv2+
 URL: http://www.proftpd.org/
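Review bot: The new patch file carries upstream's copyright-year hunk (`@@ -2,7 +2,7 @@`, 2001-2022 → 2001-2025) next to the two functional guards; that hunk is cosmetic, and since rpm applies `%patch` with fuzz 0 by default it is the part most likely to make `%patch10 -p1` fail if the 1.3.8b copy of modules/mod_ls.c carries a different year, so it could be dropped from the backport without weakening the fix. The guards themselves read correctly: `sendline` now keeps the saved `errno` when `session.d->outstrm` is NULL instead of passing a null stream to `PR_NETIO_ERRNO`, and `outputfiles` skips `tail->down = NULL` when `tail` is NULL. Both enclosing functions begin and end outside the quoted hunks, so other uses of `tail` or `session.d->outstrm` in those functions are not visible here and should be checked against the 1.3.8b source rather than assumed covered. A one-line header at the top of CVE-2024-57392.patch, e.g. `Backport of upstream 981a3791 (issue #1866, #1867) for CVE-2024-57392`, would record the provenance that is otherwise only in the spec changelog.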
@@ -47,6 +47,7 @@ Patch6: proftpd-1.3.7rc3-logging-not-systemd.patch
 Patch7: proftpd-1.3.8-fix-environment-sensitive-tests-failure.patch
 Patch8: huawei-proftpd-service-add-restart.patch
 Patch9: backport-CVE-2024-48651.patch
+Patch10: CVE-2024-57392.patch
 BuildRequires: coreutils
 BuildRequires: gcc
@@ -256,6 +257,7 @@ sed -i -e '/killall/s/test.*/systemctl reload proftpd.service/' \
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 # Avoid docfile dependencies
 chmod -c -x contrib/xferstats.holger-preiss
@@ -546,6 +548,9 @@ fi
 %{_mandir}/man1/ftpwho.1*
 %changelog
+* Tue Jul 29 2025 yaoxin <1024769339@qq.com> - 1.3.8b-6
+- Fix CVE-2024-57392
+
 * Mon Nov Dec 2024 liningjie - 1.3.8b-5
 - Type:CVE
 - ID:NA
-- Gitee