pure-ftpd 1.0.39 remote denial of service in glob_()

2015.06.18

Credit: Vasyl

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Version 1.0.40 of pure-FTPd fixes a potential denial of service issue.

From the NEWS file:

 - The process handling a user session could be crashed by trying to
 match a file pattern longer than the maximum length for a path. This
 has been fixed. Upgrading is recommended.

Upstream commit that fixes this:
https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807

References:
https://bugs.gentoo.org/show_bug.cgi?id=552254
https://bugzilla.redhat.com/1233267

Fix:
 src/bsd-glob.c
@@ -151,9 +151,6 @@ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int),
     Char *bufnext, *bufend, patbuf[PATH_MAX];
     struct glob_lim limit = { 0, 0, 0 };
 
-    if (strlen(pattern) >= PATH_MAX) {
-        return GLOB_NOMATCH;
-    }
     pglob->gl_maxdepth = maxdepth;
     pglob->gl_maxfiles = maxfiles;
     patnext = (unsigned char *) pattern;
@@ -174,6 +171,9 @@ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int),
         pglob->gl_pathc >= INT_MAX - pglob->gl_offs - 1) {
         return GLOB_NOSPACE;
     }
+    if (strlen(pattern) >= PATH_MAX) {
+        return GLOB_NOMATCH;
+    }    
     bufnext = patbuf;
     bufend = bufnext + PATH_MAX - 1;
     if (flags & GLOB_NOESCAPE) {

References:

https://bugs.gentoo.org/show_bug.cgi?id=552254

https://bugzilla.redhat.com/1233267

https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807

http://seclists.org/oss-sec/2015/q2/753

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}