pure-ftpd 1.0.39 remote denial of service in glob_()

2015.06.18

Credit: Vasyl

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Version 1.0.40 of pure-FTPd fixes a potential denial of service issue.
From the NEWS file:
- The process handling a user session could be crashed by trying to
match a file pattern longer than the maximum length for a path. This
has been fixed. Upgrading is recommended.
Upstream commit that fixes this:
https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807
References:
https://bugs.gentoo.org/show_bug.cgi?id=552254
https://bugzilla.redhat.com/1233267
Fix:
src/bsd-glob.c
@@ -151,9 +151,6 @@ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int),
Char *bufnext, *bufend, patbuf[PATH_MAX];
struct glob_lim limit = { 0, 0, 0 };
- if (strlen(pattern) >= PATH_MAX) {
- return GLOB_NOMATCH;
- }
pglob->gl_maxdepth = maxdepth;
pglob->gl_maxfiles = maxfiles;
patnext = (unsigned char *) pattern;
@@ -174,6 +171,9 @@ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int),
pglob->gl_pathc >= INT_MAX - pglob->gl_offs - 1) {
return GLOB_NOSPACE;
}
+ if (strlen(pattern) >= PATH_MAX) {
+ return GLOB_NOMATCH;
+ }
bufnext = patbuf;
bufend = bufnext + PATH_MAX - 1;
if (flags & GLOB_NOESCAPE) {

References:

https://bugs.gentoo.org/show_bug.cgi?id=552254

https://bugzilla.redhat.com/1233267

https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807

http://seclists.org/oss-sec/2015/q2/753

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}