pure-ftpd 1.0.39 remote denial of service in glob_()

2015.06.18
Credit: Vasyl
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Version 1.0.40 of pure-FTPd fixes a potential denial of service issue.

From the NEWS file:

- The process handling a user session could be crashed by trying to match a file pattern longer than the maximum length for a path. This has been fixed.

Upgrading is recommended.

Upstream commit that fixes this:
https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807

References:
https://bugs.gentoo.org/show_bug.cgi?id=552254
https://bugzilla.redhat.com/1233267

Fix: src/bsd-glob.c

@@ -151,9 +151,6 @@ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int), Char *bufnext, *bufend, patbuf[PATH_MAX]; struct glob_lim limit = { 0, 0, 0 }; - if (strlen(pattern) >= PATH_MAX) { - return GLOB_NOMATCH; - } pglob->gl_maxdepth = maxdepth; pglob->gl_maxfiles = maxfiles; patnext = (unsigned char *) pattern; @@ -174,6 +171,9 @@ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int), pglob->gl_pathc >= INT_MAX - pglob->gl_offs - 1) { return GLOB_NOSPACE; } + if (strlen(pattern) >= PATH_MAX) { + return GLOB_NOMATCH; + } bufnext = patbuf; bufend = bufnext + PATH_MAX - 1; if (flags & GLOB_NOESCAPE) {
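
Review bot: the relocated `strlen(pattern) >= PATH_MAX` guard in the second hunk has no comment saying why it must stay below the `pglob->gl_maxdepth` / `pglob->gl_maxfiles` assignments and the `GLOB_NOSPACE` check. The first hunk shows that the old position returned `GLOB_NOMATCH` before those `pglob` fields were set, so the ordering is the whole fix; a one-line comment above the guard stating that it has to run after the `pglob` setup would keep a later cleanup from hoisting it back to the top of `glob_()`. A regression test that passes a pattern of `PATH_MAX` characters or more and then releases the result would pin the behaviour down.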

References:

https://bugs.gentoo.org/show_bug.cgi?id=552254
https://bugzilla.redhat.com/1233267
https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807
http://seclists.org/oss-sec/2015/q2/753

