"An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c." Affected versions: 1.0.49, unclear if others affected. Patch: https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
Second vulnerability (CVE-2020-9365): MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9365 Description: "An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c." Same affected versions as above. Patch: https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b58e
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4501b5f9f001794ca87849f240d4af149b6f1b15 commit 4501b5f9f001794ca87849f240d4af149b6f1b15 Author: Lars Wendler <polynomial-c@gentoo.org> AuthorDate: 2020-03-02 13:59:31 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2020-03-02 13:59:46 +0000 net-ftp/pure-ftpd: Security revbump for CVE-2020-9365 Bug: https://bugs.gentoo.org/711124 Package-Manager: Portage-2.3.91, Repoman-2.3.20 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> ...d-1.0.49-diraliases_uninitialized_pointer.patch | 31 +++++ .../pure-ftpd-1.0.49-pure_strcmp_OOB_read.patch | 27 ++++ net-ftp/pure-ftpd/pure-ftpd-1.0.49-r2.ebuild | 152 +++++++++++++++++++++ 3 files changed, 210 insertions(+)
x86 stable
amd64 stable
sparc stable
arm stable
ppc stable
ppc64 stable
ia64 stable
@maintainer(s): ok to cleanup?
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21b5c196ee853f0900754eab49fee2906747f567 commit 21b5c196ee853f0900754eab49fee2906747f567 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2020-03-25 18:43:39 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-03-25 18:44:01 +0000 net-ftp/pure-ftpd: security cleanup (bug #711124) Bug: https://bugs.gentoo.org/711124 Package-Manager: Portage-2.3.94, Repoman-2.3.21 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> net-ftp/pure-ftpd/Manifest | 1 - .../files/pure-ftpd-1.0.47-MAX_DATA_SIZE.patch | 22 --- .../pure-ftpd/files/pure-ftpd-1.0.47-TLSv1.3.patch | 46 ------- .../files/pure-ftpd-1.0.47-disable-TLSv1.1.patch | 22 --- .../files/pure-ftpd-1.0.47-disable-TLSv1.3.patch | 21 --- net-ftp/pure-ftpd/metadata.xml | 1 - net-ftp/pure-ftpd/pure-ftpd-1.0.47-r4.ebuild | 144 -------------------- net-ftp/pure-ftpd/pure-ftpd-1.0.49-r1.ebuild | 148 --------------------- 8 files changed, 405 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-54 at https://security.gentoo.org/glsa/202003-54 by GLSA coordinator Thomas Deutschmann (whissi).