Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 199206 (CVE-2007-5769) - net-ftp/netkit-ftpd < 0.17-r7 fclose() on uninitialized streams (CVE-2007-{5769,6263})
Summary: net-ftp/netkit-ftpd < 0.17-r7 fclose() on uninitialized streams (CVE-2007-{57...
Alias: CVE-2007-5769
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Blocks: 201675
  Show dependency tree
Reported: 2007-11-15 08:19 UTC by airsupply
Modified: 2008-03-24 19:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description airsupply 2007-11-15 08:19:54 UTC
netkit-ftpd/ftp uninitialized vulnerability

[Security Advisory]

Advisory: [AD_LAB-07009] netkit-ftpd/ftp uninitialized vulnerability

Class: Design Error






A vulnerability has been discovered in netkit-ftpd/ftp.




netkit-ftpd is the Linux Netkit FTP server with optional SSL support.
netkit-ftp is the client for the ftp protocol.


	There is a uninitialized  vulnerability in function dataconn() in ftpd.c.
 	static FILE * dataconn(const char *name, off_t size, const char *mode)
 		char sizebuf[32];
 		FILE *file;  <-uninit variable.

			 if (SSL_accept(ssl_data_con)<=0) {
1459 				static char errbuf[1024];
1461 				snprintf(errbuf, sizeof(errbuf), "ftpd: SSL_accept DATA error %s\n",
1462 					    ERR_error_string(ERR_get_error(),NULL));
1463 				perror_reply(425, errbuf);
1464 				/* abort time methinks ... */
1465 				fclose(file); <-- close an uninit value.
1466 				return NULL;

Program received signal SIGSEGV, Segmentation fault.
0x6fca33fd in fclose () from /lib/
(gdb) bt
#0  0x6fca33fd in fclose () from /lib/
#1  0x0804c601 in dataconn (name=0x77add110 "/bin/ls", size=<value optimized out>, mode=0x8053f4f "w") at ftpd.c:1465
#2  0x0804d3f8 in retrieve (cmd=0x80550c7 "/bin/ls -lgA", name=0x77add110 "/bin/ls") at ftpd.c:1197
#3  0x0805193a in yyparse () at ftpcmd.y:378
) at ftpd.c:685

in order to trigger this bug, the client should use the passive mode to transfer data.
and  the SSL_accept should  failed at line ftpd.c:1458. the client broke the connection 
will cause the SSL_accept failed. 

same problem occur in netkit-ftp's getreply() too.
467     int
468     getreply(int expecteof)
469     {
520                                             (void) signal(SIGINT,oldintr);
521                                             code = 221;
522                                             return (0);
523                                     }
524                                     lostpeer(0);
525                                     fclose(cout);

Program received signal SIGSEGV, Segmentation fault.
0x6fcb73fd in fclose () from /lib/
(gdb) bt
#0  0x6fcb73fd in fclose () from /lib/
#1  0x0804fb9c in getreply (expecteof=0) at ftp.c:525
#2  0x0804fe49 in abort_remote (din=0x8099a20) at ftp.c:2117
#3  0x08052400 in recvrequest (cmd=0x80567f1 "LIST", local=0x8059400 "-", remote=0x0, lmode=0x8056b44 "w", printnames=0) at ftp.c:1288
#4  0x0804bcb5 in ls (argc=1, argv=0x80650e0) at cmds.c:1429
#5  0x08055382 in main (argc=-817625725, argv=0xc3010805) at main.c:484

Reading uninitialized variables can result in unpredictable behavior, crashes, or security holes.



    Venustech AD-LAB discovery this vuln. Thank to all Venustech AD-Lab guys.



The information in this bulletin is provided "AS IS" without warranty of any

kind. In no event shall we be liable for any damages whatsoever including direct,

indirect, incidental, consequential, loss of business profits or special damages. 

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab 



Trusted {Solution} Provider


Reproducible: Always
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-16 22:39:36 UTC
Is there a fix available somewhere?
Comment 2 Tomas Hoger 2007-11-30 13:09:50 UTC
As for ftp (client):

Fedora / RHEL packages include one patch (netkit-ftp-0.17-segv.patch) which seems to address this issue.  Patch was written by Alan Cox and is included in our ftp packages as of June 2004.


VenusTech, can you please provide more information of how to reproduce ftp client crash so we can verify whether this problem is properly addressed by this patch?  Thanks!
Comment 3 Tomas Hoger 2007-11-30 14:15:49 UTC
(In reply to comment #2)
> Fedora / RHEL packages include one patch (netkit-ftp-0.17-segv.patch) which
> seems to address this issue.  Patch was written by Alan Cox and is included in
> our ftp packages as of June 2004.

Oh well, that patch is included in ftp ebuilds and it actually seems to introduce the problem.

Following patch was added few months ago:
Comment 4 airsupply 2007-12-03 03:44:20 UTC
yep,this ftp client crash addressed by this patch.
Comment 5 airsupply 2007-12-08 00:25:59 UTC
we public the adv in fd.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-10 00:42:21 UTC
The ftpd issue was assigned CVE-2007-6263 and it is still unfixed.
The ftp issue is CVE-2007-5769 and a patch can be found in comment 3.

Rerating B3 as this is only confirmed as DoS.

base-system, can you apply the one patch and prepare a similar one for ftpd? Initializing and checking for NULL should do the trick. Thanks.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-01-06 00:19:30 UTC
(In reply to comment #6)
> The ftpd issue was assigned CVE-2007-6263 and it is still unfixed.

Patch is here:

Base-system, please bump.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-01-09 10:44:02 UTC
base-system, are there plans on fixing these two issues?

If not, we'll have a look.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-01-10 23:52:18 UTC
*netkit-ftpd-0.17-r7 (10 Jan 2008)

  10 Jan 2008; Robert Buchholz <>
  -netkit-ftpd-0.17-r6.ebuild, +netkit-ftpd-0.17-r7.ebuild:
  Security: Fix a double-fclose vulnerability in the dataconn function
  (CVE-2007-6263, #199206)

*ftp-0.17-r7 (10 Jan 2008)

  10 Jan 2008; Robert Buchholz <>
  +files/netkit-ftp-0.17-sigseg.patch, +ftp-0.17-r7.ebuild:
  Security: Fix a double-fclose() vulnerability in the getreply function
  (CVE-2007-5769, #199206)
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-01-10 23:56:41 UTC
Arches, please test and mark stable net-ftp/netkit-ftpd-0.17-r7.
Target keywords : "alpha amd64 arm ia64 ppc s390 sh sparc x86"

The issue in ftp (not ftpd) is not considered to be a security vulnerability, as it only allows to crash a client program. It is fixed in net-ftp/ftp-0.17-r7, arches are free to stable that version as they prefer.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2008-01-11 00:59:20 UTC
ppc and ~ppc64
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2008-01-11 07:55:13 UTC
* Applying netkit-ftpd-0.17-fclose-CVE-2007-6263.patch ...

 * Failed Patch: netkit-ftpd-0.17-fclose-CVE-2007-6263.patch !
 *  ( /usr/portage/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-fclose-CVE-2007-6263.patch )

If USE=ssl is NOT set.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-01-11 11:26:46 UTC
Sorry, my fault.

I fixed that in-place and dropped ppc. Brent, please keyword again.
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2008-01-11 12:42:14 UTC
x86 stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2008-01-11 13:57:44 UTC
Nothing to do here!?
Comment 16 Brent Baude (RETIRED) gentoo-dev 2008-01-11 14:38:26 UTC
Comment 17 Peter Weller (RETIRED) gentoo-dev 2008-01-11 17:42:17 UTC
amd64 done.
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2008-01-14 19:41:31 UTC
alpha/ia64/sparc stable

mips doesn't have it keyworded
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 15:19:14 UTC
GLSA vote. I'm in for a YES.
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-15 20:10:39 UTC
I tend to vote YES.
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2008-01-27 19:17:53 UTC
Since no one voted NO, this is a yes then :-)
Comment 23 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 19:51:57 UTC
GLSA 200801-17