Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 45738 - oftpd DoS vulnerability
Summary: oftpd DoS vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Keywords: SECURITY
Depends on:
Reported: 2004-03-25 13:16 UTC by Shane Kerr
Modified: 2004-10-30 22:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---
klieber: Pending-


Note You need to log in before you can comment on or make changes to this bug.
Description Shane Kerr 2004-03-25 13:16:17 UTC
Bogus command can take server off-line.

Reproducible: Always
Steps to Reproduce:
1.telnet to on port 21a nd type "port 300" and return.

Actual Results:  
FTP service goes off-line.

Expected Results:  
Not go off-line?  Hm.
Comment 1 solar (RETIRED) gentoo-dev 2004-03-25 16:53:06 UTC
Quote from URL above.
I received the following e-mail.  I was travelling at the time, but put together a patch on the flight home.  It took me a couple of weeks to release it, partially due to travel and partially due to laziness.

Shane Kerr

Date: Thu, 04 Mar 2004 22:48:49 +0100
From: Philippe Oechslin <>
Subject: DoS vulnerability in oftpd

Hello Shane,

We have found a simple denial of service vulnerability in your oftpd FTP
server (v 0.3.6).


When the server receives a port command with a number that is higher than
255 the server crashes and has to be restarted manually. The port command
can even be given before the user has given a username and a password. 

Denial of service. An ftp server can be taken offline with a simple telnet


telnet to on port 21 and type "port 300" and return. The
server crashes.

Tested on:

- oftpd server 0.3.6 on Suse Linux 8.2

Discovered by: Andreas Rueegg and Philippe Oechslin of the Security Bug
Catcher project ( The security bug
catcher is a tool to automatically find vulnerabilities. We are currently
running tests on scores of FTP servers and notifying vendors when we find


Version bumped in portage to 0.3.7

KEYWORDS="~x86 ~sparc ~ppc ~ppc64"

epm -q -l oftpd

Please test.
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2004-03-25 17:20:10 UTC
manson has not been a dev for quite a while, we need to get his email addy changed
Comment 3 Seemant Kulleen (RETIRED) gentoo-dev 2004-03-25 17:20:39 UTC
adding others who might want to take (temporary) ownership of this package
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2004-03-25 18:43:58 UTC
I'll take it temporarily... I'll verify the fix and modify the init script which is saying to set stuff in rc.conf which should be in /etc/conf.d ...
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2004-03-25 19:04:13 UTC
ok.  I fixed up the conf/init scripts a bit and marked the security fix stable in x86.
Comment 6 Jeremy Huddleston (RETIRED) gentoo-dev 2004-03-25 19:46:26 UTC
this fix needs testing on sparc, ppc, and ppc64.  Please test out on your arches.  does ppc64 have its own address or is it part of ppc?

Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-03-25 21:14:08 UTC
Stable on sparc.
Comment 8 Jeremy Huddleston (RETIRED) gentoo-dev 2004-03-26 20:42:42 UTC
ppc guys, please test this out ASAP so we can release teh GLSA.
Comment 9 Luca Barbato gentoo-dev 2004-03-27 15:28:19 UTC
Marked ppc
Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev 2004-03-28 16:52:48 UTC
Ok, then this is ready for a GLSA...
Comment 11 Kurt Lieber (RETIRED) gentoo-dev 2004-03-29 07:25:45 UTC
GLSA 200403-08