Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 726308 (CVE-2020-14149) - <net-ftp/uftpd-2.12: Invalid directory with CWD allows denial of service (CVE-2020-14149)
Summary: <net-ftp/uftpd-2.12: Invalid directory with CWD allows denial of service (CVE...
Status: RESOLVED FIXED
Alias: CVE-2020-14149
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/troglobit/uftpd/is...
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-30 14:24 UTC by Sam James
Modified: 2020-06-15 18:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-05-30 14:24:05 UTC
Description:
"When entering an invalid directory with the FTP command CWD,
a NULL ptr was deref. in a DBG() message even though the log level is
set to a value lower than LOG_DEBUG. This caused uftpd to crash
and cause denial of service. Depending on the init/inetd system used
this could be permanent."
Comment 1 OzTiram 2020-05-31 04:21:53 UTC
This is fixed in PR:
https://github.com/gentoo/gentoo/pull/16013
Comment 2 Larry the Git Cow gentoo-dev 2020-06-04 08:14:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2854cf0711cd2100c28f9c99ba400387620232dd

commit 2854cf0711cd2100c28f9c99ba400387620232dd
Author:     Oz Tiram <oz.tiram@gmail.com>
AuthorDate: 2020-05-30 15:40:24 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-06-04 07:59:58 +0000

    net-ftp/uftpd: drop old version
    
    Bug: https://bugs.gentoo.org/726308
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Oz Tiram <oz.tiram@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/16013
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-ftp/uftpd/Manifest          |  1 -
 net-ftp/uftpd/uftpd-2.11.ebuild | 22 ----------------------
 2 files changed, 23 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03a717502ca1088472637a0412d3fa32ae2566ae

commit 03a717502ca1088472637a0412d3fa32ae2566ae
Author:     Oz Tiram <oz.tiram@gmail.com>
AuthorDate: 2020-05-30 13:55:19 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-06-04 07:59:58 +0000

    net-ftp/uftpd: bump version to 2.12
    
    Bug: https://bugs.gentoo.org/726308
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Oz Tiram <oz.tiram@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-ftp/uftpd/Manifest          |  1 +
 net-ftp/uftpd/uftpd-2.12.ebuild | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2020-06-04 09:56:38 UTC
All done. Thank you!