Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711124 (CVE-2020-9274, CVE-2020-9365) - <net-ftp/pure-ftpd-1.0.49-r2: Multiple vulnerabilities (CVE-2020-{9274,9365})
Summary: <net-ftp/pure-ftpd-1.0.49-r2: Multiple vulnerabilities (CVE-2020-{9274,9365})
Status: RESOLVED FIXED
Alias: CVE-2020-9274, CVE-2020-9365
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-01 01:12 UTC by Sam James
Modified: 2020-03-25 19:01 UTC (History)
1 user (show)

See Also:
Package list:
net-ftp/pure-ftpd-1.0.49-r2
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 01:12:58 UTC
"An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c."

Affected versions: 1.0.49, unclear if others affected.

Patch: https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 01:45:05 UTC
Second vulnerability (CVE-2020-9365):
MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9365

Description:
"An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c."

Same affected versions as above.

Patch: https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b58e
Comment 2 Larry the Git Cow gentoo-dev 2020-03-02 13:59:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4501b5f9f001794ca87849f240d4af149b6f1b15

commit 4501b5f9f001794ca87849f240d4af149b6f1b15
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-03-02 13:59:31 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-03-02 13:59:46 +0000

    net-ftp/pure-ftpd: Security revbump for CVE-2020-9365
    
    Bug: https://bugs.gentoo.org/711124
    Package-Manager: Portage-2.3.91, Repoman-2.3.20
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 ...d-1.0.49-diraliases_uninitialized_pointer.patch |  31 +++++
 .../pure-ftpd-1.0.49-pure_strcmp_OOB_read.patch    |  27 ++++
 net-ftp/pure-ftpd/pure-ftpd-1.0.49-r2.ebuild       | 152 +++++++++++++++++++++
 3 files changed, 210 insertions(+)
Comment 3 Thomas Deutschmann gentoo-dev 2020-03-09 14:16:10 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-03-10 08:40:58 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-10 08:52:32 UTC
sparc stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-10 08:53:12 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-10 08:55:31 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-10 08:56:30 UTC
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-14 22:20:27 UTC
ia64 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-14 22:29:12 UTC
@maintainer(s): ok to cleanup?
Comment 11 Larry the Git Cow gentoo-dev 2020-03-25 18:44:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21b5c196ee853f0900754eab49fee2906747f567

commit 21b5c196ee853f0900754eab49fee2906747f567
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-25 18:43:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-25 18:44:01 +0000

    net-ftp/pure-ftpd: security cleanup (bug #711124)
    
    Bug: https://bugs.gentoo.org/711124
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-ftp/pure-ftpd/Manifest                         |   1 -
 .../files/pure-ftpd-1.0.47-MAX_DATA_SIZE.patch     |  22 ---
 .../pure-ftpd/files/pure-ftpd-1.0.47-TLSv1.3.patch |  46 -------
 .../files/pure-ftpd-1.0.47-disable-TLSv1.1.patch   |  22 ---
 .../files/pure-ftpd-1.0.47-disable-TLSv1.3.patch   |  21 ---
 net-ftp/pure-ftpd/metadata.xml                     |   1 -
 net-ftp/pure-ftpd/pure-ftpd-1.0.47-r4.ebuild       | 144 --------------------
 net-ftp/pure-ftpd/pure-ftpd-1.0.49-r1.ebuild       | 148 ---------------------
 8 files changed, 405 deletions(-)
Comment 12 Thomas Deutschmann gentoo-dev 2020-03-25 18:47:33 UTC
New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-03-25 19:01:09 UTC
This issue was resolved and addressed in
 GLSA 202003-54 at https://security.gentoo.org/glsa/202003-54
by GLSA coordinator Thomas Deutschmann (whissi).