oss-sec mailing list archives

Several out of bounds reads in ProFTPD


From: Hanno Böck <hanno () hboeck de>
Date: Fri, 11 Mar 2016 17:25:15 +0100

https://blog.fuzzing-project.org/40-Several-out-of-bounds-reads-in-ProFTPD.html

The latest releases of ProFTPD, 1.3.5a and 1.3.6rc2, fix several
out-of-bounds read issues. I discovered these issues by running the test
suite with Address Sanitizer enabled.

An invalid off-by-one read can happen in the function pr_fs_dircat().
This affects both 1.3.5a and 1.3.6rc1 and earlier.
Upstream bug report: http://bugs.proftpd.org/show_bug.cgi?id=4194
Git commit / fix: https://github.com/proftpd/proftpd/commit/f99ef850a05f46c56be8deae97e59efa50575e69

An invalid off-by-one read can happen in the string handling function
pr_ascii_ftp_to_crlf(). This code is not present in the stable 1.3.5
release series and only affects 1.3.6 release candidates before rc2.
Upstream bug report: http://bugs.proftpd.org/show_bug.cgi?id=4195
Git commit / fix: https://github.com/proftpd/proftpd/pull/145

A missing null termination of a string causes an out-of-bounds memory
read in a test. This does not affect the ProFTPD code itself; it's just
an issue in the test suite.
Upstream bug report: http://bugs.proftpd.org/show_bug.cgi?id=4193
Git commit / fix: https://github.com/proftpd/proftpd/commit/d9f9d469ce1da09c7935f509797d488fa2d08697

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
