oss-sec mailing list archives
Re: CVE request: pure-ftpd denial of service in glob_()
From: Vasyl Kaigorodov <vkaigoro () redhat com>
Date: Thu, 9 Jul 2015 10:31:13 +0200
On Thu, 18 Jun 2015, cve-assign () mitre org wrote:
https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807Can you clarify the security impact? We have not looked into the code paths or the overall product design. Is this a process that is specific to one FTP client? Is the problem that the gl_errfunc assignment doesn't occur and there is always a dereference of a NULL function pointer? Is there a commonly relevant consequence other than the ability of an FTP client to conduct a DoS attack against its own session?
As per [1]: It won't crash the whole service, only the user session. It is not going to block and dump a core file either, except if compiled in DEBUG mode. It appears that there's no security impact here, please disregard this CVE request. [1]: https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807#commitcomment-11764342 -- Vasyl Kaigorodov | Red Hat Product Security PGP: 0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
Attachment:
_bin
Description:
Current thread:
- Re: CVE request: pure-ftpd denial of service in glob_() Vasyl Kaigorodov (Jul 09)