oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[CVE-2020-1939] Apache NuttX optional/example ftpd program NULL pointer bug

From: Brennan Ashton <btashton () apache org>
Date: Mon, 11 May 2020 14:28:56 -0700
CVE-2020-1939: Apache NuttX optional/example ftpd program NULL pointer
bug

Severity: Important

Vendor:
Apache NuttX (Incubating)

Versions Affected:
6.15 to 8.2 (all pre-date NuttX joining the Apache.org Incubator)

Description:
The Apache NuttX (Incubating) project provides an optional separate
"apps" repository which contains various optional components and
example programs. One of these, ftpd, had a NULL pointer dereference
bug. The NuttX RTOS itself is not affected. Users of the optional apps
repository are affected only if they have enabled ftpd.

Mitigation:
Users of affected versions should upgrade to 9.0.0 or apply the
following patch:
https://patch-diff.githubusercontent.com/raw/apache/incubator-nuttx-apps/pull/10.patch

Credit:
This issue was discovered by Jakub Botwicz of Samsung R&D Poland.

References:
https://bitbucket.org/nuttx/apps-old/issues/15/null-dereference-in-ftp-size-command
https://github.com/apache/incubator-nuttx-apps/pull/10

Regards,
Brennan Ashton
Previous By Date Next
Previous By Thread Next

Current thread: