An uninitialized pointer vulnerability has been detected in PureFTPd which results in out-of-bounds (OOB) reads. It could also allow an attacker to trigger a Denial of Service against PureFTPd.
Development version - master branch (Feb 7, 2020)
A vulnerability has been detected in the way PureFTPd processes its
The source of the problem comes from the init_aliases function in diraliases.c. See the code. In this function, the next member of the last item in the linked list is not set to
As a result, when the lookup_alias(const char *alias) or print_aliases(void) functions are called, they fail to correctly detect the end of the linked list and try to access a non-existent list member.
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./configure --without-privsep --with-diraliases
setrlimit(RLIMIT_DATA) to be able to use ASAN with PureFTPd (ASAN takes a lot of virtual memory). See the code.
This issue may lead to an OOB read and post-auth DoS.
tail->next = NULL for the last item of the linked list. Patch information can be found here: https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
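A minimal model of the flaw and of the fix described above, as an added example and not PureFTPd's own code. The Alias struct, alloc_dirty, build_aliases and list_is_terminated are hypothetical names, and the 0xAA fill is a constructed stand-in for recycled heap memory returned by malloc().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of an alias list; not PureFTPd's own structures. */
typedef struct Alias { const char *alias, *dir; struct Alias *next; } Alias;

/* Constructed stand-in for malloc() handing back recycled heap memory:
 * every byte of the node, including next, starts out non-zero. */
static Alias *alloc_dirty(void) {
    Alias *a = malloc(sizeof *a);
    if (a == NULL) abort();
    memset(a, 0xAA, sizeof *a);
    return a;
}

/* Append n entries. terminate=0 leaves the last node's next untouched,
 * as in the flaw; terminate=1 applies the fix. */
Alias *build_aliases(const char **names, const char **dirs, size_t n, int terminate) {
    Alias *head = NULL, *tail = NULL;
    for (size_t i = 0; i < n; i++) {
        Alias *cur = alloc_dirty();
        cur->alias = names[i];
        cur->dir = dirs[i];
        if (head == NULL) head = cur; else tail->next = cur;
        tail = cur;
    }
    if (terminate && tail != NULL) tail->next = NULL; /* the fix */
    return head;
}

/* Walk exactly n nodes, never past them, and report whether the last ends the list. */
int list_is_terminated(const Alias *head, size_t n) {
    if (n == 0) return head == NULL;
    while (--n > 0) head = head->next;
    return head->next == NULL;
}

/* Relies on the NULL terminator, so it is only safe on a terminated list. */
const char *lookup_alias(const Alias *head, const char *alias) {
    for (; head != NULL; head = head->next)
        if (strcmp(head->alias, alias) == 0) return head->dir;
    return NULL;
}

int main(void) {
    const char *names[] = {"pub", "src"}, *dirs[] = {"/srv/pub", "/srv/src"};
    printf("unfixed: %d\n", list_is_terminated(build_aliases(names, dirs, 2, 0), 2));
    printf("fixed:   %d\n", list_is_terminated(build_aliases(names, dirs, 2, 1), 2));
    return 0;
}
```

lookup_alias is deliberately called only on the terminated list; on the unterminated one its loop would follow the stale next value, which is the read ASAN reports.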
This report is subject to our coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at email@example.com; please include the GHSL-YEAR-ID in any communication regarding this issue.