March 12, 2020

GHSL-2020-032: out-of-bounds (OOB) read vulnerability in PureFTPd

Antonio Morales


An out-of-bounds (OOB) read vulnerability has been detected in the pure_strcmp function.



Tested Version

Development version - master branch (Feb 24, 2020)


OOB read in pure_strcmp (CVE-2020-9365)

The pure_strcmp and pure_memcmp functions in utils.c are affected by out-of-bounds read vulnerabilities.

As seen in this code, the comparison length len is derived from s1 alone. If s1 is longer than s2, the loop's highest index, len-1, is greater than strlen(s2), so the loop keeps indexing s2 past its terminating NUL byte.

As a result, OOB reads occur from memory outside the boundaries of the s2 array.

Note that pure_strcmp is called from:

PureFTPD ASAN build instructions

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./configure --without-privsep --with-diraliases
make -j4

Steps to reproduce:

  1. Compile PureFTPd with ASAN as described above. Note that you need to comment out the setrlimit(RLIMIT_DATA) call in order to use ASAN with PureFTPd (ASAN reserves a lot of virtual memory). See the code
  2. Create a new user named fuzzing with the password fuzzing.
  3. Run the PureFTPd server as root, enabling one of the affected login modules. For example: # ./pure-ftpd -S pgsql:/home/antonio/Downloads/pureftdp/pureftpd-pgsql.conf -l unix
  4. Connect to the FTP server and log in as user fuzzing with password fuzzing.
  5. PureFTPd should crash, showing the ASAN trace.


This issue may allow attackers to leak sensitive information from PureFTPd process memory or crash the PureFTPd process itself.


One way this issue may be resolved is by bounding the comparison to the shorter of the two strings, e.g. by deriving the length from:

(strlen(s1) < strlen(s2)) ? strlen(s1) : strlen(s2)

The terminating NUL byte of the shorter string must still be included in the comparison (one byte beyond that minimum); otherwise a string would compare equal to any longer string that merely begins with it, which for a password check means accepting any prefix of the real password.
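The bug and the fix side by side, as an added C example that is not code from the PureFTPd repository or from this advisory: ct_memcmp reproduces the constant-time OR-of-XOR loop the advisory describes, vuln_compare_len is the length rule that derives the byte count from s1 alone, and fixed_compare_len is the min-length rule above plus one byte for the terminator. All function names, the 16-byte backing buffer and the sample strings are assumptions constructed for the demo; the "neighbour" bytes stand in for whatever follows the shorter string in process memory, and the buffer is oversized so the demo itself never reads out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constant-time byte comparison in the style the advisory describes for
 * pure_memcmp: OR together the XOR of every byte pair, so the running time does
 * not depend on where the first difference is. It trusts the caller's len; the
 * bug is in how pure_strcmp derives that len. */
static int ct_memcmp(const unsigned char *b1, const unsigned char *b2, size_t len)
{
    unsigned char d = 0U;
    size_t i;
    for (i = 0U; i < len; i++) {
        d |= (unsigned char) (b1[i] ^ b2[i]);
    }
    return (int) d;
}

/* Vulnerable length rule, as described in the advisory: the byte count comes
 * from s1 alone (string plus terminator), so when strlen(s1) > strlen(s2) the
 * loop indexes s2 beyond its terminating NUL. */
size_t vuln_compare_len(const char *s1)
{
    return strlen(s1) + 1U;
}

/* Hardened length rule: the shorter of the two lengths, plus one byte so the
 * terminator of the shorter string is compared too. Without the +1, "abc" and
 * "abcd" would compare equal, i.e. any prefix of a password would be accepted. */
size_t fixed_compare_len(const char *s1, const char *s2)
{
    size_t l1 = strlen(s1);
    size_t l2 = strlen(s2);
    return (l1 < l2 ? l1 : l2) + 1U;
}

/* Hardened pure_strcmp replacement (hypothetical name): 0 only when identical. */
int safe_strcmp(const char *s1, const char *s2)
{
    return ct_memcmp((const unsigned char *) s1, (const unsigned char *) s2,
                     fixed_compare_len(s1, s2));
}

/* Bytes a comparison of `len` bytes would read beyond s2's terminator. */
static size_t bytes_past_end(const char *s2, size_t len)
{
    size_t in_bounds = strlen(s2) + 1U;
    return len > in_bounds ? len - in_bounds : 0U;
}

size_t vuln_overread(const char *s1, const char *s2)
{
    return bytes_past_end(s2, vuln_compare_len(s1));
}

size_t fixed_overread(const char *s1, const char *s2)
{
    return bytes_past_end(s2, fixed_compare_len(s1, s2));
}

/* Constructed scenario: the stored password "fuzzing" sits in a 16-byte backing
 * buffer followed by `neighbour` bytes (a stand-in for whatever happens to be
 * after the string in process memory); the buffer is oversized so this demo
 * stays in bounds. */
static void fill_stored(unsigned char *stored, unsigned char neighbour)
{
    memset(stored, neighbour, 16);
    memcpy(stored, "fuzzing", 8);   /* 7 chars plus NUL at index 7 */
    stored[15] = 0;                 /* keep the backing buffer NUL-terminated */
}

/* The attempt is longer than the stored password, so the vulnerable rule reads
 * the neighbour bytes and folds them into its return value. */
int vuln_compare_with_neighbours(unsigned char neighbour)
{
    unsigned char stored[16];
    const char *attempt = "fuzzing\001AAAAAAA";   /* strlen 15, reads 16 bytes */
    fill_stored(stored, neighbour);
    return ct_memcmp((const unsigned char *) attempt, stored,
                     vuln_compare_len(attempt));
}

/* The fixed rule stops at the stored password's terminator (8 bytes), so the
 * neighbour bytes cannot influence the result. */
int fixed_compare_with_neighbours(unsigned char neighbour)
{
    unsigned char stored[16];
    const char *attempt = "fuzzing\001AAAAAAA";
    fill_stored(stored, neighbour);
    return ct_memcmp((const unsigned char *) attempt, stored,
                     fixed_compare_len(attempt, (const char *) stored));
}

int main(void)
{
    printf("vulnerable overread for (\"fuzzing\", \"fuzz\"): %zu bytes\n",
           vuln_overread("fuzzing", "fuzz"));
    printf("fixed overread for (\"fuzzing\", \"fuzz\"):      %zu bytes\n",
           fixed_overread("fuzzing", "fuzz"));
    printf("vulnerable result, neighbours 'A': %d, neighbours 'a': %d\n",
           vuln_compare_with_neighbours('A'), vuln_compare_with_neighbours('a'));
    printf("fixed result,      neighbours 'A': %d, neighbours 'a': %d\n",
           fixed_compare_with_neighbours('A'), fixed_compare_with_neighbours('a'));
    printf("safe_strcmp(\"fuzz\", \"fuzzing\") = %d\n", safe_strcmp("fuzz", "fuzzing"));
    return 0;
}
```

Build with `cc -Wall -fsanitize=address demo.c` if you like; the demo itself stays in bounds, whereas the real pure_strcmp would trip ASAN at the first byte past s2. The vulnerable rule's return value changes with the neighbour bytes, which is the memory-disclosure primitive the advisory refers to; the fixed rule's return value does not. Note that fixed_compare_len still makes the loop count depend on the shorter string's length, so a comparison that must also hide the stored string's length needs a different design (for example, comparing fixed-size digests).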

The patch can be found here

Coordinated Disclosure Timeline

This report is subject to our coordinated disclosure policy.

Supporting Resources


This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).


You can contact the GHSL team at, please include the GHSL-YEAR-ID in any communication regarding this issue.