An out-of-bounds (OOB) read vulnerability has been detected in the pure_strcmp and pure_memcmp functions of PureFTPd.
Tested version: Development version - master branch (Feb 24, 2020)
The pure_strcmp and pure_memcmp functions in utils.c are affected by out-of-bounds read vulnerabilities.
As seen in the code of these functions, the comparison length is taken from s1: if the length of s1 is greater than that of s2, the for loop will do len-1 iterations, where len-1 > strlen(s2). As a result, OOB reads occur from memory that is outside of the boundaries of the s2 buffer.
pure_strcmp is called from pw_unix_check (when shadow password support is not enabled).
PureFTPd was built with AddressSanitizer for testing:
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./configure --without-privsep --with-diraliases
The call to setrlimit(RLIMIT_DATA) also has to be disabled in order to be able to use ASAN with PureFTPd (ASAN takes a lot of virtual memory; see the code). The daemon was then started with:
# ./pure-ftpd -S pgsql:/home/antonio/Downloads/pureftdp/pureftpd-pgsql.conf -l unix
This issue may allow attackers to leak sensitive information from the PureFTPd process memory or to crash the PureFTPd process itself.
One way this issue may be resolved is by explicitly ensuring that s1 is not longer than s2, e.g. by bounding the comparison length with the shorter of the two strings:
(strlen(s1) < strlen(s2)) ? strlen(s1) : strlen(s2)
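The following is an added illustration of the defect and of the bounded fix; it is not pure-ftpd's code. A constant-time byte comparison is driven through a tracing reader that records how far into each operand the loop reaches and refuses to dereference past the buffer (recording an overrun instead), so the demo stays well-defined while showing exactly what an ASAN build would flag at runtime. The names (ct_memcmp_traced, strcmp_len_from_s1, strcmp_bounded) and the sample strings are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added illustration for this advisory, not pure-ftpd's code. A constant-time
 * comparison is run through a tracing byte reader so we can observe how many
 * bytes of each operand it touches and whether it stepped past the buffer.
 */

struct traced_buf {
    const unsigned char *base;        /* start of the allocation */
    size_t               cap;         /* bytes actually allocated (incl. NUL) */
    size_t               max_touched; /* highest index requested, plus one */
    int                  overrun;     /* set if an index >= cap was requested */
};

static struct traced_buf trace_cstr(const char *s)
{
    struct traced_buf t = { (const unsigned char *)s, strlen(s) + 1, 0, 0 };
    return t;
}

/* Instead of dereferencing out of bounds (undefined behaviour), record the
   overrun and hand back a filler byte; a real build would read foreign memory
   here, which is what AddressSanitizer reports. */
static unsigned char read_byte(struct traced_buf *b, size_t i)
{
    if (i + 1 > b->max_touched) b->max_touched = i + 1;
    if (i >= b->cap) { b->overrun = 1; return 0; }
    return b->base[i];
}

/* Constant-time compare: all len bytes are visited regardless of where the
   first difference is; only the accumulated difference decides the result
   (0 = equal, -1 = differ). */
static int ct_memcmp_traced(struct traced_buf *a, struct traced_buf *b, size_t len)
{
    unsigned char d = 0;
    for (size_t i = 0; i < len; i++)
        d |= read_byte(a, i) ^ read_byte(b, i);
    return d == 0 ? 0 : -1;
}

struct cmp_result {
    int    equal;            /* 1 if the strings compared equal */
    int    s2_overrun;       /* 1 if the loop reached past s2's allocation */
    size_t s2_bytes_touched; /* how many bytes of s2 the loop asked for */
};

/* "Before": the length comes from s1 alone, so a longer s1 drives the loop
   past the end of s2, which is the defect the advisory describes. */
struct cmp_result strcmp_len_from_s1(const char *s1, const char *s2)
{
    struct traced_buf a = trace_cstr(s1), b = trace_cstr(s2);
    int r = ct_memcmp_traced(&a, &b, strlen(s1) + 1);
    struct cmp_result res = { r == 0, b.overrun, b.max_touched };
    return res;
}

/* "After": bound the loop by the shorter string, as the advisory suggests.
   The +1 keeps the terminating NUL of the shorter string in the comparison,
   so a strict prefix ("abc" vs "abcd") still compares unequal. */
struct cmp_result strcmp_bounded(const char *s1, const char *s2)
{
    size_t l1 = strlen(s1), l2 = strlen(s2);
    size_t len = (l1 < l2 ? l1 : l2) + 1;
    struct traced_buf a = trace_cstr(s1), b = trace_cstr(s2);
    int r = ct_memcmp_traced(&a, &b, len);
    struct cmp_result res = { r == 0, b.overrun, b.max_touched };
    return res;
}
```

With a constructed pair such as s1 = "password123" and s2 = "pw", strcmp_len_from_s1 asks for 12 bytes of a 3-byte s2 and reports an overrun, while strcmp_bounded stops after 3 bytes and gives the same (unequal) answer. Note the +1 on the bounded length: taking only the minimum of the two strlen values, without the terminator, would make a strict prefix compare equal to the full string, so the fix must keep the NUL in the compared range or check the lengths for equality first.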
The patch can be found here: https://github.com/jedisct1/pure-ftpd/commit/36c6d268cb190282a2c17106acfd31863121b58e
This report is subject to our coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).
You can contact the GHSL team at email@example.com; please include the GHSL-YEAR-ID in any communication regarding this issue.