Date: Thu, 9 Jul 2015 10:31:13 +0200 From: Vasyl Kaigorodov <vkaigoro@...hat.com> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE request: pure-ftpd denial of service in glob_() On Thu, 18 Jun 2015, cve-assign@...re.org wrote: > > > https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807 > > Can you clarify the security impact? We have not looked into the code > paths or the overall product design. Is this a process that is > specific to one FTP client? Is the problem that the gl_errfunc > assignment doesn't occur and there is always a dereference of a NULL > function pointer? Is there a commonly relevant consequence other than > the ability of an FTP client to conduct a DoS attack against its own > session? As per : It won't crash the whole service, only the user session. It is not going to block and dump a core file either, except if compiled in DEBUG mode. It appears that there's no security impact here, please disregard this CVE request. : https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807#commitcomment-11764342 -- Vasyl Kaigorodov | Red Hat Product Security PGP: 0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828 [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ