Bug 149720

Summary: CAN-2005-0256 DoS in wu-ftpd
Product: Red Hat Enterprise Linux 2.1
Reporter: Josh Bressers <bressers>
Component: wu-ftpd
Assignee: Peter Vrabec <pvrabec>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 2.1
Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20050225,source=bugtraq,reported=20050225
Doc Type: Bug Fix
Last Closed: 2005-05-16 12:01:01 UTC

Description Josh Bressers 2005-02-25 18:51:24 UTC
iDEFENSE reported a DoS in wu-ftpd
http://www.idefense.com/application/poi/display?id=207&type=vulnerabilities




After a user logs into the ftpd, an attacker can send a simple command
which will cause high CPU utilization.

To exploit this vulnerability, a simple ftp client is sufficient. Once
logged in, either anonymously or as an authenticated user, issuing the
following command will cause the machine to become less responsive.

ftp> dir ***************************************************************
         ***************************************************************
         ***************************************************************
         **.*

Comment 1 Mark J. Cox 2005-04-28 10:01:40 UTC
Debian fixed this and say

+  * Applied patch by Chris Butler to fix denial of service in the NLST         
+    command [src/ftpd.c, CAN-2005-0256]   

But the patch isn't broken out in their update.  It's probably the hunk:

<mjcox> @@ -7487,6 +7517,9 @@
<mjcox>         }                                                              
        
<mjcox>         else {                                                         
        
<mjcox>             do                                                         
        
<mjcox> +              if ((in[0] == '*') && (in[1] == '*'))                   
        
<mjcox> +                in++;                                                 
        
<mjcox> +              else                                                    
        
<mjcox>                 *out++ = *in++;                                        
        
<mjcox>             while ((*in != '\0') && (*in != '/'));                     
        
<mjcox>             if (*in == '/')   
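Review bot: The added `if`/`else` is the unbraced body of the `do ... while` loop, so the copy `*out++ = *in++;` now hangs off an `else` with no braces and nothing says why; wrap the body in braces and add a one-line comment that runs of `*` are collapsed to a single `*` for CAN-2005-0256. The `in[1]` read stays inside the string only because `in[0] == '*'` has already ruled out the terminator at `in[0]`, which deserves a mention in that comment. The check also sits inside the per-component loop bounded by `'/'`, so it normalises each path component on its own; confirm that is the intended scope.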
<mjcox> looks like that collapses multiple *

Comment 2 Mark J. Cox 2005-04-28 10:33:44 UTC
wu_fnmatch.c looks to contain code that is meant to collapse multiple *:

            while (c == '*')
                c = *++pattern;

But this code is there in 2.6.1 which the report says is vulnerable.  I couldn't
reproduce this issue at all on my 2.6.2 wu-ftpd.
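
The collapsing step discussed in Comments 1 and 2, as an added example in C (not wu-ftpd or Debian code): `collapse_stars` normalises runs of `*` before matching, and `naive_match` is a hypothetical backtracking matcher that does not skip star runs itself, used only to count how much work the normalisation saves. The pattern and file name in `main` are constructed.

```c
/* Added example, not wu-ftpd source; names and inputs are constructed. */
#include <stdio.h>
#include <string.h>

/* Collapse each run of '*' to one '*', the normalisation the quoted hunk
 * applies. Returns output length, or (size_t)-1 if out is too small. */
size_t collapse_stars(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return (size_t)-1;
    for (; *in != '\0'; in++) {
        if (in[0] == '*' && in[1] == '*')
            continue;               /* drop all but the last '*' of a run */
        if (n + 1 >= outsz)
            return (size_t)-1;      /* reject rather than truncate */
        out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* Hypothetical naive backtracking matcher ('*', '?') that does not skip star
 * runs itself; *steps counts calls as a stand-in for CPU cost. */
int naive_match(const char *p, const char *s, unsigned long *steps)
{
    ++*steps;
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*') {
        do {                        /* '*' takes 0..strlen(s) characters */
            if (naive_match(p + 1, s, steps))
                return 1;
        } while (*s++ != '\0');
        return 0;
    }
    if (*s != '\0' && (*p == '?' || *p == *s))
        return naive_match(p + 1, s + 1, steps);
    return 0;
}

int main(void)
{
    const char *pat = "******.*", *name = "aaaaaaaaaa";   /* constructed */
    char buf[64];
    unsigned long raw = 0, norm = 0;
    int r1 = naive_match(pat, name, &raw);
    if (collapse_stars(pat, buf, sizeof buf) == (size_t)-1) return 1;
    int r2 = naive_match(buf, name, &norm);
    printf("raw=%lu collapsed=%lu same_result=%d\n", raw, norm, r1 == r2);
    return 0;
}
```

The match result is the same with and without normalisation; only the step count changes, which is the property to check when deciding whether a matcher needs the pre-collapse at all.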

Comment 3 Peter Vrabec 2005-04-28 12:54:11 UTC
I can't reproduce it either.

Comment 4 Josh Bressers 2005-05-13 21:06:23 UTC
Mark, Peter,

Any complaints if we close this?  Nobody seems to think we're vulnerable.

Comment 5 Peter Vrabec 2005-05-16 11:11:33 UTC
Not at all.

Comment 6 Josh Bressers 2005-05-16 12:01:01 UTC
I'm closing this since we can't reproduce it.