Bug 152918

Summary: CAN-2005-0256 wu-ftpd DoS
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: wu-ftpd
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Version: rhl7.3
CC: mschout
Keywords: Security
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0256
Whiteboard: LEGACY, rh73
Doc Type: Bug Fix
Last Closed: 2005-06-11 23:19:29 UTC

Description David Lawrence 2005-03-30 23:32:05 UTC
Remote exploitation of an input validation vulnerability in version
2.6.2 of WU-FTPD could allow for a denial of service of the system by
resource exhaustion.

The vulnerability specifically exists in the wu_fnmatch() function in
wu_fnmatch.c. When a pattern containing a '*' character is supplied as
input, the function calls itself recursively on a smaller substring. By
supplying a string which contains a large number of '*' characters, the
system will take a long time to return the results, during which time it
will be using a large amount of CPU time.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0256
http://www.idefense.com/application/poi/display?id=207&type=vulnerabilities
https://bugzilla.redhat.com/beta/show_bug.cgi?id=149720



------- Bug moved to this database by dkl 2005-03-30 18:32 -------

This bug previously known as bug 2449 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2449
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 mschout 2005-05-11 17:21:46 UTC
wu-ftpd in current updates appears not to be vulnerable to this.

wu_fnmatch() has this code:

        case '*':
            c = *pattern;
            while (c == '*')
                c = *++pattern;

What that is doing is collapsing/skipping over multiple '*' characters in a
row.  This is happening BEFORE the recursive call to wu_fnmatch().

This is mentioned in:

https://bugzilla.redhat.com/beta/show_bug.cgi?id=149720

And 2 people have reported that they are not able to reproduce the problem.

I wrote a Net::FTP script in perl that logged in to a wu-ftpd server on a RHL
7.3 machine, and I had it do:

$ftp->dir('***********************************************************************************************************************************************************************************************.*');

as was suggested in the advisory.  I had the script run this in a loop 1000
times.  During that time, the system remained over 90% idle, and most of the
load was due to OTHER things happening on that machine.  in.ftpd hovered around
1% CPU usage according to "top".

Given the above code, and backed up by the fact that people have reported that
they can not reproduce the problem, and the fact that I am unable to reproduce
it, I do not see how we are vulnerable to this one.  Should we close this?
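
Why the skip loop quoted in Comment 1 matters, as an added example that is not part of the original report and is not wu-ftpd's code: a toy recursive matcher counts its own invocations with and without collapsing runs of '*'. The names glob_match and count_calls, the shortened pattern and the file name are assumptions made for illustration.

```c
#include <stdio.h>

static unsigned long calls;  /* invocations made by the current match */

/* Toy matcher (assumed for illustration, not wu-ftpd's code): handles '*',
 * '?' and literal bytes only. With collapse != 0 a run of '*' is skipped
 * before recursing, as in the quoted snippet; with collapse == 0 every '*'
 * in the run recurses on its own. */
static int glob_match(const char *pat, const char *str, int collapse)
{
    calls++;
    for (; *pat; pat++, str++) {
        if (*pat == '*') {
            pat++;
            if (collapse)
                while (*pat == '*')
                    pat++;
            if (*pat == '\0')
                return 1;                 /* trailing '*' matches the rest */
            for (;; str++) {              /* try each suffix, including "" */
                if (glob_match(pat, str, collapse))
                    return 1;
                if (*str == '\0')
                    return 0;
            }
        }
        if (*str == '\0' || (*pat != '?' && *pat != *str))
            return 0;
    }
    return *str == '\0';
}

/* Run one match and report how many calls it took. */
static unsigned long count_calls(const char *pat, const char *str,
                                 int collapse, int *matched)
{
    calls = 0;
    *matched = glob_match(pat, str, collapse);
    return calls;
}

int main(void)
{
    const char *pat = "************.*";   /* constructed: run of '*', then ".*" */
    const char *name = "README";          /* constructed: no '.', so no match */
    int m;
    printf("no collapse: %lu calls\n", count_calls(pat, name, 0, &m));
    printf("collapse:    %lu calls\n", count_calls(pat, name, 1, &m));
    return 0;
}
```

With the run collapsed, a failing match costs one call per suffix of the name; without it, the call count grows combinatorially with the number of '*' characters.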

Comment 2 Marc Deslauriers 2005-06-11 23:19:29 UTC
I'm closing this. It doesn't seem to apply.