Bug 397011 (CVE-2007-5962)

Summary: CVE-2007-5962 vsftpd: memory leak when deny_file option is set
Product: [Other] Security Response
Component: vulnerability
Reporter: Martin Nagy <mnagy>
Assignee: Martin Nagy <mnagy>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: hripps, kreilly, security-response-team
Target Milestone: ---
Target Release: ---
Keywords: Patch, Regression, Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-21 09:40:00 UTC
Bug Depends On: 423001
Attachments:
- fix the vsftpd-2.0.4-filter.patch (flags: none)
- Just a cosmetic change. (flags: none)

Description Martin Nagy 2007-11-23 15:51:42 UTC
Description of problem:
There is a memory leak that causes memory to be allocated but not freed.
When the deny_file option is set, it is possible to easily exploit this.
This is a regression caused by the patch applied in bz174764. The problem also
exists in FC-6, F-7, F-8 and fedora/devel. Attached is a patch to solve
the problem.

Version-Release number of selected component (if applicable):
vsftpd-2.0.5-10.el5

How reproducible:
always

Steps to Reproduce:
# echo deny_file=foo >> /etc/vsftpd/vsftpd.conf
# service vsftpd restart

$ cat > memtest.sh << EOF
#!/bin/bash
echo USER anonymous
echo PASS foo

while [ 1 ]; do
        echo CWD pub
        echo CWD ..
done
EOF

$ chmod 700 memtest.sh
$ ./memtest.sh | telnet localhost 21 > /dev/null

Actual results:
vsftpd starts to allocate memory that will never be freed.

Expected results:


Additional info:
It is possible that the memory leak can be exploited by other means, or
with other vsftpd.conf options. This was not investigated in more depth.
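The reproducer above repeats one request in a loop until the daemon's heap grows. As an added illustration of the bug class only, not vsftpd's own filter code and not the attached patch, the following constructed C program shows a per-request filename filter that copies its input and releases the copy on just one exit path, beside a corrected variant that funnels every outcome through a single cleanup. The names `filter_leaky`, `filter_fixed`, `leaked_after`, the suffix-based matcher and the allocation counter are all hypothetical and belong to this example alone.

```c
/* Added illustration (not vsftpd's code): a request filter that copies its
 * input into a heap buffer.  The leaky variant returns early on a filter match
 * and skips free(); the fixed variant has one exit path.  A live-allocation
 * counter makes the leak observable without a debugger. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocation accounting, standing in for a leak detector. */
static long live_allocs = 0;

static char *tracked_copy(const char *s) {
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy) { memcpy(copy, s, n); live_allocs++; }
    return copy;
}

static void tracked_free(char *p) {
    if (p) { live_allocs--; free(p); }
}

/* Toy deny rule: a bare suffix match.  vsftpd's real matcher is different. */
static int suffix_denied(const char *name, const char *deny_suffix) {
    size_t n = strlen(name), d = strlen(deny_suffix);
    return n >= d && strcmp(name + n - d, deny_suffix) == 0;
}

/* Leaky version: the early return on a denied name forgets the copy. */
int filter_leaky(const char *path, const char *deny_suffix) {
    char *copy = tracked_copy(path);
    if (!copy) return 0;
    /* Normalise: drop one trailing '/' so "pub/" and "pub" are treated alike. */
    size_t len = strlen(copy);
    if (len > 1 && copy[len - 1] == '/') copy[len - 1] = '\0';
    if (suffix_denied(copy, deny_suffix))
        return 1;               /* BUG: copy is never freed on this path */
    tracked_free(copy);
    return 0;
}

/* Fixed version: one exit path, the copy is always released. */
int filter_fixed(const char *path, const char *deny_suffix) {
    char *copy = tracked_copy(path);
    if (!copy) return 0;
    size_t len = strlen(copy);
    if (len > 1 && copy[len - 1] == '/') copy[len - 1] = '\0';
    int denied = suffix_denied(copy, deny_suffix);
    tracked_free(copy);         /* released whatever the outcome */
    return denied;
}

/* Call a filter `rounds` times with a denied name, mirroring the looping
 * reproducer, and report how many heap blocks are still live afterwards. */
long leaked_after(int (*filter)(const char *, const char *), int rounds) {
    long before = live_allocs;
    for (int i = 0; i < rounds; i++)
        filter("pub/secret.foo", ".foo");
    return live_allocs - before;
}

int main(void) {
    printf("leaky filter: %ld blocks still live after 1000 calls\n",
           leaked_after(filter_leaky, 1000));
    printf("fixed filter: %ld blocks still live after 1000 calls\n",
           leaked_after(filter_fixed, 1000));
    return 0;
}
```

Build with `cc -Wall -o leakdemo leakdemo.c` and run it; the counter shows the leaky filter losing one block per denied request while the fixed one stays flat. Against a real daemon the equivalent check is running it under valgrind or AddressSanitizer's leak detection, or simply watching the RSS of the service's processes while a client repeats the same request.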

Comment 1 Martin Nagy 2007-11-23 15:51:42 UTC
Created attachment 267651 [details]
fix the vsftpd-2.0.4-filter.patch

Comment 2 RHEL Program Management 2007-11-23 16:05:19 UTC
This bugzilla has Keywords: Regression.

Since no regressions are allowed between releases,
it is also being proposed as a blocker for this release.

Please resolve ASAP.

Comment 3 Martin Nagy 2007-11-26 11:28:37 UTC
Created attachment 268841 [details]
Just a cosmetic change.

Comment 4 Mark J. Cox 2007-11-27 11:36:33 UTC
moving to security response product so we can do tracking bugs for the affected
rhel streams we decide are vulnerable and need to be fixed.

Comment 9 Mark J. Cox 2008-05-21 12:51:50 UTC
removing embargo ready for 5.2 release.

Comment 10 Fedora Update System 2008-05-21 14:04:19 UTC
vsftpd-2.0.6-4.fc9 has been submitted as an update for Fedora 9

Comment 11 Fedora Update System 2008-05-21 14:05:20 UTC
vsftpd-2.0.5-20.fc8 has been submitted as an update for Fedora 8

Comment 12 Fedora Update System 2008-05-21 14:05:56 UTC
vsftpd-2.0.5-17.fc7 has been submitted as an update for Fedora 7

Comment 13 Fedora Update System 2008-05-22 20:37:20 UTC
vsftpd-2.0.5-20.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2008-05-22 20:37:59 UTC
vsftpd-2.0.6-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-05-22 20:38:18 UTC
vsftpd-2.0.5-17.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.