Bug 405841 (CVE-2007-5769)

Summary: CVE-2007-5769 ftp: netkit ftp - use of uninitialized variable
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: mmaslano
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-12-03 16:11:06 UTC
Attachments: Original advisory text

Description Tomas Hoger 2007-11-30 13:21:29 UTC
Several problems with use of uninitialized variables were reported by VenusTech
for netkit ftpd (server) and ftp (client).  Those problems can cause ftpd or ftp
to crash.

References:
http://bugs.gentoo.org/show_bug.cgi?id=199206

Comment 1 Tomas Hoger 2007-11-30 13:21:29 UTC
Created attachment 273771 [details]
Original advisory text

Comment 4 Tomas Hoger 2007-12-03 16:09:24 UTC
Only netkit ftp client is shipped with Red Hat Enterprise Linux and Fedora.

Problematic code possibly causing ftp client crash was introduced in the fix for
bug #122295, which fixes other possible client crashes.  This patch is included
in ftp packages as shipped with Red Hat Enterprise Linux 4 and 5.

In Fedora, this problem was already fixed thanks to bug #251074.
Comment 5 Tomas Hoger 2007-12-03 16:11:06 UTC
Red Hat does not consider a user assisted client crash such as this to be a
security flaw.

Comment 6 Tomas Hoger 2007-12-06 16:51:30 UTC
Separate CVE ids were assigned by Mitre to ftp (client) and ftpd (server) issues:

CVE-2007-5769
Double-free vulnerability in the getreply function in ftp.c in netkit
ftp (netkit-ftp) 0.17 20040614 and later allows remote FTP servers to
cause a denial of service (application crash) and possibly have
unspecified other impact via some types of FTP protocol behavior.
NOTE: the netkit-ftpd issue is covered by CVE-2007-6263.

CVE-2007-6263
The dataconn function in ftpd.c in netkit ftpd (netkit-ftpd) 0.17,
when certain modifications to support SSL have been introduced, calls
fclose on an uninitialized file stream, which allows remote attackers
to cause a denial of service (daemon crash) and possibly have
unspecified other impact via some types of FTP over SSL protocol
behavior, as demonstrated by breaking a passive FTP DATA connection in
a way that triggers an error in the server's SSL_accept function.
NOTE: the netkit ftp issue is covered by CVE-2007-5769.
netkit ftpd is not shipped with Red Hat Enterprise Linux or Fedora.
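The cleanup pattern behind both CVE texts above (a stream pointer that is only assigned after a handshake succeeds but is closed on every exit path), shown as an added C illustration that is not netkit's code; the handshake stub, the use of tmpfile() in place of fdopen() on a data socket, and the function names are assumptions:

```c
#include <stdio.h>

/* Constructed illustration, not code from netkit ftp or ftpd. It models the
 * cleanup pattern behind CVE-2007-6263 (fclose on a never-opened stream) and
 * the related double-close in CVE-2007-5769: a stream pointer that is only
 * assigned after a handshake succeeds, but is closed on every exit path. */

static int g_closes;   /* how many fclose() calls the last run performed */

/* Stand-in for the SSL_accept step on a passive data connection (assumption):
 * returns 0 on success, -1 when the peer breaks the connection mid-handshake. */
static int handshake(int peer_breaks) { return peer_breaks ? -1 : 0; }

/* The vulnerable shape was, in outline:
 *     FILE *fp;                 -- no initializer
 *     if (handshake(...) < 0) goto bad;
 *     fp = fdopen(...);
 * bad:
 *     fclose(fp);               -- fp is garbage on the early-error path
 * Below is the hardened form: initialise to NULL, close at most once,
 * and null the pointer after closing so a second cleanup is harmless. */
int dataconn_hardened(int peer_breaks)
{
    FILE *fp = NULL;   /* never leave a stream pointer uninitialized */
    int rc = 0;
    g_closes = 0;

    if (handshake(peer_breaks) < 0) {
        rc = -1;
        goto bad;      /* fp is still NULL here */
    }
    fp = tmpfile();    /* stand-in for fdopen() on the accepted data socket */
    if (fp == NULL) {
        rc = -2;
        goto bad;
    }
    fputs("150 Opening data connection\r\n", fp);  /* transfer would follow */

bad:
    if (fp != NULL) {  /* guard: fclose(NULL) is undefined behaviour */
        fclose(fp);
        fp = NULL;     /* a repeated cleanup now finds nothing to close */
        g_closes++;
    }
    return rc;
}

/* Number of fclose() calls made by the most recent dataconn_hardened(). */
int close_count(void) { return g_closes; }
```

On the early-error path the hardened routine returns -1 without touching any stream; on the success path it closes the stream exactly once.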