Bug 453376 (CVE-2008-2375)

Summary: CVE-2008-2375 older vsftpd authentication memory leak
Product: [Other] Security Response
Reporter: Mark J. Cox <mjc>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: jskala, mnagy, osoukup
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-25 06:36:00 UTC
Bug Depends On: 197141, 452630

Description Mark J. Cox 2008-06-30 08:41:34 UTC
Customers reported that the pre-2.0.5 versions of vsftpd as shipped in Red Hat
Enterprise Linux 3 and 4, when used in combination with PAM, had a memory leak on
an invalid authentication attempt. Since upstream vsftpd prior to 2.0.5 allows
any number of invalid attempts on the same connection, this memory leak could
lead to an eventual DoS. I've allocated this CVE-2008-2375.

Upstream vsftpd 2.0.5 changed its behaviour so that 3 (configurable) invalid
password attempts would close the connection (hence allowing easier detection of
brute-forcing attacks, etc.), and this therefore also stops any memory leak from
leading to a DoS. So we're going to add this backported patch to our older
vsftpd versions:
https://bugzilla.redhat.com/attachment.cgi?id=201051

No embargo on this; the CVE only applies to other distros that are supporting
vsftpd < 2.0.5 and have a memory leak. We also didn't yet chase down the root
cause of the leak since it's mitigated by the patch.
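As an added example (not part of the bug report or of vsftpd itself), a small Python checker for the behaviour described above: it groups FAIL LOGIN events in vsftpd-style log lines by child pid, i.e. per connection, and flags any session that got past the 3-failure limit a 2.0.5-or-later (or patched) server enforces before closing the connection. The log lines are constructed, and the regex assumes vsftpd's default `FAIL LOGIN: Client "addr"` log format.

```python
import re
from collections import defaultdict

# Constructed sample vsftpd log lines (not taken from the bug report):
# pid 4101 is one connection making five bad password attempts,
# pid 4102 is a normal session with one failure followed by success.
SAMPLE_LOG = """\
Mon Jun 30 08:40:01 2008 [pid 4101] CONNECT: Client "192.0.2.10"
Mon Jun 30 08:40:03 2008 [pid 4101] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jun 30 08:40:05 2008 [pid 4101] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jun 30 08:40:07 2008 [pid 4101] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jun 30 08:40:09 2008 [pid 4101] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jun 30 08:40:11 2008 [pid 4101] [alice] FAIL LOGIN: Client "192.0.2.10"
Mon Jun 30 08:41:00 2008 [pid 4102] CONNECT: Client "198.51.100.7"
Mon Jun 30 08:41:02 2008 [pid 4102] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Jun 30 08:41:04 2008 [pid 4102] [bob] OK LOGIN: Client "198.51.100.7"
"""

# vsftpd forks one child per connection, so the pid identifies the session.
FAIL_RE = re.compile(r'\[pid (\d+)\] \[(\S*)\] FAIL LOGIN: Client "([^"]+)"')


def failures_per_session(log_text):
    """Map each child pid to (client address, number of FAIL LOGIN events)."""
    counts = defaultdict(int)
    clients = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            pid, _user, client = m.groups()
            counts[pid] += 1
            clients[pid] = client
    return {pid: (clients[pid], n) for pid, n in counts.items()}


def sessions_exceeding(log_text, max_login_fails=3):
    """Return sessions with more failures than a fixed server would allow.

    vsftpd >= 2.0.5 (and the backported patch) closes the connection after
    max_login_fails bad passwords, so more than that on a single pid points
    at an unpatched server still exposed to the per-attempt memory leak.
    """
    return {pid: info for pid, info in failures_per_session(log_text).items()
            if info[1] > max_login_fails}


if __name__ == "__main__":
    for pid, (client, n) in sessions_exceeding(SAMPLE_LOG).items():
        print(f"session pid {pid} from {client}: {n} failed logins on one connection")
```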

Comment 1 Red Hat Product Security 2008-07-25 06:36:00 UTC
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0680.html
  http://rhn.redhat.com/errata/RHSA-2008-0579.html