Bug 646174 (CVE-2009-5013)

Summary: CVE-2009-5013 pyftpdlib: DoS (memory consumption) by sending a QUIT command during a data transfer
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 07:04:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 646178
Bug Blocks:

Description Jan Lieskovsky 2010-10-24 19:20:23 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-5013 to
the following vulnerability:

Memory leak in the on_dtp_close function in ftpserver.py in pyftpdlib
before 0.5.2 allows remote authenticated users to cause a denial of
service (memory consumption) by sending a QUIT command during a data
transfer.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5013
[2] http://code.google.com/p/pyftpdlib/issues/detail?id=119
[3] http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY
[4] http://code.google.com/p/pyftpdlib/source/detail?r=615
[5] http://code.google.com/p/pyftpdlib/source/diff?spec=svn615&r=615&format=side&path=/trunk/pyftpdlib/ftpserver.py

Affected versions:
This issue affects the version of the pyftpdlib package as shipped
with Fedora release 12.

This issue does NOT affect the version of the pyftpdlib package as
shipped with Fedora release 13 (the relevant code part is already
updated).
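To make the failure mode concrete, the following added Python model (not pyftpdlib's code, and not the actual root cause from r615) shows the bug class the report describes: a control-connection handler that defers QUIT until the transfer ends, and then must tear itself down in `on_dtp_close`, otherwise the server's connection map keeps it alive forever. The `Handler`, `DataChannel` and `ACTIVE` names are constructed; the `weakref` check is the kind of regression test a maintainer would add to catch the leaking variant.

```python
import gc
import weakref

# Constructed stand-in for the server's socket map: whatever sits here
# is referenced by the server and can never be garbage-collected.
ACTIVE = {}


class DataChannel:
    """Minimal model of a data connection holding a back-reference."""

    def __init__(self, handler):
        self.handler = handler

    def close(self):
        # Transfer finished: notify the control handler, drop the back-ref.
        self.handler.on_dtp_close()
        self.handler = None


class Handler:
    """Minimal model of a control-connection handler."""

    def __init__(self, name, leak):
        self.name = name
        self.leak = leak            # True reproduces the buggy behaviour
        self.data_channel = None
        self.quit_pending = False
        ACTIVE[name] = self

    def start_transfer(self):
        self.data_channel = DataChannel(self)

    def ftp_QUIT(self):
        if self.data_channel is None:
            self.close()            # idle: disconnect immediately
        else:
            self.quit_pending = True  # busy: defer until transfer ends

    def on_dtp_close(self):
        self.data_channel = None
        if self.quit_pending and not self.leak:
            self.close()            # buggy variant skips this step

    def close(self):
        ACTIVE.pop(self.name, None)  # leave the server's map


def handler_survives_quit_mid_transfer(leak):
    """Return True if the handler is still alive after QUIT during a transfer."""
    h = Handler("leaky" if leak else "fixed", leak)
    ref = weakref.ref(h)
    h.start_transfer()
    h.ftp_QUIT()                    # QUIT arrives while data is in flight
    h.data_channel.close()          # transfer completes afterwards
    del h
    gc.collect()
    return ref() is not None
```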

Comment 1 Jan Lieskovsky 2010-10-24 19:44:27 UTC
Created pyftpdlib tracking bugs for this issue

Affects: fedora-12 [bug 646178]