Bug 119136 - CAN-2004-2259 vsftpd is very secure but not very stable
Alias: None
Product: Fedora
Classification: Fedora
Component: vsftpd   
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Mike McLean
Reported: 2004-03-25 13:57 UTC by Olivier Baudron
Modified: 2014-03-17 02:43 UTC

Fixed In Version: 1.2.1-4
Doc Type: Bug Fix
Last Closed: 2004-04-29 03:03:36 UTC

Attachments
Fix block/unblock signal bug (1.54 KB, text/plain)
2004-03-25 13:59 UTC, Olivier Baudron

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2004:164 normal SHIPPED_LIVE Updated vsftpd package fixes signal handling bug 2004-05-11 04:00:00 UTC

Description Olivier Baudron 2004-03-25 13:57:22 UTC
There is a signal handling problem in vsftpd-1.2.1-2.

The SIGCHLD handler is a complex function with malloc()s and free()s
inside. Neither malloc() nor free() is re-entrant, so the SIGCHLD
signal must be caught only at safe locations.

This is not the case:

// Pseudo-code
    socket = my_accept(...)

    my_accept(...) {
        malloc(...)   // BUG: may be interrupted!
        free(...)     // BUG: may be interrupted!
    }
// End

The unblock/block mechanism must be used more strictly around the
blocking system calls. A patch follows. Hopefully, it will fix
bug 109933.

Comment 1 Olivier Baudron 2004-03-25 13:59:47 UTC
Created attachment 98850
Fix block/unblock signal bug

Comment 2 Olivier Baudron 2004-04-28 08:46:53 UTC
I reported the problem to the author and the issue has been fixed in
the new upstream release 1.2.2. The patch is a bit different from mine.
Some structures have been rewritten so that malloc() and free() are
not used in the "accept" routine.

Comment 3 Bill Nottingham 2004-04-29 03:03:36 UTC
This is patched in 1.2.1-4.

Comment 4 John Flanagan 2004-05-12 03:20:40 UTC
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.