Bug 149720 - CAN-2005-0256 DoS in wu-ftpd
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: wu-ftpd
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Peter Vrabec
QA Contact: David Lawrence
Keywords: Security
Reported: 2005-02-25 13:51 EST by Josh Bressers
Modified: 2007-11-30 17:06 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-05-16 08:01:01 EDT
Description Josh Bressers 2005-02-25 13:51:24 EST
iDEFENSE reported a DoS in wu-ftpd

After a user logs into the ftpd, an attacker can send a simple command
which will cause high CPU utilization.

To exploit this vulnerability, a simple ftp client is sufficient. Once
logged in, either anonymously or as an authenticated user, issuing the
following command will cause the machine to become less responsive.

ftp> dir ***************************************************************
Comment 1 Mark J. Cox (Product Security) 2005-04-28 06:01:40 EDT
Debian fixed this and say

+  * Applied patch by Chris Butler to fix denial of service in the NLST         
+    command [src/ftpd.c, CAN-2005-0256]   

But the patch isn't broken out in their update.  It's probably the hunk:

<mjcox> @@ -7487,6 +7517,9 @@
<mjcox>         }                                                              
<mjcox>         else {                                                         
<mjcox>             do                                                         
<mjcox> +              if ((in[0] == '*') && (in[1] == '*'))                   
<mjcox> +                in++;                                                 
<mjcox> +              else                                                    
<mjcox>                 *out++ = *in++;                                        
<mjcox>             while ((*in != '\0') && (*in != '/'));                     
<mjcox>             if (*in == '/')   
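Review bot: The added if/else at "if ((in[0] == '*') && (in[1] == '*'))" is the unbraced body of the do ... while, so the loop now reads as do / if / else / while with nothing marking where the body starts and ends; wrap the body in braces and add a one-line comment saying that a run of '*' is collapsed to a single '*' because both match the same names within a path component. The in[1] read is fine as written: it is evaluated only when in[0] is '*', so at worst it reads the terminating NUL.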
<mjcox> looks like that collapses multiple *
Comment 2 Mark J. Cox (Product Security) 2005-04-28 06:33:44 EDT
wu_fnmatch.c looks to contain code that is meant to collapse multiple *:

            while (c == '*')
                c = *++pattern;

But this code is there in 2.6.1 which the report says is vulnerable.  I couldn't
reproduce this issue at all on my 2.6.2 wu-ftpd.
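
What collapsing a run of '*' buys a backtracking matcher, as an added example: this is a toy matcher written for illustration, not wu-ftpd's wu_fnmatch.c and not the Debian patch. The names glob_match, glob_match_inner and glob_steps, and the sample pattern and file name, are constructed for this example.

```c
#include <stdio.h>
static unsigned long glob_steps;   /* matcher calls made by the last glob_match() */

/* Toy matcher for '*' and '?' within one path component (hypothetical helper).
 * With collapse set, a run of '*' is skipped in one go before backtracking,
 * like the "while (c == '*') c = *++pattern;" fragment quoted above. */
static int glob_match_inner(const char *pat, const char *str, int collapse)
{
    glob_steps++;
    for (; *pat != '\0'; pat++, str++) {
        if (*pat == '*') {
            if (collapse)
                while (pat[1] == '*')
                    pat++;
            pat++;                      /* first pattern byte after the star(s) */
            if (*pat == '\0')
                return 1;               /* trailing '*' matches whatever is left */
            for (;; str++) {            /* try every suffix, including the empty one */
                if (glob_match_inner(pat, str, collapse))
                    return 1;
                if (*str == '\0')
                    return 0;
            }
        }
        if (*str == '\0' || (*pat != '?' && *pat != *str))
            return 0;
    }
    return *str == '\0';
}

/* Returns 1 on match; stores the number of matcher calls in *steps if non-NULL. */
static int glob_match(const char *pat, const char *str, int collapse, unsigned long *steps)
{
    glob_steps = 0;
    int matched = glob_match_inner(pat, str, collapse);
    if (steps != NULL)
        *steps = glob_steps;
    return matched;
}

int main(void)
{
    const char *pat = "********x", *name = "aaaaaaaaaaaa";  /* constructed input */
    unsigned long plain, collapsed;
    glob_match(pat, name, 0, &plain);
    glob_match(pat, name, 1, &collapsed);
    printf("calls without collapsing: %lu, with collapsing: %lu\n", plain, collapsed);
    return 0;
}
```

Both calls return the same answer; only the amount of backtracking differs.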
Comment 3 Peter Vrabec 2005-04-28 08:54:11 EDT
I can't reproduce it either.
Comment 4 Josh Bressers 2005-05-13 17:06:23 EDT
Mark, Peter,

Any complaints if we close this?  Nobody seems to think we're vulnerable.
Comment 5 Peter Vrabec 2005-05-16 07:11:33 EDT
Not at all.
Comment 6 Josh Bressers 2005-05-16 08:01:01 EDT
I'm closing this since we can't reproduce it.
