Bug 152918 - CAN-2005-0256 wu-ftpd DoS
Status: CLOSED NOTABUG
Product: Fedora Legacy
Classification: Retired
Component: wu-ftpd
Version: rhl7.3
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Fedora Legacy Bugs
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: LEGACY, rh73
Keywords: Security

Reported: 2005-03-10 15:52 EST by Marc Deslauriers
Modified: 2007-03-27 00:29 EDT
Doc Type: Bug Fix
Last Closed: 2005-06-11 19:19:29 EDT

Description David Lawrence 2005-03-30 18:32:05 EST
Remote exploitation of an input validation vulnerability in version
2.6.2 of WU-FTPD could allow for a denial of service of the system by
resource exhaustion.

The vulnerability specifically exists in the wu_fnmatch() function in
wu_fnmatch.c. When a pattern containing a '*' character is supplied as
input, the function calls itself recursively on a smaller substring. By
supplying a string which contains a large number of '*' characters, the
system will take a long time to return the results, during which time it
will be using a large amount of CPU time.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0256
http://www.idefense.com/application/poi/display?id=207&type=vulnerabilities
https://bugzilla.redhat.com/beta/show_bug.cgi?id=149720



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:32 -------

This bug previously known as bug 2449 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2449
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 mschout 2005-05-11 13:21:46 EDT
wu-ftpd in current updates appears not to be vulnerable to this.

wu_fnmatch() has this code:

        case '*':
            c = *pattern;
            while (c == '*')
                c = *++pattern;

What that is doing is collapsing/skipping over multiple '*' characters in a row.
This is happening BEFORE the recursive call to wu_fnmatch().

This is mentioned in:

https://bugzilla.redhat.com/beta/show_bug.cgi?id=149720

And 2 people have reported that they are not able to reproduce the problem.

I wrote a Net::FTP script in Perl that logged in to a wu-ftpd server on a RHL
7.3 machine, and I had it do:

$ftp->dir('***********************************************************************************************************************************************************************************************.*');

as was suggested in the advisory.  I had the script run this in a loop 1000
times.  During that time, the system remained over 90% idle, and most of the
load was due to OTHER things happening on that machine.  in.ftpd hovered around
1% CPU usage according to "top".

Given the above code, and backed up by the fact that people have reported that
they cannot reproduce the problem, and the fact that I am unable to reproduce
it, I do not see how we are vulnerable to this one.  Should we close this?
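
Added example (not part of the original comment and not wu-ftpd's code): a simplified '*'-only matcher that counts its own recursive calls, run with and without the star-collapsing loop quoted in Comment 1. The names toy_match and count_calls and the test input are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

static unsigned long calls;   /* recursion counter for the demonstration */

/* Toy matcher: '*' matches any run of characters, everything else is literal.
 * Simplified model written for this example, not wu-ftpd's wu_fnmatch().
 * collapse != 0 skips a run of '*' before recursing, like the quoted loop. */
static int toy_match(const char *pat, const char *str, int collapse)
{
    calls++;
    for (;; pat++, str++) {
        char c = *pat;
        if (c == '\0')
            return *str == '\0';
        if (c == '*') {
            pat++;
            if (collapse)
                while (*pat == '*')
                    pat++;
            if (*pat == '\0')
                return 1;               /* trailing '*' matches the rest */
            do {                        /* try every suffix, including "" */
                if (toy_match(pat, str, collapse))
                    return 1;
            } while (*str++ != '\0');
            return 0;
        }
        if (c != *str)
            return 0;
    }
}

/* Match `stars` consecutive '*' followed by ".x" against `len` 'a's
 * (constructed non-matching input) and return the number of calls made. */
static unsigned long count_calls(int stars, int len, int collapse)
{
    char pat[64], str[64];
    memset(pat, '*', (size_t)stars);
    strcpy(pat + stars, ".x");
    memset(str, 'a', (size_t)len);
    str[len] = '\0';
    calls = 0;
    toy_match(pat, str, collapse);
    return calls;
}

int main(void)
{
    printf("no collapsing: %lu calls\n", count_calls(6, 20, 0));
    printf("collapsing:    %lu calls\n", count_calls(6, 20, 1));
    return 0;
}
```

With collapsing, the call count grows linearly with the input length regardless of how many consecutive '*' the pattern holds; without it, each extra '*' adds another level of nested retries.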
Comment 2 Marc Deslauriers 2005-06-11 19:19:29 EDT
I'm closing this. It doesn't seem to apply.
