Bug 453376 - (CVE-2008-2375) CVE-2008-2375 older vsftpd authentication memory leak
CVE-2008-2375 older vsftpd authentication memory leak
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
source=bz,reported=20060628,impact=mo...
: Security
Depends On: 197141 452630
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-30 04:41 EDT by Mark J. Cox (Product Security)
Modified: 2016-03-04 05:43 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-25 02:36:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2008-06-30 04:41:34 EDT
Customers reported that the pre 2.0.5 versions of vsftpd as shipped in Red Hat
Enterprise Linux 3 and 4 when used in combination with PAM had a memory leak on
an invalid authentication attempt.  Since upstream vsftpd prior to 2.0.5 allows
any number of invalid attempts on the same connection this memory leak could
lead to an eventual DoS.  I've allocated this CVE-2008-2375.

Upstream vsftpd 2.0.5 changed its behaviour so that 3 (configurable) invalid
password attempts would close the connection (hence allowing easier detection of
brute forcing attacks etc), and this therefore also stops any memory leak from
leading to a DoS.  So we're going to add this backported patch to our older
vsftpd versions:                           
https://bugzilla.redhat.com/attachment.cgi?id=201051

No embargo on this, the CVE only applies to other distros that are supporting
vsftpd < 2.0.5 and have a memory leak.  We also didn't yet chase down the root
cause of the leak since it's mitigated by the patch.
Comment 1 Red Hat Product Security 2008-07-25 02:36:00 EDT
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0680.html
  http://rhn.redhat.com/errata/RHSA-2008-0579.html


Note You need to log in before you can comment on or make changes to this bug.