397011 – (CVE-2007-5962) CVE-2007-5962 vsftpd: memory leak when deny_file option is set

Bug 397011 (CVE-2007-5962) - CVE-2007-5962 vsftpd: memory leak when deny_file option is set

Summary: CVE-2007-5962 vsftpd: memory leak when deny_file option is set

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2007-5962
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Martin Nagy
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	423001
Blocks:
TreeView+	depends on / blocked

Reported:	2007-11-23 15:51 UTC by Martin Nagy
Modified:	2019-09-29 12:22 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-07-21 09:40:00 UTC
Embargoed:

Attachments	(Terms of Use)
fix the vsftpd-2.0.4-filter.patch (382 bytes, patch) 2007-11-23 15:51 UTC, Martin Nagy	no flags	Details \| Diff
Just a cosmetic change. (369 bytes, patch) 2007-11-26 11:28 UTC, Martin Nagy	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0295	0	normal	SHIPPED_LIVE	Low: vsftpd security and bug fix update	2008-05-21 14:16:37 UTC

Description Martin Nagy 2007-11-23 15:51:42 UTC

Description of problem:
There is a memory leak that causes memory to be allocated but not freed.
When the deny_file option is set, it is possible to easily exploit this.
This is a regression caused by applied patch in bz174764. Problem also
exists in FC-6, F-7, F-8 and fedora/devel. Attached is a patch to solve
the problem.

Version-Release number of selected component (if applicable):
vsftpd-2.0.5-10.el5

How reproducible:
always

Steps to Reproduce:
# echo deny_file=foo >> /etc/vsftpd/vsftpd.conf
# service vsftpd restart

$ cat > memtest.sh << EOF
#!/bin/bash
echo USER anonymous
echo PASS foo

while [ 1 ]; do
        echo CWD pub
        echo CWD ..
done
EOF

$ chmod 700 memtest.sh
$ ./memtest.sh | telnet localhost 21 > /dev/null

Actual results:
vsftpd starts to allocate memory that will never be freed.

Expected results:


Additional info:
It is possible that the memory leak can be exploited by other means, or
with other vsftpd.conf options. This was not investigated into more depth.

Comment 1 Martin Nagy 2007-11-23 15:51:42 UTC

Created attachment 267651 [details]
fix the vsftpd-2.0.4-filter.patch

Comment 2 RHEL Program Management 2007-11-23 16:05:19 UTC

This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being proposed as a blocker for this release.  

Please resolve ASAP.

Comment 3 Martin Nagy 2007-11-26 11:28:37 UTC

Created attachment 268841 [details]
Just a cosmetic change.

Comment 4 Mark J. Cox 2007-11-27 11:36:33 UTC

moving to security response product so we can do tracking bugs for the affected
rhel streams we decide are vulnerable and need to be fixed.

Comment 9 Mark J. Cox 2008-05-21 12:51:50 UTC

removing embargo ready for 5.2 release.

Comment 10 Fedora Update System 2008-05-21 14:04:19 UTC

vsftpd-2.0.6-4.fc9 has been submitted as an update for Fedora 9

Comment 11 Fedora Update System 2008-05-21 14:05:20 UTC

vsftpd-2.0.5-20.fc8 has been submitted as an update for Fedora 8

Comment 12 Fedora Update System 2008-05-21 14:05:56 UTC

vsftpd-2.0.5-17.fc7 has been submitted as an update for Fedora 7

Comment 13 Fedora Update System 2008-05-22 20:37:20 UTC

vsftpd-2.0.5-20.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2008-05-22 20:37:59 UTC

vsftpd-2.0.6-4.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-05-22 20:38:18 UTC

vsftpd-2.0.5-17.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Red Hat Product Security 2008-07-21 09:40:00 UTC

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0295.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-4347
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4362

Note You need to log in before you can comment on or make changes to this bug.