CVE-2020-9274

| Field | Value |
|---|---|
| Name | CVE-2020-9274 |
| Description | An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2123-1 |
| Debian Bugs | 952666 |

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| pure-ftpd (PTS) | jessie, jessie (lts) | 1.0.36-3.2+deb8u1 | fixed |
| | stretch | 1.0.43-3 | vulnerable |
| | buster | 1.0.47-3 | vulnerable |
| | bullseye | 1.0.49-4.1 | fixed |
| | bookworm | 1.0.50-2.1 | fixed |
| | sid, trixie | 1.0.50-2.2 | fixed |

The information below is based on the following data on fixed versions.

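| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pure-ftpd | source | wheezy | (unfixed) | end-of-life | | |
| pure-ftpd | source | jessie | 1.0.36-3.2+deb8u1 | | DLA-2123-1 | |
| pure-ftpd | source | (unstable) | 1.0.49-4 | | | 952666 |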

Notes

[buster] - pure-ftpd <no-dsa> (Minor issue)
[stretch] - pure-ftpd <no-dsa> (Minor issue)
https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
though the CVE description does not specifically say, the issue seems to be an
out-of-bounds memory read which may result in information disclosure;
probably not the end of the world, but it is made worse by use of the rather
unsafe strcmp() instead of strncmp() in the vulnerable functions
