CVE-2024-48208

NameCVE-2024-48208
Descriptionpure-ftpd before 1.0.52 is vulnerable to Buffer Overflow. There is an out of bounds read in the domlsd() function of the ls.c file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1086147

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pure-ftpd (PTS)jessie, jessie (lts)1.0.36-3.2+deb8u1vulnerable
stretch1.0.43-3vulnerable
buster1.0.47-3vulnerable
bullseye1.0.49-4.1vulnerable
bookworm1.0.50-2.1vulnerable
sid, trixie1.0.50-2.2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pure-ftpdsourcejessie(unfixed)end-of-life
pure-ftpdsource(unstable)(unfixed)1086147

Notes

https://github.com/jedisct1/pure-ftpd/pull/176
Fixed by: https://github.com/jedisct1/pure-ftpd/commit/350d66fbbd6634c09f146dc7d5bd57e737dfd0fb (1.0.52)
Followup: https://github.com/jedisct1/pure-ftpd/commit/2bbe0f25c6b905044803649a29df5f765f940b91
seems bogus, still unclear security impact

Search for package or bug name: Reporting problems