Netkit FTP Server: Denial of Service

2008-01-29T00:00:00
ID GLSA-200801-17
Type gentoo
Reporter Gentoo Foundation
Modified 2008-01-29T00:00:00

Background

net-ftp/netkit-ftpd is the Linux Netkit FTP server with optional SSL support.

Description

Venustech AD-LAB discovered that an FTP client connected to a vulnerable server with passive mode and SSL support can trigger an fclose() function call on an uninitialized stream in ftpd.c.
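The defect class described above, as an added illustration that is not netkit-ftpd's code: a hypothetical data-channel struct whose stream pointer is set to NULL at creation and checked before fclose(), so tearing down a passive-mode SSL session that never accepted a data connection is a harmless no-op rather than an fclose() on an uninitialized stream.

```c
#include <stdio.h>

/* Hypothetical model of one passive-mode FTP data channel (illustration,
 * not netkit-ftpd's code): the stream exists only once the client has
 * connected to the passive port, so teardown can run before any open. */
typedef struct {
    FILE *data;   /* NULL until the data connection is accepted */
    int   tls;    /* non-zero when the channel is SSL/TLS protected */
} data_channel;

/* Initialise every pointer explicitly: NULL is a safe "nothing to close"
 * marker, an uninitialised value handed to fclose() is a crash. */
void channel_init(data_channel *ch, int tls)
{
    ch->data = NULL;
    ch->tls = tls;
}

/* Attach an already-open stream (accept()+fdopen() in a real server). */
int channel_attach(data_channel *ch, FILE *fp)
{
    if (fp == NULL)
        return -1;
    ch->data = fp;
    return 0;
}

/* Teardown for every exit path (QUIT, ABOR, failed SSL handshake).
 * Returns 1 if a stream was closed, 0 if there was none to close.
 * The NULL test is what the vulnerable pattern lacks. */
int channel_close(data_channel *ch)
{
    if (ch->data == NULL)
        return 0;
    fclose(ch->data);
    ch->data = NULL;      /* also blocks a later double fclose() */
    return 1;
}

/* Advisory scenario: PASV + SSL negotiated, session ends before any data
 * connection was accepted. Safe no-op instead of fclose() on garbage. */
int teardown_without_data_connection(void)
{
    data_channel ch;
    channel_init(&ch, 1);
    return channel_close(&ch);
}
```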

Impact

A remote attacker can send specially crafted FTP data to a server with passive mode and SSL support, causing the ftpd daemon to crash.

Workaround

Disable passive mode or SSL.

Resolution

All Netkit FTP Server users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r7"