Gentoo Logo

Netkit FTP Server: Denial of Service

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200801-17 / netkit-ftpd
Release Date January 29, 2008
Latest Revision January 29, 2008: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
net-ftp/netkit-ftpd < 0.17-r7 >= 0.17-r7 All supported architectures

Related bugreports: #199206

Synopsis

Netkit FTP Server contains a Denial of Service vulnerability.

2.  Impact Information

Background

net-ftp/netkit-ftpd is the Linux Netkit FTP server with optional SSL support.

Description

Venustech AD-LAB discovered that an FTP client connected to a vulnerable server with passive mode and SSL support can trigger an fclose() function call on an uninitialized stream in ftpd.c.

Impact

A remote attacker can send specially crafted FTP data to a server with passive mode and SSL support, causing the ftpd daemon to crash.

3.  Resolution Information

Workaround

Disable passive mode or SSL.

Resolution

All Netkit FTP Server users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r7"

4.  References

Print

Updated January 29, 2008

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Support OSL
Gentoo Centric Hosting: vr.org
Tek Alchemy
SevenL.net
Global Netoptex Inc.
Bytemark
Online Kredit Index
Copyright 2001-2009 Gentoo Foundation, Inc. Questions, Comments? Contact us.