CVE-2007-5962, made public yesterday:
Memory leak in a certain Red Hat patch, applied to vsftpd 2.0.5 on Red Hat Enterprise Linux (RHEL) 5 and Fedora 6 through 8, and on Foresight Linux and rPath appliances, allows remote attackers to cause a denial of service (memory consumption) via a large number of CWD commands, as demonstrated by an attack on a daemon with the deny_file configuration option.

Rather embarrassing given vsftpd's focus on security. Of course this is nowhere near the scale of last week's OpenSSL bug, but it seems to indicate that Debian is not the only distro with insufficient review processes. (The patch was added in 2006 to fix this bug.)
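To make the bug class concrete, here is an added illustration (my own code, not vsftpd's source and not the Red Hat patch) of how a per-command leak of this shape arises and how to spot it: a handler builds a heap buffer for a deny_file-style path check, frees it on the success path, but returns early on the deny path without freeing. The deny pattern (".ssh"), the function names and the reply codes are assumptions for the example; the allocation counter stands in for what valgrind or a growing RSS would show on the real daemon.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration of the bug class: a per-command heap
 * allocation that is freed on the success path but not on the deny
 * path, so every rejected CWD leaks one buffer.  This is NOT vsftpd's
 * code or the Red Hat patch; all names here are made up. */

static long g_live_allocs = 0;   /* live heap blocks, for the check below */

/* Build "<cwd>/<arg>" on the heap and count the allocation. */
static char *tracked_join(const char *cwd, const char *arg)
{
    size_t n = strlen(cwd) + 1 + strlen(arg) + 1;
    char *p = malloc(n);
    if (p == NULL)
        return NULL;
    g_live_allocs++;
    snprintf(p, n, "%s/%s", cwd, arg);
    return p;
}

static void tracked_free(char *p)
{
    if (p != NULL) {
        g_live_allocs--;
        free(p);
    }
}

/* Stand-in for a deny_file style check: any path containing the
 * (assumed) pattern ".ssh" is denied. */
static int path_denied(const char *path)
{
    return strstr(path, ".ssh") != NULL;
}

/* Buggy handler: the early return on the deny path skips the free. */
int handle_cwd_leaky(const char *cwd, const char *arg)
{
    char *abs = tracked_join(cwd, arg);
    if (abs == NULL)
        return 451;            /* local error, nothing allocated */
    if (path_denied(abs))
        return 550;            /* BUG: abs is never freed */
    tracked_free(abs);
    return 250;
}

/* Fixed handler: one exit path, buffer freed whatever the outcome. */
int handle_cwd_fixed(const char *cwd, const char *arg)
{
    int code = 250;
    char *abs = tracked_join(cwd, arg);
    if (abs == NULL)
        return 451;
    if (path_denied(abs))
        code = 550;
    tracked_free(abs);
    return code;
}

/* Drive a handler with `count` denied CWDs and report the live blocks
 * afterwards: a leak shows up as growth proportional to count, which is
 * exactly what a flood of CWD commands from a remote client exploits. */
long cwd_flood_live_allocs(int (*handler)(const char *, const char *), int count)
{
    g_live_allocs = 0;
    for (int i = 0; i < count; i++)
        handler("/home/user", ".ssh");
    return g_live_allocs;
}

int main(void)
{
    printf("leaky: %ld live blocks after 1000 denied CWDs\n",
           cwd_flood_live_allocs(handle_cwd_leaky, 1000));
    printf("fixed: %ld live blocks after 1000 denied CWDs\n",
           cwd_flood_live_allocs(handle_cwd_fixed, 1000));
    return 0;
}
```

The counter makes the leak visible in a unit test; on a real binary the equivalent check is `valgrind --leak-check=full` reporting a definite loss per denied command, or watching the daemon's RSS climb while a client loops over CWD. The structural fix is the usual one: a single exit path (or a `goto cleanup`) so that every early reply still releases what the handler allocated.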
5 comments:
It's just a memory leak.
Red Hat found this problem (2007-11-23):
https://bugzilla.redhat.com/show_bug.cgi?id=397011
> but it seems to indicate that Debian is not the only distro with insufficient review processes.
Yes.
The bug was opened on 2007-11-23, but made public only two days ago (see comment #9).
> The bug was opened on 2007-11-23, but made public only two days ago
It's common practice.
> but it seems to indicate that Debian is not the only distro with insufficient review processes.
I think these kind of patches should be done upstream, not by distros themselves.
Do note that the patch RedHat/rPath/Foresight applied fixed a much more serious security error... that of deny_hosts not working properly. I'll trade an information-disclosure issue for a minor memory leak any day.
And, yes, the patch should have been pushed upstream. But sometimes upstream is slow to respond, sometimes upstream doesn't exist, and sometimes distros just forget. Managing a codebase as complex as an entire distro means that sometimes patches intended for upstream get missed.
Red Hat (the original patch author) has submitted, or will shortly submit, the deny_hosts fix, without the memory leak, upstream.
smithj, Foresight Security Lead