DescriptionAn issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs952666

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pure-ftpd (PTS)buster1.0.47-3vulnerable
sid, trixie1.0.50-2.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[buster] - pure-ftpd <no-dsa> (Minor issue)
[stretch] - pure-ftpd <no-dsa> (Minor issue)
though the CVE description does not specifically say, the issue seems to be an
out-of-bounds memory read which may result in information disclosure;
probably not the end of the world, but it is made worse by use of the rather
unsafe strcmp() instead of strncmp() in the vulnerable functions

Search for package or bug name: Reporting problems