
Mageia alert MGASA-2020-0128 (pure-ftpd)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2020-0128: Updated pure-ftpd packages fix security vulnerabilities
Date:  Fri, 6 Mar 2020 17:15:18 +0100
Message-ID:  <20200306161518.99C129F74F@duvel.mageia.org>

MGASA-2020-0128 - Updated pure-ftpd packages fix security vulnerabilities

Publication date: 06 Mar 2020
URL: https://advisories.mageia.org/MGASA-2020-0128.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-9274, CVE-2019-9365, CVE-2019-20176

Description:
Updated pure-ftpd packages fix security vulnerabilities:

An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) function is called, they fail to correctly detect the end of the linked list and try to access a non-existent list member. This is related to init_aliases in diraliases.c. (CVE-2019-9274).

An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read has been detected in the pure_strcmp function in utils.c (CVE-2019-9365).

In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the listdir function in ls.c (CVE-2019-20176).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26229
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9274
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9365
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2...

SRPMS:
- 7/core/pure-ftpd-1.0.47-7.mga7

