Package: pure-ftpd Version: 1.0.36-3.3 Severity: important Tags: security confirmed patch upstream fixed-upstream
Hi This vulnerability has been found in pure-ftpd: https://security-tracker.debian.org/tracker/TEMP-0000000-5314C6 https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807 I think it's a minor issue and don't deserve a DSA by itself, but it's up to you and the security team to decide, of course. Cheers, Santiago P.S. Patch attached
diff --git a/src/bsd-glob.c b/src/bsd-glob.c
index 27da8c8..5983465 100644
--- a/src/bsd-glob.c
+++ b/src/bsd-glob.c
@@ -151,9 +151,6 @@ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int),
printf ("pattern: %s\n", pattern);
- if (strlen(pattern) >= PATH_MAX) {
- return GLOB_NOMATCH;
- }
pglob->gl_maxdepth = maxdepth;
pglob->gl_maxfiles = maxfiles;
patnext = (unsigned char *) pattern;
@@ -174,6 +171,9 @@ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int),
pglob->gl_pathc >= INT_MAX - pglob->gl_offs - 1) {
return GLOB_NOSPACE;
}
+ if (strlen(pattern) >= PATH_MAX) {
+ return GLOB_NOMATCH;
+ }
bufnext = patbuf;
bufend = bufnext + MAXPATHLEN - 1;
if (flags & GLOB_NOESCAPE) {
signature.asc
Description: Digital signature
