CVE-2020-1939: Apache NuttX optional/example ftpd program NULL pointer bug Severity: Important
Vendor: Apache NuttX (Incubating) Versions Affected: 6.15 to 8.2 (all pre-date NuttX joining the Apache.org Incubator) Description: The Apache NuttX (Incubating) project provides an optional separate "apps" repository which contains various optional components and example programs. One of these, ftpd, had a NULL pointer dereference bug. The NuttX RTOS itself is not affected. Users of the optional apps repository are affected only if they have enabled ftpd. Mitigation: Users of affected versions should upgrade to 9.0.0 or apply the following patch: https://patch-diff.githubusercontent.com/raw/apache/incubator-nuttx-apps/pull/10.patch Credit: This issue was discovered by Jakub Botwicz of Samsung R&D Poland. References: https://bitbucket.org/nuttx/apps-old/issues/15/null-dereference-in-ftp-size-command https://github.com/apache/incubator-nuttx-apps/pull/10 Regards, Brennan Ashton
