PublicDateAtUSN: 2020-02-26 16:15:00 UTC
Candidate: CVE-2020-9274
PublicDate: 2020-02-26 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9274
 https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
 https://www.pureftpd.org/project/pure-ftpd/news/
 https://ubuntu.com/security/notices/USN-4515-1
Description:
 An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer
 vulnerability has been detected in the diraliases linked list. When the
 *lookup_alias(const char alias) or print_aliases(void) function is called,
 they fail to correctly detect the end of the linked list and try to access
 a non-existent list member. This is related to init_aliases in
 diraliases.c.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952666
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]


Patches_pure-ftpd:
upstream_pure-ftpd: released (1.0.49-4)
precise/esm_pure-ftpd: DNE
trusty_pure-ftpd: ignored (out of standard support)
trusty/esm_pure-ftpd: DNE
xenial_pure-ftpd: released (1.0.36-3.2+deb8u1build0.16.04.1)
bionic_pure-ftpd: needs-triage
eoan_pure-ftpd: ignored (reached end-of-life)
focal_pure-ftpd: not-affected (1.0.49-4)
groovy_pure-ftpd: not-affected (1.0.49-4)
hirsute_pure-ftpd: not-affected (1.0.49-4)
impish_pure-ftpd: not-affected (1.0.49-4)
jammy_pure-ftpd: not-affected (1.0.49-4)
devel_pure-ftpd: not-affected (1.0.49-4)