CVE-2019-11366

Priority
Description
An issue was discovered in atftpd in atftp 0.7.1. It does not lock the
thread_list_mutex mutex before assigning the current thread data structure.
As a result, the daemon is vulnerable to a denial of service attack due to
a NULL pointer dereference. If thread_data is NULL when assigned to
current, and modified by another thread before a certain tftpd_list.c
check, there is a crash when dereferencing current->next.
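The ordering problem described above, as an added single-threaded C model (not atftpd source): a callback stands in for the second thread so the interleaving is deterministic. The function names, the `race_window` hook and the sample nodes are hypothetical, and the model assumes the check tests the live `thread_data` head while the walk uses the earlier copy in `current`.

```c
#include <pthread.h>
#include <stdio.h>
/* Hypothetical model of the daemon's thread list; not atftpd source. */
struct thread_data { struct thread_data *next; };
static struct thread_data *thread_data;              /* shared list head */
static pthread_mutex_t thread_list_mutex = PTHREAD_MUTEX_INITIALIZER;
static struct thread_data other_entry, new_entry;    /* constructed nodes */

/* Tail append, caller holds the mutex; -1 marks where current->next would crash. */
static int append_locked(struct thread_data *current, struct thread_data *entry)
{
    entry->next = NULL;
    if (thread_data == NULL) { thread_data = entry; return 0; }  /* live head */
    if (current == NULL) return -1;       /* stale pre-lock snapshot */
    while (current->next != NULL) current = current->next;
    current->next = entry;
    return 0;
}

/* Flawed order: head copied into current before the mutex is taken.
   race_window stands in for another thread scheduled in that gap. */
int add_snapshot_then_lock(struct thread_data *entry, void (*race_window)(void))
{
    struct thread_data *current = thread_data;
    if (race_window) race_window();
    pthread_mutex_lock(&thread_list_mutex);
    int ret = append_locked(current, entry);
    pthread_mutex_unlock(&thread_list_mutex);
    return ret;
}

/* Corrected order: take the mutex, then read the head. */
int add_lock_then_snapshot(struct thread_data *entry, void (*race_window)(void))
{
    if (race_window) race_window();
    pthread_mutex_lock(&thread_list_mutex);
    int ret = append_locked(thread_data, entry);
    pthread_mutex_unlock(&thread_list_mutex);
    return ret;
}

/* Constructed interleaving: a second thread adds the first list entry. */
static void other_thread_adds(void) { add_lock_then_snapshot(&other_entry, NULL); }

int main(void)
{
    printf("%d\n", add_snapshot_then_lock(&new_entry, other_thread_adds));
    thread_data = NULL;
    printf("%d\n", add_lock_then_snapshot(&new_entry, other_thread_adds));
    return 0;
}
```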
Notes
Package
Source: atftp (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): released (0.7.20120829-3.1~0.18.04.1)
Ubuntu 20.04 LTS (Focal Fossa): not-affected (0.7.git20120829-3.1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (0.7.git20120829-3.1)
More Information

Updated: 2020-09-25 00:24:55 UTC (commit 3c0ef214749d368dfef2a59d15a1acf57498fd3a)