Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 152918 - CAN-2005-0256 wu-ftpd DoS
Summary: CAN-2005-0256 wu-ftpd DoS
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: wu-ftpd
Version: rhl7.3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Whiteboard: LEGACY, rh73
Depends On:
TreeView+ depends on / blocked
Reported: 2005-03-10 20:52 UTC by Marc Deslauriers
Modified: 2007-03-27 04:29 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-06-11 23:19:29 UTC

Attachments (Terms of Use)

Description David Lawrence 2005-03-30 23:32:05 UTC
Remote exploitation of an input validation vulnerability in version
2.6.2 of WU-FPTD could allow for a denial of service of the system by
resource exhaustion.

The vulnerability specifically exists in the wu_fnmatch() function in
wu_fnmatch.c. When a pattern containing a '*' character is supplied as
input, the function calls itself recursively on a smaller substring. By
supplying a string which contains a large number of '*' characters, the
system will take a long time to return the results, during which time it
will be using a large amount of CPU time.

------- Bug moved to this database by 2005-03-30 18:32 -------

This bug previously known as bug 2449 at
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 mschout 2005-05-11 17:21:46 UTC
wu-ftpd in current updates appears not to be vulnerable to this.

wu_fnmatch() has this code:

        case '*':
            c = *pattern;
            while (c == '*')
                c = *++pattern;

What that is doing is collapsing/skipping over multiple '*' characters in a row
 .  This is happening BEFORE the recursive call to wu_fnmatch()

This is mentioned in:

And 2 people have reported that they are not able to reproduce the problem.

I wrote a Net::FTP script in perl that logged in to a wu-ftpd server on a RHL
7.3 machine, and I had it do:


as was suggested in the advisory.  I had the script run this in a loop 1000
times.  During that time, the system remained over 90% idle, and most of the
load was due to OTHER things happening on that machine.  in.ftpd hovered around
1% CPU usage according to "top".

Given the above code, and backed up by the fact that people have reported that
they can not reproduce the problem, and the fact that I am unable to reproduce
it, I do not see how we are vulnerable to this one.  Should we close this?

Comment 2 Marc Deslauriers 2005-06-11 23:19:29 UTC
I'm closing this. It doesn't seem to apply.

Note You need to log in before you can comment on or make changes to this bug.