FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- libfetch out of bounds read

Affected packages
13.0 <= FreeBSD < 13.0_4
12.2 <= FreeBSD < 12.2_10
11.4 <= FreeBSD < 11.4_13

Details

VuXML ID d22b336d-0567-11ec-b69d-4062311215d5
Discovery 2021-08-24
Entry 2021-08-25

Problem Description:

The passive mode in FTP communication allows an out of boundary read while libfetch uses strtol to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for *p == '\0' one byte too late because p++ was already performed.

Impact:

The connection buffer size can be controlled by a malicious FTP server because the size is increased until a newline is encountered (or no more characters are read). This also allows to move the buffer into more interesting areas within the address space, potentially parsing relevant numbers for the attacker. Since these bytes become available to the server in form of a new TCP connection to a constructed port number or even part of the IPv6 address this is a potential information leak.

References

CVE Name CVE-2021-36159
FreeBSD Advisory SA-21:15.libfetch