MNBSD-2021-10: Out-of-bounds read in libfetch passive FTP response parsing

Severity: Unknown

Affected Package: libfetch

Summary: Out-of-bounds read in libfetch passive FTP response parsing

Description

When using passive-mode FTP, libfetch used strtol() to parse the comma-separated numbers in the server's PASV response into address bytes without checking whether the line ended prematurely. The resulting off-by-one in the loop condition could cause an out-of-bounds read, which a malicious FTP server could exploit to leak sensitive information from the client's memory.
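The safe way to parse such a reply is to treat the line as untrusted input: skip the reply code, then require exactly six numbers, each in the range 0 to 255 and each (but the last) followed by a comma, failing the moment the terminating NUL is reached early. The following hardened parser is an added example written for this advisory; it is not libfetch's code, and the function names parse_pasv and pasv_port as well as the sample reply lines are constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened parser (not libfetch's code).
 * Parses a reply such as "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
 * into six bytes. Returns 0 on success, -1 on any malformed or
 * truncated input. Never reads past the string's terminating NUL. */
int parse_pasv(const char *line, unsigned char out[6])
{
    const char *p = line;

    /* The reply must start with a three-digit FTP reply code. */
    for (int k = 0; k < 3; k++) {
        if (!isdigit((unsigned char)*p))
            return -1;
        p++;
    }

    /* Advance to the first digit of the address tuple; a NUL first
     * means there is no tuple at all. */
    while (*p && !isdigit((unsigned char)*p))
        p++;
    if (!*p)
        return -1;

    for (int i = 0; i < 6; i++) {
        char *end;
        errno = 0;
        long v = strtol(p, &end, 10);
        /* Reject: no digits consumed, overflow, or a value outside a byte. */
        if (end == p || errno == ERANGE || v < 0 || v > 255)
            return -1;
        out[i] = (unsigned char)v;
        p = end;
        if (i < 5) {
            /* Every field but the last must be followed by a comma.
             * A NUL here is the "line ended prematurely" case: we stop
             * instead of stepping over the terminator. */
            if (*p != ',')
                return -1;
            p++;
        }
    }
    return 0;
}

/* Convenience wrapper: writes the dotted-quad address into ipbuf
 * (at least 16 bytes) and returns the data port, or -1 on failure. */
int pasv_port(const char *line, char ipbuf[16])
{
    unsigned char b[6];
    if (parse_pasv(line, b) != 0)
        return -1;
    snprintf(ipbuf, 16, "%u.%u.%u.%u", b[0], b[1], b[2], b[3]);
    return (b[4] << 8) | b[5];
}

int main(void)
{
    /* Constructed sample replies: one well-formed, one truncated,
     * one with an out-of-range field. */
    const char *samples[] = {
        "227 Entering Passive Mode (192,0,2,10,195,80)",
        "227 Entering Passive Mode (192,0,2,10,195",
        "227 Entering Passive Mode (192,0,2,10,300,80)",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char ip[16];
        int port = pasv_port(samples[i], ip);
        if (port < 0)
            printf("rejected: %s\n", samples[i]);
        else
            printf("accepted: %s port %d\n", ip, port);
    }
    return 0;
}
```

The key difference from the pattern described above is that the delimiter check happens before the pointer is advanced, so a reply that ends after the fifth number is rejected rather than scanned past its terminator; bounding each field to 0..255 also stops a server from smuggling an arbitrary port or address byte through a wide strtol() result.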

Affected Versions

libfetch

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2021-36159

Published: August 24, 2021
Last Modified: August 24, 2021