Several ftp parsing libraries are vulnerable to attack by simply feeding them too much data. While the library authors have taken care to be robust in parsing ftp NLST returns they don't iterate the data as they receive it but store the data until the NLST completes. In the case of rpm a user using rpm -Uvh ftp://foo.bar.com/updates/* and hitting a rogue server can be fed 1Gb of data at which point rpm does a <<2 and allocates 0 bytes of memory to copy the data into. In the case of gnome-1.x the gnome library string routines are used and these use an int for size management. Gnome 2.x fixes this problem and uses size_t so is not exploitable. Even in the non vulnerable applications there are out of memory annoyance value attacks as a result of this way of handling file lists. This attack is not actually that useful fortunately. The end user has to trigger the access, and has to accept >1Gb of data without getting suspicious. In addition the gnome-1.x variant is only exploitable on systems where sizeof(int) < sizeof(ptrdiff_t) - typically 64bit only. I have not inspected other ftp NLST parsing applications but it seems people should take a look to see who else is buffering too much data in RAM or not checking for size wraps. Gnome and RPM maintainers were informed in advance in April. Alan
