CVE-2020-1939: Apache NuttX optional/example ftpd program NULL pointer
bug

Severity: Important

Vendor:
Apache NuttX (Incubating)

Versions Affected:
6.15 to 8.2 (all pre-date NuttX joining the Apache.org Incubator)

Description:
The Apache NuttX (Incubating) project provides an optional separate
"apps" repository which contains various optional components and
example programs. One of these, ftpd, had a NULL pointer dereference
bug. The NuttX RTOS itself is not affected. Users of the optional apps
repository are affected only if they have enabled ftpd.

Mitigation:
Users of affected versions should upgrade to 9.0.0 or apply the
following patch:
https://patch-diff.githubusercontent.com/raw/apache/incubator-nuttx-apps/pull/10.patch

Credit:
This issue was discovered by Jakub Botwicz of Samsung R&D Poland.

References:
https://bitbucket.org/nuttx/apps-old/issues/15/null-dereference-in-ftp-size-command
https://github.com/apache/incubator-nuttx-apps/pull/10

Regards,
Brennan Ashton


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
For additional commands, e-mail: general-h...@incubator.apache.org

Reply via email to