CVE-2020-9273: 
ProFTPd vulnerability analysis and mitigation

CVE-2020-9273 is a use-after-free vulnerability discovered in ProFTPD 1.3.7, reported on February 20, 2020. The vulnerability occurs when interrupting the data transfer channel, which can corrupt the memory pool and trigger a use-after-free condition in alloc_pool in pool.c, potentially leading to remote code execution (GitHub Issue, NVD).

The vulnerability stems from a memory corruption issue in ProFTPD's memory pool allocator. When a data transfer is interrupted, it can lead to a dangling pointer due to an use-after-free vulnerability in the alloc_pool function. The issue occurs specifically when the function executes the instruction first_avail = blok->h.first_avail with a corrupted pool. The source of the problem originates from a pcalloc call in netio.c:1066, which ultimately results in a corrupted memory reference (GitHub Issue).

The vulnerability can allow a remote attacker to execute arbitrary code on the affected system with the privileges of the process. Additionally, it can lead to denial of service conditions. The issue affects both authenticated users and potentially anonymous FTP users (Debian Security, GitHub Issue).

The vulnerability has been fixed in various distribution releases including Debian 8 'Jessie' (version 1.3.5e+r1.3.5-2+deb8u6), Debian 9 'Stretch' (version 1.3.5b-4+deb9u4), and Debian 10 'Buster' (version 1.3.6-4+deb10u4). Users are recommended to upgrade their proftpd-dfsg packages to the latest version (Debian LTS, Debian Security).