
Cloud Vulnerability DB
A community-led vulnerabilities database
An uninitialized pointer vulnerability was discovered in Pure-FTPd version 1.0.49. The vulnerability affects the diraliases linked list implementation, where the lookup_alias(const char *alias) or print_aliases(void) functions fail to correctly detect the end of the linked list and attempt to access non-existent list members. This issue is related to the init_aliases function in diraliases.c (GitHub Security Lab, NVD).
The vulnerability stems from a failure to properly initialize the linked list tail pointer in the init_aliases function within diraliases.c. Specifically, the next member of the last item in the linked list is not set to NULL, causing subsequent operations to attempt accessing invalid memory locations. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).
The vulnerability could result in out-of-bounds (OOB) reads and potential information disclosure. When exploited, it may allow attackers to access sensitive information and potentially trigger a Denial of Service condition against the Pure-FTPd server (GitHub Security Lab, Gentoo Security).
The vulnerability was fixed by adding tail->next = NULL for the last item of the linked list. The fix was implemented in version 1.0.49-r2 and later releases. Various distributions have released security updates, including Ubuntu 16.04 ESM (version 1.0.36-3.2+deb8u1build0.16.04.1) and Debian 8 Jessie (version 1.0.36-3.2+deb8u1). Users should upgrade to the patched versions (Ubuntu Security, Debian LTS).
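A minimal model of the bug class and the fix described above, added here as an illustration; it is not Pure-FTPd's code. The Alias struct, build_aliases, walk_length and the "stale" node standing in for leftover heap contents are hypothetical names, and the sample aliases are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of an alias list; all names here are hypothetical. */
typedef struct Alias {
    const char *alias, *dir;
    struct Alias *next;
} Alias;

/* Stand-in for stale heap contents: a valid object, so the demo stays
 * well-defined while still showing the walk running past the tail. */
static Alias stale = { "<stale>", "<stale>", NULL };

/* Build the list; terminate=0 reproduces the missing tail->next = NULL. */
static Alias *build_aliases(const char *pairs[][2], size_t n, int terminate)
{
    Alias *head = NULL, *tail = NULL;
    for (size_t i = 0; i < n; i++) {
        Alias *node = malloc(sizeof *node);
        if (node == NULL) abort();
        node->alias = pairs[i][0];
        node->dir = pairs[i][1];
        node->next = &stale;            /* models uninitialized memory */
        if (head == NULL) head = node; else tail->next = node;
        tail = node;
    }
    if (terminate && tail != NULL) tail->next = NULL;   /* the fix */
    return head;
}

/* Number of nodes a NULL-terminated walk visits while searching for
 * name; a count above the real list length means it left the list. */
static size_t walk_length(const Alias *head, const char *name)
{
    size_t visited = 0;
    for (const Alias *cur = head; cur != NULL; cur = cur->next) {
        visited++;
        if (strcmp(cur->alias, name) == 0) break;
    }
    return visited;
}

/* Constructed sample data. */
static const char *sample[][2] = { {"pub", "/srv/pub"}, {"docs", "/srv/docs"} };
int main(void)
{
    printf("unterminated: %zu\n", walk_length(build_aliases(sample, 2, 0), "none"));
    printf("terminated:   %zu\n", walk_length(build_aliases(sample, 2, 1), "none"));
    return 0;
}
```

In a real process the unterminated tail holds whatever the allocator left in that field, so the extra step reads arbitrary memory or crashes instead of landing on a known node.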
Source: This report was generated using AI