CVE-2020-9365: 
Pure-FTPd vulnerability analysis and mitigation

An out-of-bounds (OOB) read vulnerability was discovered in Pure-FTPd version 1.0.49, specifically in the pure_strcmp function within utils.c. The vulnerability was identified on February 24, 2020, and was assigned CVE-2020-9365. The issue affects Pure-FTPd installations on multiple platforms including Fedora 30, 31, 32, and various other Linux distributions (NVD).

The vulnerability is characterized by an out-of-bounds read condition in the pure_strcmp function located in utils.c. The issue occurs because the original implementation did not properly handle cases where the length of the second string (s2) could be greater than the length of the first string (s1). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating it is network-accessible, requires low attack complexity, and needs no privileges or user interaction (NVD).

The vulnerability could potentially lead to information disclosure through the out-of-bounds read operation. According to the CVSS metrics, while the vulnerability has high impact on confidentiality, it does not affect system integrity or availability (NVD).

The vulnerability has been patched in subsequent versions of Pure-FTPd. The fix involves properly comparing string lengths before performing the comparison operation, as implemented in the GitHub commits. Users are advised to upgrade to version 1.0.49-r2 or later. For Gentoo users, the recommended action is to execute 'emerge --sync' followed by 'emerge --ask --oneshot --verbose ">=net-ftp/pure-ftpd-1.0.49-r2"' (Gentoo Advisory).