====================================================================
CERT-Renater Note d'Information No. 2020/VULN263
_____________________________________________________________________

DATE : 13/05/2020
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache NuttX versions prior to 9.0.0.

=====================================================================

http://mail-archives.apache.org/mod_mbox/nuttx-dev/202005.mbox/%3c8c00e514bbe475d51a3b3827e31dc84eade0ea9c.camel@apache.org%3e

_____________________________________________________________________

CVE-2020-1939: Apache NuttX optional/example ftpd program NULL pointer bug

Severity: Important

Vendor: Apache NuttX (Incubating)

Versions Affected: 6.15 to 8.2 (all pre-date NuttX joining the Apache.org Incubator)

Description:
The Apache NuttX (Incubating) project provides an optional separate "apps" repository which contains various optional components and example programs. One of these, ftpd, had a NULL pointer dereference bug. The NuttX RTOS itself is not affected. Users of the optional apps repository are affected only if they have enabled ftpd.

Mitigation:
Users of affected versions should upgrade to 9.0.0 or apply the following patch:
https://patch-diff.githubusercontent.com/raw/apache/incubator-nuttx-apps/pull/10.patch

Credit:
This issue was discovered by Jakub Botwicz of Samsung R&D Poland.

References:
https://bitbucket.org/nuttx/apps-old/issues/15/null-dereference-in-ftp-size-command
https://github.com/apache/incubator-nuttx-apps/pull/10

Regards,
Brennan Ashton

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44        +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41        +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
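The advisory names the bug class (a NULL pointer dereference in ftpd's handling of the FTP SIZE command, per the referenced issue title) but does not reproduce the affected code. The following is an added illustration written for this note; it is not the NuttX apps ftpd source nor the content of pull request 10. It models a SIZE handler in which a path-resolution helper (here a hypothetical resolve_path, standing in for whatever the real server uses) can return NULL for a missing or malformed argument. The unchecked handler hands that NULL straight to a stat-like call, which is the shape of the bug; the checked handler maps each failure to an FTP reply code instead. The file table, sizes and paths are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the file system: a real ftpd would call stat().
   Paths and sizes are made up for this example. */
struct fake_file { const char *path; long size; };
static const struct fake_file g_files[] = {
    { "/srv/ftp/readme.txt",    1234 },
    { "/srv/ftp/pub/image.bin", 8192 },
};

/* Returns the argument part of a command line such as "SIZE readme.txt",
   or NULL when the client sent the verb with no argument at all. */
static const char *command_arg(const char *line)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL) return NULL;
    while (*sp == ' ') sp++;
    return *sp ? sp : NULL;
}

/* Hypothetical path resolver (an assumption of this example, not the
   NuttX ftpd helper).  Returns a malloc'd absolute path, or NULL when the
   argument is missing or tries to climb above the server root. */
static char *resolve_path(const char *root, const char *arg)
{
    if (arg == NULL || arg[0] == '\0' || strstr(arg, "..") != NULL)
        return NULL;
    if (*arg == '/') arg++;
    size_t n = strlen(root) + 1 + strlen(arg) + 1;
    char *out = malloc(n);
    if (out == NULL) return NULL;
    snprintf(out, n, "%s/%s", root, arg);
    return out;
}

/* Stand-in for stat(): 0 and *size on success, -1 when the path is unknown.
   Like stat(), it assumes abspath is a valid pointer. */
static int fake_stat_size(const char *abspath, long *size)
{
    for (size_t i = 0; i < sizeof g_files / sizeof g_files[0]; i++) {
        if (strcmp(g_files[i].path, abspath) == 0) {
            *size = g_files[i].size;
            return 0;
        }
    }
    return -1;
}

/* Vulnerable shape: the resolver's result is passed straight to the
   stat-like call, so a bare "SIZE" (resolve_path -> NULL) dereferences
   NULL inside fake_stat_size.  Kept only to show the bug class; do not
   feed it untrusted input. */
int size_command_unchecked(const char *root, const char *line, long *size_out)
{
    char *path = resolve_path(root, command_arg(line));
    long size;
    int rc = fake_stat_size(path, &size);   /* crashes when path == NULL */
    free(path);
    if (rc != 0) return 550;
    if (size_out) *size_out = size;
    return 213;
}

/* Hardened shape: every pointer that may be NULL is checked before use and
   each failure is mapped to an FTP reply (RFC 959 / RFC 3659 codes):
   501 for a missing or bad argument, 550 for a file that is not there,
   213 <size> on success. */
int size_command_checked(const char *root, const char *line, long *size_out)
{
    const char *arg = command_arg(line);
    if (arg == NULL) return 501;

    char *path = resolve_path(root, arg);
    if (path == NULL) return 501;

    long size;
    int rc = fake_stat_size(path, &size);
    free(path);
    if (rc != 0) return 550;

    if (size_out) *size_out = size;
    return 213;
}

/* Size the hardened handler would report for a command line, or -1. */
long reported_size(const char *root, const char *line)
{
    long size = -1;
    return size_command_checked(root, line, &size) == 213 ? size : -1;
}

int main(void)
{
    const char *lines[] = { "SIZE readme.txt", "SIZE pub/image.bin",
                            "SIZE", "SIZE ../etc/passwd", "SIZE nope" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long size = 0;
        int code = size_command_checked("/srv/ftp", lines[i], &size);
        if (code == 213) printf("%-20s -> 213 %ld\n", lines[i], size);
        else             printf("%-20s -> %d\n", lines[i], code);
    }
    return 0;
}
```

The point worth carrying over to real code: a request handler that can be reached by any network peer must treat every helper that returns a pointer (path resolution, lookups, allocations) as fallible, and the check belongs at the call site in the handler, not on the assumption that the helper "always succeeds for well-formed input", because the peer controls whether the input is well-formed.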