From owner-freebsd-security Thu Jul 6 10:49:22 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2])
	by hub.freebsd.org (Postfix) with ESMTP id 3252837B9F2
	for ; Thu, 6 Jul 2000 10:49:18 -0700 (PDT)
	(envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2])
	by lariat.org (8.9.3/8.9.3) with ESMTP id LAA26610
	for ; Thu, 6 Jul 2000 11:49:13 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000706113724.04789470@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 06 Jul 2000 11:49:06 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Re: ftpd and setproctitle()
In-Reply-To: <200007060905.e6695iF29634@cvs.openbsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:05 AM 7/6/2000, Theo de Raadt wrote [on Bugtraq]:

>Well, while everyone is talking about setproctitle affecting wuftpd,
>I should probably note that it even affects the OpenBSD ftpd. In fact,
>looking around, it looks like it might affect everyone's ftpd.
>
>Our patch is at
>
>    http://www.openbsd.org/errata.html#ftpd
>
>We're currently going through our tree looking for *printf(), err*(),
>warn*(), syslog(), setproctitle(), and even curses *print*() functions
>that might have issues like this. We did this before for the *printf
>family, perhaps 3 years ago, but even now we are discovering a few that
>we have missed.
>
>It's scary, and quite a bit of work to check every such call. They
>happen a lot..

FreeBSD-current's ftpd already seems to have the correct arguments for
setproctitle. But do earlier versions require patching? (Alas, the sources
for earlier versions do not appear to be on any of Walnut Creek's servers,
so I can't tell.) Could folks who have sources for 2.2.8, 3.4, 3.5, and 4.0
handy check this? (I usually do not install full sources, and so am missing
some of these.)

Since the 2.x and 3.x sources are now offline, and most users do not install
full source, it may be difficult to close the hole on many users' systems if
it exists in older versions of FreeBSD.

--Brett
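
The source check requested above can be partly automated. The following is an added example, not part of the original message and not code from the FreeBSD or OpenBSD projects: a heuristic scanner that flags calls to the functions named in the quoted text when the format argument is not a string literal. The function table, the sample C lines and the names `split_args` and `audit` are constructed for illustration; it does not skip comments or character literals, so every hit still needs manual review.

```python
import re

# 0-based position of the format-string argument for each audited function.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1,
              "setproctitle": 0, "warn": 0, "warnx": 0, "err": 1, "errx": 1}
CALL = re.compile(r"\b(%s)\s*\(" % "|".join(FORMAT_ARG))

def split_args(src, i):
    """Split a call's arguments; i is the index just past its opening '('."""
    args, cur, depth, in_str = [], "", 0, False
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":                    # copy an escape such as \" whole
                c, i = src[i:i + 2], i + 1
            else:
                in_str = c != '"'
        elif c == '"':
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")":
            if depth == 0:                   # closing paren of the call itself
                return args + [cur.strip()]
            depth -= 1
        elif c == "," and depth == 0:        # top-level comma ends an argument
            args.append(cur.strip())
            cur, c = "", ""
        cur += c
        i += 1
    return args + [cur.strip()]

def audit(src):
    """Return (line, function, format_arg) for calls whose format is not a literal."""
    hits = []
    for m in CALL.finditer(src):
        args = split_args(src, m.end())
        pos = FORMAT_ARG[m.group(1)]
        if pos < len(args) and not args[pos].startswith('"') and args[pos] != "NULL":
            hits.append((src.count("\n", 0, m.start()) + 1, m.group(1), args[pos]))
    return hits

# Constructed sample input, not taken from any real ftpd source.
SAMPLE = '''setproctitle(title);
setproctitle("%s", title);
syslog(LOG_INFO, user);
fprintf(stderr, fmt(user, 1), host);
'''

if __name__ == "__main__":
    for line, func, arg in audit(SAMPLE):
        print(f"line {line}: {func}() format argument is not a literal: {arg}")
```

A flagged call is corrected by passing the data as an argument to a constant format, as in the `setproctitle("%s", title)` form on the second sample line.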