Date: Thu, 6 Jul 2000 12:53:32 -0600 (MDT)
From: Paul Hart <hart@iserver.com>
To: Brett Glass <brett@lariat.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ftpd and setproctitle()
Message-ID: <Pine.BSF.4.21.0007061243450.28924-100000@anchovy.orem.iserver.com>
In-Reply-To: <4.3.2.7.2.20000706113724.04789470@localhost>

On Thu, 6 Jul 2000, Brett Glass wrote:

> Since the 2.x and 3.x sources are now offline, and most users do not
> install full source, it may be difficult to close the hole on many
> users' systems if it exists in older versions of FreeBSD.

Why not try browsing the CVS repository on the FreeBSD web site?

The specific hole (which appears to have been in both NetBSD and OpenBSD
up until just a day or two ago) is due to using:

    setproctitle(title);

instead of:

    setproctitle("%s", title);

The FreeBSD usage of setproctitle() in ftpd seems to have been fixed quite
some time ago (in 1995), between versions 1.13 and 1.14 of ftpd.c:

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c.diff?r1=1.13&r2=1.14

I'd say FreeBSD has been safe since 1995. :-)

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
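
The difference between the two calls quoted in the message, as an added example that is not part of the original e-mail or of FreeBSD's ftpd.c. `title_set` is a hypothetical stand-in for setproctitle() that formats into a buffer so the result can be checked, and the sample title is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for setproctitle(3): same printf-style contract,
 * but it formats into a caller buffer so the result can be inspected. */
static void title_set(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Pattern from the message: client-influenced text is used as the format. */
void title_unsafe(char *out, size_t n, const char *t) { title_set(out, n, t); }

/* Fixed pattern: constant format, the text is passed as data. */
void title_safe(char *out, size_t n, const char *t) { title_set(out, n, "%s", t); }

/* Returns 1 if the title comes out byte-for-byte unchanged, else 0. */
int verbatim(void (*set)(char *, size_t, const char *), const char *title)
{
    char buf[128];
    set(buf, sizeof buf, title);
    return strcmp(buf, title) == 0;
}

/* Count '%' directives that would make a printf-style function fetch an
 * argument the caller never supplied ("%%" is a literal and fetches none). */
int arg_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s == '%' && s[1] == '%')
            s++;                /* literal "%%": skip its second '%' */
        else if (*s == '%')
            count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample; only "%%" is used so no missing argument is read. */
    const char *t = "guest%%site: RETR 100%%.txt";
    printf("unsafe verbatim=%d, safe verbatim=%d, directives in \"%%x%%x%%n\"=%d\n",
           verbatim(title_unsafe, t), verbatim(title_safe, t), arg_directives("%x%x%n"));
    return 0;
}
```

Declaring printf-style wrappers with the GCC/Clang `format(printf, ...)` attribute lets `-Wformat-security` flag the first form at compile time.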