From owner-freebsd-security Thu Jul 6 11:53:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2]) by hub.freebsd.org (Postfix) with ESMTP id AD98D37B86B for ; Thu, 6 Jul 2000 11:53:39 -0700 (PDT) (envelope-from hart@iserver.com) Received: by gatekeeper.veriohosting.com; Thu, 6 Jul 2000 12:53:38 -0600 (MDT) Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1) id xma019859; Thu, 6 Jul 00 12:53:32 -0600 Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id MAA29641; Thu, 6 Jul 2000 12:53:32 -0600 (MDT) Date: Thu, 6 Jul 2000 12:53:32 -0600 (MDT) From: Paul Hart X-Sender: hart@anchovy.orem.iserver.com To: Brett Glass Cc: freebsd-security@FreeBSD.ORG Subject: Re: ftpd and setproctitle() In-Reply-To: <4.3.2.7.2.20000706113724.04789470@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 6 Jul 2000, Brett Glass wrote: > Since the 2.x and 3.x sources are now offline, and most users do not > install full source, it may be difficult to close the hole on many > users' systems if it exists in older versions of FreeBSD. Why not try browsing the CVS repository on the FreeBSD web site? The specific hole (which appears to have been in both NetBSD and OpenBSD up until just a day or two ago) is due to using: setproctitle(title); instead of: setproctitle("%s", title); The FreeBSD usage of setproctitle() in ftpd seems to have been fixed quite some time ago (in 1995), between versions 1.13 and 1.14 of ftpd.c: http://www.FreeBSD.org/cgi/cvsweb.cgi/src/libexec/ftpd/ftpd.c.diff?r1=1.13&r2=1.14 I'd say FreeBSD has been safe since 1995. :-) Paul Hart -- Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc. hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message