From owner-freebsd-isp Sat Jan 11 18:51:55 1997
Return-Path:
Received: (from root@localhost)
    by freefall.freebsd.org (8.8.4/8.8.4) id SAA26518
    for isp-outgoing; Sat, 11 Jan 1997 18:51:55 -0800 (PST)
Received: from root.com (implode.root.com [198.145.90.17])
    by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id SAA26513
    for ; Sat, 11 Jan 1997 18:51:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
    by root.com (8.7.6/8.6.5) with SMTP id SAA23491;
    Sat, 11 Jan 1997 18:50:20 -0800 (PST)
Message-Id: <199701120250.SAA23491@root.com>
X-Authentication-Warning: implode.root.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: Steve Reid
cc: freebsd-isp@freebsd.org
Subject: Re: serious security bug in wu-ftpd v2.4 (fwd)
In-reply-to: Your message of "Wed, 08 Jan 1997 15:10:55 PST."
From: David Greenman
Reply-To: dg@root.com
Date: Sat, 11 Jan 1997 18:50:20 -0800
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Since David Greenman's patch was posted here, I figure this should be
>posted here as well...
>
>---------- Forwarded message ----------
>Date: Tue, 7 Jan 1997 23:02:51 -0500 (EST)
>From: Wietse Venema
>Reply-To: best-of-security@suburbia.net
>To: best-of-security@suburbia.net
>Cc: wu-ftpd-bugs@academ.com, best-of-security@suburbia.net
>Subject: BoS: serious security bug in wu-ftpd v2.4
>Resent-Date: Wed, 8 Jan 1997 18:44:21 +1100 (EST)
>Resent-From: best-of-security@suburbia.net
>
>Two brief comments on the patches that were suggested so far.
>
>- The patch proposed by David Greenman (clear the transflag variable
>in function dologout()) makes the window of opportunity much smaller,
>but does not close it. The hole still exists. It's just smaller.

   I disagree with Wietse's assertion that my patch is insufficient and I
don't think that all of the extra signal blocking code is necessary.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project