Date: Sat, 24 Jun 2000 10:32:21 +0900
From: Koga Youichirou <y-koga@jp.FreeBSD.org>
To: wollman@khavrinen.lcs.mit.edu
Cc: silby@silby.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
Message-ID: <20000624013253.13481.qmail@smtp.246.ne.jp>
In-Reply-To: <200006231713.NAA49665@khavrinen.lcs.mit.edu>
References: <4.2.2.20000622201823.0479a690@mail.sentex.net> <Pine.BSF.4.21.0006222230390.65791-100000@achilles.silby.com> <200006231713.NAA49665@khavrinen.lcs.mit.edu>
Garrett Wollman <wollman@khavrinen.lcs.mit.edu>:
> Here's a patch (mangled by cut&paste) which hacks around the problem.

The Debian team has already released a fixed package. A patch is available from:
http://security.debian.org/dists/potato/updates/main/source/wu-ftpd_2.6.0-5.1.diff.gz

Then I checked it and found that there are some other undesirable pieces of code in ftpd.c. These probably do not lead to a security flaw, but I think that they should be corrected. The following patch corrects them (incl. a part of Debian's patch), and I have sent it to the wu-ftpd development team.

Index: ftpcmd.y =================================================================== RCS file: /usr/cvs/src/wu-ftpd/src/ftpcmd.y,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 ftpcmd.y --- ftpcmd.y 1999/10/21 11:50:51 1.1.1.1 +++ ftpcmd.y 2000/06/23 08:19:30 @@ -1926,13 +1926,13 @@ } if (!maxfound) maxlines = defmaxlines; - lreply(200, cmd); + lreply(200, "%s", cmd); while (fgets(buf, sizeof buf, cmdf)) { size_t len = strlen(buf); if (len > 0 && buf[len - 1] == '\n') buf[--len] = '\0'; - lreply(200, buf); + lreply(200, "%s", buf); if (maxlines <= 0) ++lines; else if (++lines >= maxlines) { Index: ftpd.c =================================================================== RCS file: /usr/cvs/src/wu-ftpd/src/ftpd.c,v retrieving revision 1.1.1.1.2.10 diff -u -r1.1.1.1.2.10 ftpd.c --- ftpd.c 2000/03/17 02:01:57 1.1.1.1.2.10 +++ ftpd.c 2000/06/23 08:47:21 @@ -2012,9 +2012,9 @@ s = strsep(&cp, "\n"); if (cp == NULL || *cp == '\0') break; - lreply(331, s); + lreply(331, "%s", s); } - reply(331, s); + reply(331, "%s", s); } else { #endif @@ -2495,7 +2495,7 @@ #ifdef BSD_AUTH if (ext_auth) { if ((salt = check_auth(the_user, passwd))) { - reply(530, salt); + reply(530, "%s", salt); #ifdef LOG_FAILED /* 27-Apr-93 EHK/BM */ syslog(LOG_INFO, "failed login from %s", remoteident); 
@@ -3160,7 +3160,7 @@ reply(230, "User %s logged in.%s", pw->pw_name, guest ? " Access restrictions apply." : ""); sprintf(proctitle, "%s: %s", remotehost, pw->pw_name); - setproctitle(proctitle); + setproctitle("%s", proctitle); if (logging) syslog(LOG_INFO, "FTP LOGIN FROM %s, %s", remoteident, pw->pw_name); /* H* mod: if non-anonymous user, copy it to "authuser" so everyone can @@ -5908,7 +5908,7 @@ remotehost[sizeof(remotehost) - 1] = '\0'; sprintf(proctitle, "%s: connected", remotehost); - setproctitle(proctitle); + setproctitle("%s", proctitle); wu_authenticate(); /* Create a composite source identification string, to improve the logging @@ -6318,7 +6318,7 @@ dirlist = ftpglob(whichfiles); sdirlist = dirlist; /* save to free later */ if (globerr != NULL) { - reply(550, globerr); + reply(550, "%s", globerr); goto globfree; } else if (dirlist == NULL) {

Regards,
--
Koga, Youichirou

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
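Review bot: Nothing here stops the next reply()/lreply() call from passing a run-time string as the format again, as the two lreply(200, ...) lines in the -1926 hunk of ftpcmd.y did; buf in particular is filled by fgets() from cmdf, so its content is whatever the command wrote. Suggest annotating the prototypes of reply() and lreply() with a printf format attribute (format string at argument 2) so the compiler can flag a non-literal format at any remaining or future call site.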
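Review bot: The sprintf(proctitle, "%s: %s", remotehost, pw->pw_name) in the context line just above the changed setproctitle() call in the -3160 hunk of ftpd.c is left unbounded, and the hunk does not show how large proctitle is. Suggest either bounding it with snprintf() against the size of proctitle or, if proctitle is not read elsewhere, dropping the intermediate buffer and calling setproctitle("%s: %s", remotehost, pw->pw_name) directly.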
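Review bot: The -5908 hunk of ftpd.c keeps an unbounded sprintf() into proctitle as well: remotehost is explicitly terminated at sizeof(remotehost) - 1 in the preceding context line, but the copy still relies on proctitle being at least as large as remotehost plus the ": connected" suffix. A bounded snprintf(), or passing the format straight through as setproctitle("%s: connected", remotehost), would remove that dependency.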
