Date: Tue, 9 Feb 1999 15:29:32 -0800 (PST)
From: Matthew Dillon
Message-Id: <199902092329.PAA61825@apollo.backplane.com>
To: Igor Roshchin
Cc: security@FreeBSD.ORG
Subject: Re: Netect Advisory: palmetto.ftpd - remote root overflow (fwd)
References: <199902092244.QAA27931@alecto.physics.uiuc.edu>

Here is an excerpt from the VR10 patch:

+ A recent discussion on BUGTRAQ pointed out a buffer-overrun in the realpath
+ function. Bernard imported the FreeBSD realpath() function to correct this
+ error. This closes Stan's TODO item 1.

This infers that FreeBSD's realpath() function does not have a buffer
overflow problem. I've looked at the code, and it appears to not have
a buffer overflow problem.

-Matt

:This advisory posted to the BUGTRAQ does not mention FreeBSD.
:
:I wonder if the FreeBSD's patches fix this vulnerability,
:and if so, what was the "turn point" date.
:
:Thanks,
:
:Igor
:...
:
:% wu-ftpd
:
: Current version: 2.4.2 (beta 18), unknown release date.
: All versions through 2.4.2 (beta 18): vulnerability dependant upon
:..
:
: % wu-ftpd VR series
:
: Current version: 2.4.2 (beta 18) VR12, released January 1, 1999.
: All versions prior to 2.4.2 (beta 18) VR10: vulnerable.
: Fix: incorporated into VR10, released November 1, 1998.