From owner-freebsd-security Tue Dec 4 16:58:02 2001
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id D47DA37B417; Tue, 4 Dec 2001 16:57:52 -0800 (PST)
Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id fB50vh419563; Tue, 4 Dec 2001 19:57:43 -0500 (EST) (envelope-from str)
Date: Tue, 4 Dec 2001 19:57:43 -0500 (EST)
From: Igor Roshchin
Message-Id: <200112050057.fB50vh419563@giganda.komkon.org>
To: security-officer@freebsd.org, security@freebsd.org
Subject: Re: FreeBSD Ports Security Advisory FreeBSD-SA-01:64.wu-ftpd
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

It appears that between the time the initial patch was implemented and the time this advisory was released, a different set of patches was made, which appears to be based on the patches released by the WU-FTPD team (Nov. 29 or 30). This patch brought the patch level to 8 (2.6.1_8). So by the time the advisory was released, it had information that is somewhat out-of-date. Probably it needs correction.
Also, ftp.freebsd.org still has old, vulnerable versions of the packages:

-rw-r--r-- 1 1006 1006 107717 Nov 28 09:23 wu-ftpd-2.6.1_6.tgz
in /pub/FreeBSD/ports/i386/packages-4-stable/All

and

-rw-r--r-- 1 1006 1006 107869 Nov 22 09:59 wu-ftpd-2.6.1_6.tgz
in /pub/FreeBSD/ports/i386/packages-5-current/All

Regards,
Igor

Igor Roshchin
KomKon Sites

> From owner-freebsd-security@FreeBSD.ORG Tue Dec 4 14:02:15 2001
> Date: Tue, 4 Dec 2001 10:54:18 -0800 (PST)
> From: FreeBSD Security Advisories
> To: FreeBSD Security Advisories
> Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:64.wu-ftpd
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-01:64                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          wu-ftpd port contains remote root compromise
>
> Category:       ports
> Module:         wu-ftpd
> Announced:      2001-12-04
> Credits:        CORE Security Technologies
> Contact:        Ivan Arce (iarce@corest.com)
> Affects:        Ports collection prior to the correction date
> Corrected:      2001-11-28 10:52:26 UTC
> FreeBSD only:   NO
>
> I.   Background
>
> wu-ftpd is a popular full-featured FTP server.
>
> II.  Problem Description
>
> The wu-ftpd port, versions prior to wu-ftpd-2.6.1_7, contains a
> vulnerability which allows FTP users, both anonymous FTP users and
> those with valid accounts, to execute arbitrary code as root on
> the local machine. This may be accomplished by inserting invalid
> globbing parameters which are incorrectly parsed by the FTP server
> into command input.
>
> The wu-ftpd port is not installed by default, nor is it "part of
> FreeBSD" as such: it is part of the FreeBSD ports collection, which
> contains over 6000 third-party applications in a ready-to-install
> format. The ports collection shipped with FreeBSD 4.4 contains this
> problem since it was discovered after the release.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security
> audit of the most security-critical ports.
>
> III. Impact
>
> FTP users, including anonymous FTP users, can cause arbitrary commands
> to be executed as root on the local machine.
>
> If you have not chosen to install the wu-ftpd port/package, then your
> system is not vulnerable to this problem.
>
> IV.  Workaround
>
> Deinstall the wu-ftpd port/package, if you have installed it.
>
> V.   Solution
>
> One of the following:
>
> 1) Upgrade your entire ports collection and rebuild the wu-ftpd port.
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from:
>
> [i386]
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/wu-ftpd-2.6.1_7.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/wu-ftpd-2.6.1_7.tgz
>
> [alpha]
> Packages are not automatically generated for the alpha architecture at
> this time due to lack of build resources
>
> NOTE: It may be several days before updated packages are available. Be
> sure to check the file creation date on the package, because the
> version number of the software has not changed.
>
> 3) download a new port skeleton for the wu-ftpd port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in the FreeBSD ports collection.
>
> Path                                                            Revision
> - -------------------------------------------------------------------------
> ports/ftp/wu-ftpd/Makefile                                      1.41
> ports/ftp/wu-ftpd/files/patch-ap                                1.2
> - -------------------------------------------------------------------------
>
> VII. References
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iQCVAwUBPA0CA1UuHi5z0oilAQENSQP9HaHiACNyiHZtV8ILnUZWb+D01qf0wTy2
> gbZJGfKL/JTP41KLR4EpUitF5SZ+3Zjm8Ebv8XXCjCFWgIBU1xhZaXgi2U9PRLlG
> XxHKzvpGnTuBj3uJiLs2UvAbQ9Jz5Wp02u6fJV75dcbnXTPLSGRvxJZwOb2FHxnE
> MBUlG+QDpPw=
> =sp+c
> -----END PGP SIGNATURE-----
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
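The advisory's NOTE says the upstream version string did not change with the fix, so only the port revision after the underscore (and the package date) distinguishes a corrected wu-ftpd package from a vulnerable one, which is exactly the trap behind the stale wu-ftpd-2.6.1_6.tgz files Igor found on the mirror. The following shell script is an added example, not code from the advisory, from Igor's message or from the FreeBSD project: it takes "ls -l" style listing lines of the kind quoted above and reports, for each wu-ftpd package file, whether its port revision predates the corrected 2.6.1_7. It assumes the <port>-<version>_<revision>.tgz file-name scheme seen in the quoted package directories; the listing it scans is constructed sample data (the third entry is invented to show the fixed case).

```shell
#!/bin/sh
# Added example (not part of FreeBSD-SA-01:64 or the mailing-list message).
# Flags wu-ftpd package files whose port revision predates the corrected
# revision named in the advisory (wu-ftpd-2.6.1_7). The upstream version
# (2.6.1) is the same on both sides of the fix, so the revision after "_"
# is the only thing in the file name that tells them apart.

FIXED_VERSION="2.6.1"   # upstream version, unchanged by the fix
FIXED_REVISION=7        # first port revision that carries the fix

# pkg_fields FILE -> prints "<version> <revision>" (revision 0 if absent)
pkg_fields() {
    base=${1%.tgz}          # strip the package suffix
    base=${base#wu-ftpd-}   # strip the port name
    case "$base" in
        *_*) printf '%s %s\n' "${base%_*}" "${base##*_}" ;;
        *)   printf '%s 0\n' "$base" ;;
    esac
}

# pkg_status FILE -> prints vulnerable | fixed | unknown-version
pkg_status() {
    set -- $(pkg_fields "$1")
    ver=$1
    rev=$2
    if [ "$ver" != "$FIXED_VERSION" ]; then
        # a different upstream release cannot be judged by port revision alone
        echo unknown-version
    elif [ "$rev" -lt "$FIXED_REVISION" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# scan_listing: read "ls -l" lines on stdin, print a verdict per wu-ftpd package
scan_listing() {
    while read -r perms links uid gid size mon day time name; do
        case "$name" in
            wu-ftpd-*.tgz)
                printf '%-15s %s (dated %s %s %s)\n' \
                    "$(pkg_status "$name")" "$name" "$mon" "$day" "$time" ;;
        esac
    done
}

# Constructed sample listing: the two entries Igor reported plus an
# invented corrected package so that both outcomes are shown.
scan_listing <<'EOF'
-rw-r--r-- 1 1006 1006 107717 Nov 28 09:23 wu-ftpd-2.6.1_6.tgz
-rw-r--r-- 1 1006 1006 107869 Nov 22 09:59 wu-ftpd-2.6.1_6.tgz
-rw-r--r-- 1 1006 1006 108011 Dec  5 10:00 wu-ftpd-2.6.1_8.tgz
EOF
```

Pipe a real directory listing into scan_listing (for example the output of an FTP "ls -l" on the packages directory, or "ls -l" on a local package cache) to get the same verdicts on real files. A package with an unexpected upstream version is reported as unknown-version rather than guessed at, since the revision counter only orders builds of the same upstream release.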