From owner-freebsd-ports-bugs@FreeBSD.ORG  Mon Dec 11 04:30:07 2006
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 9612D16A417
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Mon, 11 Dec 2006 04:30:07 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A91B543CA3
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Mon, 11 Dec 2006 04:28:51 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kBB4U5Ss085470
	for <freebsd-ports-bugs@freefall.freebsd.org>;
	Mon, 11 Dec 2006 04:30:05 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kBB4U5B4085469;
	Mon, 11 Dec 2006 04:30:05 GMT (envelope-from gnats)
Resent-Date: Mon, 11 Dec 2006 04:30:05 GMT
Resent-Message-Id: <200612110430.kBB4U5B4085469@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	"Sergey N. Voronkov" <serg@tmn.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 7863F16A407
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 11 Dec 2006 04:29:25 +0000 (UTC) (envelope-from serg@tmn.ru)
Received: from sbtx.tmn.ru (sbtx.tmn.ru [212.76.160.49])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F2F2443CA6
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 11 Dec 2006 04:28:08 +0000 (GMT) (envelope-from serg@tmn.ru)
Received: from sv.tech.sibitex.tmn.ru (sv.tech.sibitex.tmn.ru [10.76.160.59])
	by sbtx.tmn.ru (8.13.6/8.13.6) with ESMTP id kBB4TJcb003889
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 11 Dec 2006 09:29:20 +0500 (YEKT) (envelope-from serg@tmn.ru)
Received: from sv.tech.sibitex.tmn.ru (localhost.tech.sibitex.tmn.ru
	[127.0.0.1])
	by sv.tech.sibitex.tmn.ru (8.13.8/8.13.8) with ESMTP id kBB4TJTO019459
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 11 Dec 2006 09:29:19 +0500 (YEKT)
	(envelope-from serg@sv.tech.sibitex.tmn.ru)
Received: (from serg@localhost)
	by sv.tech.sibitex.tmn.ru (8.13.8/8.13.8/Submit) id kBB4TJpH019458;
	Mon, 11 Dec 2006 09:29:19 +0500 (YEKT) (envelope-from serg)
Message-Id: <200612110429.kBB4TJpH019458@sv.tech.sibitex.tmn.ru>
Date: Mon, 11 Dec 2006 09:29:19 +0500 (YEKT)
From: "Sergey N. Voronkov" <serg@tmn.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: ports/106594: ftp/tnftpd - fix critical bug
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "Sergey N. Voronkov" <serg@tmn.ru>
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Dec 2006 04:30:07 -0000


>Number:         106594
>Category:       ports
>Synopsis:       ftp/tnftpd - fix critical bug
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 11 04:30:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Sergey N. Voronkov
>Release:        FreeBSD 6.2-RC1 i386
>Organization:
Sibitex Ltd.
>Environment:
System: FreeBSD sv.tech.sibitex.tmn.ru 6.2-RC1 FreeBSD 6.2-RC1 #1: Fri Dec 8 12:12:23 YEKT 2006 serg@sv.tech.sibitex.tmn.ru:/usr/obj/usr/src/sys/SV i386

>Description:
	Fix a root exploit:

	http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051009.html

>How-To-Repeat:
	See above URL.
>Fix:
diff -ruN tnftpd.orig/Makefile tnftpd/Makefile
--- tnftpd.orig/Makefile        Sun May  7 17:09:21 2006
+++ tnftpd/Makefile     Mon Dec 11 09:16:48 2006
@@ -7,6 +7,7 @@
 
 PORTNAME=      tnftpd
 PORTVERSION=   20040810
+PORTREVISION=  1
 CATEGORIES=    ftp ipv6
 MASTER_SITES=  ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp/
 
diff -ruN tnftpd.orig/files/patch-libnetbsd-glob.c
tnftpd/files/patch-libnetbsd-glob.c
--- tnftpd.orig/files/patch-libnetbsd-glob.c    Thu Jan  1 05:00:00 1970
+++ tnftpd/files/patch-libnetbsd-glob.c Mon Dec 11 09:16:19 2006
@@ -0,0 +1,13 @@
+--- libnetbsd/glob.c-orig      Mon Dec 11 09:13:10 2006
++++ libnetbsd/glob.c   Mon Dec 11 09:14:16 2006
+@@ -497,7 +497,9 @@
+        * we save one character so that we can use ptr >= limit,
+        * in the general case when we are appending non nul chars only.
+        */
+-      return(glob2(pathbuf, pathbuf, pathbuf + sizeof(pathbuf) - 1,
pattern,
++      return(glob2(pathbuf, pathbuf,
++                   pathbuf + (sizeof(pathbuf) / sizeof(*pathbuf)) - 1,
++                   pattern,
+           pglob, limit));
+ }
+ 
      

>Release-Note:
>Audit-Trail:
>Unformatted: