Date:      Wed, 28 Nov 2001 12:25:52 +0900 (JST)
From:      Koga Youichirou <y-koga@jp.FreeBSD.org>
To:        mike@sentex.net
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: wu-ftpd ?
Message-ID:  <20011128.122552.45455442.y-koga@jp.FreeBSD.org>
In-Reply-To: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12>
References:  <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12>

Mike Tancsa <mike@sentex.net>:
> I guess the post below relates to what was on bugtraq last week about
> the mysterious new wu-ftpd vulnerability. I still don't see anything on
> wu-ftpd's site about it.  Is this something specific to LINUX then ? Anyone 
> have any info ?

Following is RedHat's patch:

--- wu-ftpd/src/glob.c.sec	Thu May 31 09:30:36 2001
+++ wu-ftpd/src/glob.c	Wed Nov 21 18:22:17 2001
@@ -309,7 +309,7 @@
 	if (lm >= restbufend)
 	    return (0);
     }
-    for (pe = ++p; *pe; pe++)
+    for (pe = ++p; *pe; pe++) {
 	switch (*pe) {
 
 	case '{':
@@ -325,11 +325,19 @@
 	case '[':
 	    for (pe++; *pe && *pe != ']'; pe++)
 		continue;
+	    if (!*pe) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;
 	}
+    }
   pend:
-    brclev = 0;
-    for (pl = pm = p; pm <= pe; pm++)
+    if (brclev || !*pe) {
+	globerr = "Missing }";
+	return (0);
+    }
+    for (pl = pm = p; pm <= pe; pm++) {
 	switch (*pm & (QUOTE | TRIM)) {
 
 	case '{':
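Review bot: The two new error exits, `return (0)` after `globerr = "Missing ]"` and after `globerr = "Missing }"`, return the same value as the existing buffer-full exit at the top of the function and the fall-through at its end, so a malformed pattern is only visible to a caller that also tests globerr. The callers are not on this page, so whether they all do is unverified; the same convention recurs at the two later "Missing ]" exits in this patch. I would state the contract in the function's header comment, e.g. `/* Returns 0 for "no match" and for a malformed pattern; in the latter case globerr is set and the caller must check it. */`. A one-line comment on the first guard would also help the next reader: `/* unterminated '[': pe is on the NUL, and the outer pe++ would step past it */`. The function starts above this hunk and continues below it.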
@@ -365,19 +373,18 @@
 		return (1);
 	    sort();
 	    pl = pm + 1;
-	    if (brclev)
-		return (0);
 	    continue;
 
 	case '[':
 	    for (pm++; *pm && *pm != ']'; pm++)
 		continue;
-	    if (!*pm)
-		pm--;
+	    if (!*pm) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;
 	}
-    if (brclev)
-	goto doit;
+    }
     return (0);
 }
 
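Review bot: The `if (!*pm)` exit added in the `'['` case of the second loop looks unreachable now, because the first pass walks the same range with the same bracket scan and already returns on an unterminated `[`. That assumes the `& (QUOTE | TRIM)` mask does not change which bytes compare equal to `'['`, which the page does not show. Keeping the check as a second line of defence is reasonable, but it should say so: `/* defensive: the first pass already rejected an unterminated '[' */`. Without the comment, a later edit to the first loop can quietly make this the only guard, or a reader may delete it as dead code. The function begins above this hunk.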
@@ -429,11 +436,10 @@
 		else if (scc == (lc = cc))
 		    ok++;
 	    }
-	    if (cc == 0)
-		if (ok)
-		    p--;
-		else
-		    return 0;
+	    if (cc == 0) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;
 
 	case '*':
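Review bot: The new `cc == 0` exit runs only after the `while` loop has read its terminating byte, so it does not cover a character range whose upper bound is missing. The range branch sits above this hunk. If it reads its upper bound the way the Gmatch copy removed further down does (`scc <= *p++`), a class that ends right after `-` moves p past the NUL, and the loop's next `*p++` reads beyond the pattern before this check is reached. I would test the bound before consuming it, at the top of the `cc == '-'` branch: `if (*p == 0) { globerr = "Missing ]"; return (0); }`. The enclosing function starts and ends outside the hunk.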
@@ -486,67 +492,6 @@
     }
 }
 
-/* This function appears to be unused, so why waste time and space on it? */
-#if 0 == 1
-static int Gmatch(register char *s, register char *p)
-{
-    register int scc;
-    int ok, lc;
-    int c, cc;
-
-    for (;;) {
-	scc = *s++ & TRIM;
-	switch (c = *p++) {
-
-	case '[':
-	    ok = 0;
-	    lc = 077777;
-	    while (cc = *p++) {
-		if (cc == ']') {
-		    if (ok)
-			break;
-		    return (0);
-		}
-		if (cc == '-') {
-		    if (lc <= scc && scc <= *p++)
-			ok++;
-		}
-		else if (scc == (lc = cc))
-		    ok++;
-	    }
-	    if (cc == 0)
-		if (ok)
-		    p--;
-		else
-		    return 0;
-	    continue;
-
-	case '*':
-	    if (!*p)
-		return (1);
-	    for (s--; *s; s++)
-		if (Gmatch(s, p))
-		    return (1);
-	    return (0);
-
-	case 0:
-	    return (scc == 0);
-
-	default:
-	    if ((c & TRIM) != scc)
-		return (0);
-	    continue;
-
-	case '?':
-	    if (scc == 0)
-		return (0);
-	    continue;
-
-	}
-    }
-}
-#endif /* Gmatch exclusion */
-
 static void Gcat(register char *s1, register char *s2)
 {
     register size_t len = strlen(s1) + strlen(s2) + 1;


-- Koga, Youichirou

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



