Date: Wed, 28 Nov 2001 12:25:52 +0900 (JST) From: Koga Youichirou <y-koga@jp.FreeBSD.org> To: mike@sentex.net Cc: freebsd-security@FreeBSD.ORG Subject: Re: wu-ftpd ? Message-ID: <20011128.122552.45455442.y-koga@jp.FreeBSD.org> In-Reply-To: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> References: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12>
next in thread | previous in thread | raw e-mail | index | archive | help
Mike Tancsa <mike@sentex.net>: > I guess the post below is relates to what was on bugtraq last week about > the mysterious new wu-ftpd vulnerability. I still dont see anything on > wu-ftpd's site about it. Is this something specific to LINUX then ? Anyone > have any info ? Following is RedHat's patch: --- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001 +++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001 @@ -309,7 +309,7 @@ if (lm >= restbufend) return (0); } - for (pe = ++p; *pe; pe++) + for (pe = ++p; *pe; pe++) { switch (*pe) { case '{': @@ -325,11 +325,19 @@ case '[': for (pe++; *pe && *pe != ']'; pe++) continue; + if (!*pe) { + globerr = "Missing ]"; + return (0); + } continue; } + } pend: - brclev = 0; - for (pl = pm = p; pm <= pe; pm++) + if (brclev || !*pe) { + globerr = "Missing }"; + return (0); + } + for (pl = pm = p; pm <= pe; pm++) { switch (*pm & (QUOTE | TRIM)) { case '{': @@ -365,19 +373,18 @@ return (1); sort(); pl = pm + 1; - if (brclev) - return (0); continue; case '[': for (pm++; *pm && *pm != ']'; pm++) continue; - if (!*pm) - pm--; + if (!*pm) { + globerr = "Missing ]"; + return (0); + } continue; } - if (brclev) - goto doit; + } return (0); } @@ -429,11 +436,10 @@ else if (scc == (lc = cc)) ok++; } - if (cc == 0) - if (ok) - p--; - else - return 0; + if (cc == 0) { + globerr = "Missing ]"; + return (0); + } continue; case '*': @@ -486,67 +492,6 @@ } } -/* This function appears to be unused, so why waste time and space on it? */ -#if 0 == 1 -static int Gmatch(register char *s, register char *p) -{ - register int scc; - int ok, lc; - int c, cc; - - for (;;) { - scc = *s++ & TRIM; - switch (c = *p++) { - - case '[': - ok = 0; - lc = 077777; - while (cc = *p++) { - if (cc == ']') { - if (ok) - break; - return (0); - } - if (cc == '-') { - if (lc <= scc && scc <= *p++) - ok++; - } - else if (scc == (lc = cc)) - ok++; - } - if (cc == 0) - if (ok) - p--; - else - return 0; - continue; - - case '*': - if (!*p) - return (1); - for (s--; *s; s++) - if (Gmatch(s, p)) - return (1); - return (0); - - case 0: - return (scc == 0); - - default: - if ((c & TRIM) != scc) - return (0); - continue; - - case '?': - if (scc == 0) - return (0); - continue; - - } - } -} -#endif /* Gmatch exclusion */ - static void Gcat(register char *s1, register char *s2) { register size_t len = strlen(s1) + strlen(s2) + 1; -- Koga, Youichirou To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011128.122552.45455442.y-koga>