Date: Thu, 06 Jul 2000 11:49:06 -0600
From: Brett Glass <brett@lariat.org>
To: security@FreeBSD.ORG
Subject: Re: ftpd and setproctitle()
Message-ID: <4.3.2.7.2.20000706113724.04789470@localhost>
In-Reply-To: <200007060905.e6695iF29634@cvs.openbsd.org>
At 03:05 AM 7/6/2000, Theo de Raadt wrote [on Bugtraq]:

>Well, while everyone is talking about setproctitle affecting wuftpd,
>I should probably note that it even affects the OpenBSD ftpd. In fact,
>looking around, it looks like it might affect everyone's ftpd.
>
>Our patch is at
>
> http://www.openbsd.org/errata.html#ftpd
>
>We're currently going through our tree looking for *printf(), err*(),
>warn*(), syslog(), setproctitle(), and even curses *print*() functions
>that might have issues like this. We did this before for the *printf
>family, perhaps 3 years ago, but even now we are discovering a few that
>we have missed.
>
>It's scary, and quite a bit of work to check every such call. They
>happen a lot..

FreeBSD-current's ftpd already seems to have the correct arguments for
setproctitle. But do earlier versions require patching? (Alas, the sources
for earlier versions do not appear to be on any of Walnut Creek's servers,
so I can't tell.)

Could folks who have sources for 2.2.8, 3.4, 3.5, and 4.0 handy check
this? (I usually do not install full sources, and so am missing some of
these.)

Since the 2.x and 3.x sources are now offline, and most users do not
install full source, it may be difficult to close the hole on many users'
systems if it exists in older versions of FreeBSD.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
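The audit Theo describes above (walking a source tree for *printf(), err*(), warn*(), syslog(), setproctitle() and curses print calls whose format argument is not a fixed string) can be given a first mechanical pass. The following is an added example written for this archive page; it is not code from the thread, from OpenBSD or from FreeBSD. It assumes each call sits on a single line, recognises only the functions listed in FORMAT_ARG_INDEX (with the format-argument positions those functions have in the BSD libc and curses APIs), and runs over a constructed C fragment rather than any real ftpd source. Anything it flags still needs a human to decide whether the non-literal format can carry untrusted data.

```python
"""Flag C calls to format-string functions whose format argument is not a
string literal, the pattern behind the setproctitle()/syslog() ftpd bugs.

Added example, not code from the thread or from any BSD project. Assumes
one call per line; the sample source at the bottom is constructed."""
import re

# 0-based position of the format argument for each function of interest
# (positions follow the BSD libc / curses prototypes).
FORMAT_ARG_INDEX = {
    "printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
    "syslog": 1, "err": 1, "errx": 1, "warn": 0, "warnx": 0,
    "setproctitle": 0,
    "printw": 0, "wprintw": 1, "mvprintw": 2,
}

CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")


def split_args(text):
    """Split the text that follows a call's '(' into top-level arguments,
    honouring nested parentheses and double-quoted string literals.
    Returns (args, ok); ok is False when no closing ')' is found."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            cur.append(c)
            if c == "\\" and i + 1 < len(text):   # keep escaped char verbatim
                cur.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur.append(c)
        elif c == "(":
            depth += 1
            cur.append(c)
        elif c == ")":
            if depth == 0:                        # end of this call's arguments
                args.append("".join(cur).strip())
                return [a for a in args if a], True
            depth -= 1
            cur.append(c)
        elif c == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    return [], False


def is_string_literal(arg):
    """True if the argument is one or more adjacent C string literals."""
    return bool(re.fullmatch(r'(\s*"(?:[^"\\]|\\.)*"\s*)+', arg))


def audit_source(source):
    """Return (line_no, function, format_arg) for every recognised call
    whose format argument is neither a string literal nor NULL."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            args, ok = split_args(line[m.end():])
            idx = FORMAT_ARG_INDEX[func]
            if not ok or idx >= len(args):
                continue      # multi-line or malformed call: out of scope here
            fmt = args[idx]
            # setproctitle(NULL) is the documented way to clear the title.
            if is_string_literal(fmt) or fmt == "NULL":
                continue
            findings.append((line_no, func, fmt))
    return findings


# Constructed sample: two unsafe calls among safe ones.
SAMPLE_SOURCE = '''\
setproctitle("%s: %s", remotehost, proctitle);   /* safe: literal format */
setproctitle(proctitle);                          /* unsafe: data as format */
syslog(LOG_ERR, "login from %s", remotehost);     /* safe */
syslog(LOG_ERR, msg);                             /* unsafe */
snprintf(buf, sizeof(buf), "%s", cmd);            /* safe */
warnx("bad command: %s", cmd);                    /* safe */
setproctitle(NULL);                               /* safe: clears the title */
'''

if __name__ == "__main__":
    for line_no, func, fmt in audit_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {func}() format argument is not a literal: {fmt}")
```

Run as-is it reports lines 2 and 4 of the constructed sample; pointed at a real tree (one file at a time through audit_source) it gives the candidate list for the manual review Theo describes. The fix for a genuine finding is the one FreeBSD-current's ftpd already has: pass the data through a literal format, e.g. setproctitle("%s", proctitle).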
