NetBSD-SA1999-003 wu-ftpd(8) package problems - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

What is the most important Linux security technology?

	SELinux
	grsecurity
	CIS Benchmark
	Bastille Linux
	iptables
	LIDS

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

All About Linux

DanWalsh LiveJournal

Securitydistro

Latest Newsletters

Linux Advisory Watch: June 14th, 2013

Linux Security Week: June 4th, 2013

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

NetBSD-SA1999-003 wu-ftpd(8) package problems

User Rating:

How can I rate this item?

Posted by LinuxSecurity.com Team

Security problems in wu-ftpd package fixed

-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 1999-003
                 =================================

Topic:          Security problems in wu-ftpd package fixed
Version:        Anything before wu-ftpd-2.4.2b18.2
Severity:       Remote buffer overflows in various FTP servers leads
                to potential root compromise. 


Abstract
========

Remote buffer overflows in various FTP servers leads to potential root
compromise. 


Technical Details
=================

When processing pathnames from commands such as CWD and MKD, the FTP
server realpath module would incorrectly copy beyond the end of it's
buffer.  This could happen if passed a length greater than MAXPATHLEN
(1024), or if the full real path (outside of ~ftp) was greater than
MAXPATHLEN.  This allowed a remote attack to compromise the system by
overwriting the programs stack with their own data, possibly gaining
root access.


Solutions and Workarounds
=========================

NetBSD users should update to a pkgsrc tree newer than 19990214
and make sure the version of their wu-ftpd package is at least
wu-ftpd-2.4.2b18.2. 

Binaries for NetBSD 1.3.3 and NetBSD-current are available at

        ftp://ftp.netbsd.org/pub/NetBSD/packages/1.3/
        ftp://ftp.netbsd.org/pub/NetBSD/packages/1.3.3/

and
        ftp://ftp.netbsd.org/pub/NetBSD/packages/1.3I/

respectively.


Thanks To
=========

Thanks go to Rene Hexel  for updating the
wu-ftpd package with appropriate patches to fix all buffer overruns
and to Hubert Feyrer  for
coordinating package fixing, binary package builds and the
corresponding annoucements. 


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1999, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA1999-003.txt,v 1.2 1999/02/28 00:08:40 mrg Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBNtiS7D5Ru2/4N2IFAQFG+gQAiGFZ4iQ2VQ70ls/UnWlG+vLovY8sDLwr
S6+bbXzmu21Oo61vMm6/aXWlDAWXzVNWkWJWam7WajShZ+N1T8KHYd9fge8Keh7y
PVd/5HHwrB1LwwjNv2i116fXyvC08hFkUsUGOi7VV+bPeGsUo1uYY2c+Xh6bIoQw
rf1Pl3Yr1D8=
=01kt
-----END PGP SIGNATURE-----