NetBSD-SA1999-003 wu-ftpd(8) package problems
Posted by LinuxSecurity.com Team
NetBSD Security problems in wu-ftpd package fixed

                 NetBSD Security Advisory 1999-003
                 =================================

Topic:          Security problems in wu-ftpd package fixed
Version:        Anything before wu-ftpd-2.4.2b18.2
Severity:       Remote buffer overflows in various FTP servers lead
                to potential root compromise.


Abstract
========

Remote buffer overflows in various FTP servers lead to potential root
compromise.


Technical Details
=================

When processing pathnames from commands such as CWD and MKD, the FTP
server realpath module would incorrectly copy beyond the end of its
buffer.  This could happen if passed a length greater than MAXPATHLEN
(1024), or if the full real path (outside of ~ftp) was greater than
MAXPATHLEN.  This allowed a remote attacker to compromise the system by
overwriting the program's stack with their own data, possibly gaining
root access.
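
The missing length check, shown as an added example (not code from wu-ftpd
or from the NetBSD patches): a lexical path resolver that rejects both cases
named above, an over-long argument and a short argument whose resolved path
under the root exceeds the buffer.  The names bounded_resolve,
append_component and PATH_CAP and the root /home/ftp are assumptions made
for illustration; symbolic links are not followed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PATH_CAP 1024   /* MAXPATHLEN value quoted in the advisory */

/* Append "/" + comp to out; refuse anything that would not fit in cap. */
static int append_component(char *out, size_t cap, size_t *len,
                            const char *comp, size_t clen)
{
    /* Room is needed for '/', the component and the terminating NUL. */
    if (clen >= cap || *len + 1 + clen >= cap) {
        errno = ENAMETOOLONG;
        return -1;
    }
    out[(*len)++] = '/';
    memcpy(out + *len, comp, clen);
    *len += clen;
    out[*len] = '\0';
    return 0;
}

/* Lexically resolve rel under root (no trailing '/') into out[cap]. */
int bounded_resolve(char *out, size_t cap, const char *root, const char *rel)
{
    size_t rootlen = strlen(root), len = rootlen;
    if (rootlen >= cap) { errno = ENAMETOOLONG; return -1; }
    memcpy(out, root, rootlen + 1);
    while (*rel) {
        size_t clen = strcspn(rel, "/");
        if (clen == 2 && rel[0] == '.' && rel[1] == '.') {
            /* ".." steps up one level, never above root. */
            while (len > rootlen && out[len - 1] != '/') len--;
            if (len > rootlen) len--;
            out[len] = '\0';
        } else if (clen > 0 && !(clen == 1 && rel[0] == '.')) {
            if (append_component(out, cap, &len, rel, clen) != 0) return -1;
        }
        rel += clen;
        while (*rel == '/') rel++;   /* skip separators, incl. repeats */
    }
    return 0;
}

int main(void)
{
    char out[PATH_CAP];   /* constructed sample input below */
    int rc = bounded_resolve(out, sizeof out, "/home/ftp", "pub/../incoming");
    printf("%d %s\n", rc, rc == 0 ? out : "(rejected)");
    return 0;
}
```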


Solutions and Workarounds
=========================

NetBSD users should update to a pkgsrc tree newer than 19990214
and make sure the version of their wu-ftpd package is at least
wu-ftpd-2.4.2b18.2. 

Binaries for NetBSD 1.3.3 and NetBSD-current are available at

        ftp://ftp.netbsd.org/pub/NetBSD/packages/1.3/
        ftp://ftp.netbsd.org/pub/NetBSD/packages/1.3.3/

and
        ftp://ftp.netbsd.org/pub/NetBSD/packages/1.3I/

respectively.


Thanks To
=========

Thanks go to Rene Hexel for updating the
wu-ftpd package with appropriate patches to fix all buffer overruns
and to Hubert Feyrer for
coordinating package fixing, binary package builds and the
corresponding announcements.


More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1999, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA1999-003.txt,v 1.2 1999/02/28 00:08:40 mrg Exp $
