--------------------------------------------------------------------------
Debian Security Advisory DSA 377-1                     security@debian.org 
Debian -- Security Information                              Matt Zimmerman
September 4th, 2003                      Debian -- Debian security FAQ 
--------------------------------------------------------------------------

Package        : wu-ftpd
Vulnerability  : insecure program execution
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CVE-1999-0997

wu-ftpd, an FTP server, implements a feature whereby multiple files
can be fetched in the form of a dynamically constructed archive file,
such as a tar archive.  The names of the files to be included are
passed as command line arguments to tar, without protection against
them being interpreted as command-line options.  GNU tar supports
several command line options which can be abused, by means of this
vulnerability, to execute arbitrary programs with the privileges of
the wu-ftpd process.

Georgi Guninski pointed out that this vulnerability exists in Debian
woody.

For the stable distribution (woody) this problem has been fixed in
version 2.6.2-3woody2.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you update your wu-ftpd package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

      
      Size/MD5 checksum:      607 b557af23920403ce4be64670a873a1dd
      
      Size/MD5 checksum:   100389 c2e481768ed3a0d97a110bc3cd4aefa2
      
      Size/MD5 checksum:   354784 b3c271f02aadf663b8811d1bff9da3f6

  Architecture independent components:

      
      Size/MD5 checksum:     3474 ae0a727f52cf8f1488222ce2b414a29a

  Alpha architecture:

      
      Size/MD5 checksum:   291710 d9725bc2a271f151fc42605edd6394c6

  ARM architecture:

      
      Size/MD5 checksum:   265366 d435ee1977a93705462528b23b8c9550

  Intel IA-32 architecture:

      
      Size/MD5 checksum:   257060 ed807ebe3275f76a13eed4fbb2d8a7fa

  Intel IA-64 architecture:

      
      Size/MD5 checksum:   321256 beaa9b061436052fddf3f47e2932360a

  HP Precision architecture:

      
      Size/MD5 checksum:   275896 c1bea3e7f0cdbab6c7240d5b08b4b9d1

  Motorola 680x0 architecture:

      
      Size/MD5 checksum:   249368 32f06b3bbe19265f749670950691c7ff

  Big endian MIPS architecture:

      
      Size/MD5 checksum:   272978 1ec11e5a9b53925b02fb7cfbbc3df56b

  Little endian MIPS architecture:

      
      Size/MD5 checksum:   273058 37140e512eaa62cfa0b99b9983e89b6f

  PowerPC architecture:

      
      Size/MD5 checksum:   268354 4da902291bc8bb6c5c652dfd9f7ba729

  IBM S/390 architecture:

      
      Size/MD5 checksum:   263100 a89f0be201d65cff953bc496a6391af4

  Sun Sparc architecture:

      
      Size/MD5 checksum:   270448 088bb0a66ee5b74ec59baff506a2be2a

  These files will probably be moved into the stable distribution on
  its next revision.

---------------------------------------------------------------------------------
For apt-get: deb  Debian -- Security Information  stable/updates main
For dpkg-ftp:    dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and  http://packages.debian.org/

Debian: 'wu-ftpd' insecure program execution

September 5, 2003
wu-ftpd, an FTP server, implements a feature whereby multiple filescan be fetched in the form of a dynamically constructed archive file,such as a tar archive

Summary

wu-ftpd, an FTP server, implements a feature whereby multiple files
can be fetched in the form of a dynamically constructed archive file,
such as a tar archive. The names of the files to be included are
passed as command line arguments to tar, without protection against
them being interpreted as command-line options. GNU tar supports
several command line options which can be abused, by means of this
vulnerability, to execute arbitrary programs with the privileges of
the wu-ftpd process.

Georgi Guninski pointed out that this vulnerability exists in Debian
woody.

For the stable distribution (woody) this problem has been fixed in
version 2.6.2-3woody2.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you update your wu-ftpd package.

Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
--------------------------------

Source archives:


Size/MD5 checksum: 607 b557af23920403ce4be64670a873a1dd

Size/MD5 checksum: 100389 c2e481768ed3a0d97a110bc3cd4aefa2

Size/MD5 checksum: 354784 b3c271f02aadf663b8811d1bff9da3f6

Architecture independent components:


Size/MD5 checksum: 3474 ae0a727f52cf8f1488222ce2b414a29a

Alpha architecture:


Size/MD5 checksum: 291710 d9725bc2a271f151fc42605edd6394c6

ARM architecture:


Size/MD5 checksum: 265366 d435ee1977a93705462528b23b8c9550

Intel IA-32 architecture:


Size/MD5 checksum: 257060 ed807ebe3275f76a13eed4fbb2d8a7fa

Intel IA-64 architecture:


Size/MD5 checksum: 321256 beaa9b061436052fddf3f47e2932360a

HP Precision architecture:


Size/MD5 checksum: 275896 c1bea3e7f0cdbab6c7240d5b08b4b9d1

Motorola 680x0 architecture:


Size/MD5 checksum: 249368 32f06b3bbe19265f749670950691c7ff

Big endian MIPS architecture:


Size/MD5 checksum: 272978 1ec11e5a9b53925b02fb7cfbbc3df56b

Little endian MIPS architecture:


Size/MD5 checksum: 273058 37140e512eaa62cfa0b99b9983e89b6f

PowerPC architecture:


Size/MD5 checksum: 268354 4da902291bc8bb6c5c652dfd9f7ba729

IBM S/390 architecture:


Size/MD5 checksum: 263100 a89f0be201d65cff953bc496a6391af4

Sun Sparc architecture:


Size/MD5 checksum: 270448 088bb0a66ee5b74ec59baff506a2be2a

These files will probably be moved into the stable distribution on
its next revision.

Severity
Package : wu-ftpd
Vulnerability : insecure program execution
Problem-Type : remote
Debian-specific: no
CVE Ids : CVE-1999-0997

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved