[11609] in bugtraq


Re: ... / wu-ftpd <=2.5 / ...

daemon@ATHENA.MIT.EDU (Gregory A Lundberg)
Mon Aug 30 17:53:44 1999

Mail-Followup-To: Volker Borchert <bt@TEKNON.DE>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19990829013004.G19924@vr.net>
Date:         Sun, 29 Aug 1999 01:30:05 -0400
Reply-To: Gregory A Lundberg <lundberg@VR.NET>
From: Gregory A Lundberg <lundberg@VR.NET>
X-To:         Volker Borchert <bt@TEKNON.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <199908250948.LAA16517@Uranos.teknon.de>; from Volker Borchert on
              Wed, Aug 25, 1999 at 11:48:18AM +0200

On Wed, Aug 25, 1999 at 11:48:18AM +0200, Volker Borchert wrote:

> |> ----------------------------
> |> wu-ftpd 2.5, VR and BeroFTPD
> |> ----------------------------
>
> *** ftpd.c	Sun Jun  6 15:20:21 1999
> --- ftpd_patched.c	Sun Jun  6 15:15:03 1999
> ***************
> *** 1245,1251 ****
>         /* append the dir part with a leading / unless at root */
>         if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
>                 strcat( mapped_path, "/" );
> !       strcat( mapped_path, dir );
>   }
>
>   int
> --- 1245,1254 ----
>         /* append the dir part with a leading / unless at root */
>         if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
>                 strcat( mapped_path, "/" );
> !       if ( strlen(mapped_path) + strlen (dir) < 4095 )
> !               strcat( mapped_path, dir );
> !       else
> !         syslog(LOG_ERR, "FTP mapped_path attack ");
>   }
>
>   int
>
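Review bot: The bound on the changed lines is a hard-coded 4095, which has no connection to how the destination buffer is declared; with the declaration quoted in this message, `char mapped_path[ MAXPATHLEN ]`, the test should be written against `sizeof(mapped_path)`. The `strcat( mapped_path, "/" )` directly above the new check is still unguarded and runs before the length test, so the separator has to be counted in the same check: current length, plus one for "/", plus `strlen(dir)`, plus one for the terminating NUL must not exceed the buffer size. On the else branch the code only logs and falls through to the closing brace, which leaves the path with a trailing "/" and nothing in the hunk tells the caller the append was skipped; the syslog text also carries a trailing space and identifies neither the user nor the peer.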
> This patch has a serious flaw - like making the wolf your shepherd:
> the hard coded "4095" buffer size. See line 1200:
>
> 	char mapped_path[ MAXPATHLEN ] = "/";
>
> For example, on this here machine running SunOS 5.6, MAXPATHLEN is
> 1024. Use "sizeof(mapped_path)" instead.
>
> (BTW, your diff contains DOS style "cr/lf" sequences, so anyone
>  willing to apply it should pipe it into "patch" via "dos2unix".)
>
> 	vb

Which is WHY you should report bugs to the developers first.  We know
enough about the code to build a correct patch.  We'll probably even test
it against a couple machines before releasing it.  Heck, we might even fix
more than the narrow case you saw.

In this case the patch fixes the problem he _saw_ (but not the one he
missed), and ONLY on his Linux box (not on lots of other systems).  If he'd
have bothered to simply ask the developers of ANY of the packages he
discussed, he'd have gotten a review/correction of SOME of his patches.  He
didn't.  So his patches are wrong.  Such is the quality of _patches_ on
Bugtraq.  Let's face it people: if you take a patch from just anyone you
deserve what you get.

--

Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg@vr.net
Kettering, OH 45409-1615 USA    1-800-809-2195
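
The size check discussed in the quoted review, written against the buffer's real capacity, as an added example (not wu-ftpd code and not from either poster). `path_append` and its return convention are hypothetical; the 1024-byte buffer in `main` mirrors the MAXPATHLEN value quoted for SunOS 5.6, and the 2000-byte directory name is constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append "/dir" (or just "dir" when the path is
 * exactly "/") to the NUL-terminated path in buf, whose capacity is
 * bufsize bytes.  Returns 0 on success.  Returns -1 and leaves buf
 * unchanged if the result, including its NUL, would not fit. */
int path_append(char *buf, size_t bufsize, const char *dir)
{
    const char *end = memchr(buf, '\0', bufsize);
    if (end == NULL)                 /* not terminated inside the buffer */
        return -1;

    size_t cur = (size_t)(end - buf);
    size_t add = strlen(dir);
    size_t sep = (cur == 1 && buf[0] == '/') ? 0 : 1;

    /* Free bytes with one held back for the NUL.  Comparing against the
     * remaining room avoids computing cur + sep + add, which could wrap. */
    size_t room = bufsize - cur - 1;
    if (sep > room || add > room - sep)
        return -1;

    if (sep)
        buf[cur++] = '/';
    memcpy(buf + cur, dir, add + 1); /* add + 1 copies the NUL as well */
    return 0;
}

int main(void)
{
    char small[1024] = "/";          /* MAXPATHLEN quoted for SunOS 5.6 */
    char big[4096] = "/";            /* size the 4095 constant assumed */
    char dir[2001];                  /* constructed over-long component */

    memset(dir, 'a', sizeof(dir) - 1);
    dir[sizeof(dir) - 1] = '\0';

    /* The same call is rejected or accepted depending on the real size. */
    printf("1024-byte buffer: %d\n", path_append(small, sizeof(small), dir));
    printf("4096-byte buffer: %d\n", path_append(big, sizeof(big), dir));
    return 0;
}
```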
