[12356] in bugtraq
Re: CERT Advisory CA-99.13 - Multiple Vulnerabilities in WU-FTPD
daemon@ATHENA.MIT.EDU (Charles M. Richmond)
Wed Oct 27 14:49:28 1999
Message-Id: <199910270646.CAA26943@koibito.iisc.com>
Date: Wed, 27 Oct 1999 02:45:59 -0400
Reply-To: "Charles M. Richmond" <cmr@IISC.COM>
From: "Charles M. Richmond" <cmr@IISC.COM>
X-To: lundberg@VR.NET, r-dass@NTX1.CSO.UIUC.EDU
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Fri, 22 Oct 1999 15:24:03 EDT."
<19991022152401.H3881@vr.net>
> On Thu, Oct 21, 1999 at 03:05:22PM -0500, Rami Dass wrote:
>
> > Also, I believe that this problem occurs only in certain OS's vulnerable
> > to the getcwd() exploit, the ERRATA file, in the 2.6.0 source tree, lists
> > them:
> >
> > "Systems needing getcwd():
...
> > OSF/1 (osf)
...
Gregory A Lundberg <lundberg@VR.NET> states:
> It's a well-known fact that getwd() is not a good choice; it overruns
> buffers. getcwd() allows bounds checking and should be used instead.
>
> The systems listed above have no getcwd() function, or at least nobody has
> reported those systems now have one, so we're still assuming they do not
> (notice we're fixing _that_ class of assumptions by switching to autoconf).
> Sun operating systems, in particular SunOS, provide the getcwd() function.
> Testing has shown the results from that function are not reliable.
Digital UNIX from 4.0b (uname -rsv - OSF1 V4.0 564) does have getcwd(), as
does Solaris 7 (2.7). Furthermore, even if one does use getwd(), it has
the following feature in both Solaris and in OSF/1 (DUNIX 4.0b):
OSF/1
The maximum pathname length, in characters, is set by the PATH_MAX definition,
as specified in the limits.h file. If the length of the pathname of
the current directory is greater than (PATH_MAX + 1), including the null
byte, getwd() fails and returns a null pointer.
Solaris
If the length of the pathname of the current working directory
is greater than ({PATH_MAX} + 1) including the null
byte, getwd() fails and returns a null pointer.
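The thread contrasts getwd(), which writes into a caller buffer with no size argument, against getcwd(), which takes an explicit bound. The following C program is an added example (not WU-FTPD code and not from any poster in the thread) of the bounded pattern: getcwd() is always called with the buffer's true size, an over-long path yields an ERANGE error instead of a buffer overrun, and a second helper grows a heap buffer so that it also copes with working directories longer than PATH_MAX. The function names safe_cwd() and cwd_alloc() are my own; the example assumes a POSIX getcwd().

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bounded replacement for a getwd() call: getcwd() is given the real
 * buffer size, so a long path can never write past the caller's buffer.
 * Returns 0 on success, -1 with errno set on failure. ERANGE means the
 * buffer was too small (the situation in which getwd() would overflow). */
int safe_cwd(char *buf, size_t size) {
    if (buf == NULL || size == 0) {
        errno = EINVAL;
        return -1;
    }
    if (getcwd(buf, size) == NULL) {
        buf[0] = '\0';          /* leave a valid (empty) string behind */
        return -1;
    }
    return 0;
}

/* Heap-allocating variant: starts small and doubles the buffer on ERANGE,
 * so paths longer than PATH_MAX are handled instead of rejected.
 * Returns NULL with errno set on failure; the caller frees the result. */
char *cwd_alloc(void) {
    size_t size = 64;
    for (;;) {
        char *buf = malloc(size);
        if (buf == NULL)
            return NULL;
        if (getcwd(buf, size) != NULL)
            return buf;
        int saved = errno;
        free(buf);
        if (saved != ERANGE) {  /* e.g. EACCES or ENOENT: do not retry */
            errno = saved;
            return NULL;
        }
        if (size > SIZE_MAX / 2) {
            errno = ENAMETOOLONG;
            return NULL;
        }
        size *= 2;
    }
}

int main(void) {
    char small[4];
    /* A 4-byte buffer is too small for any absolute path longer than "/xx":
     * with getcwd() this is a reported error, not an overrun. */
    if (safe_cwd(small, sizeof small) != 0)
        printf("safe_cwd(4 bytes): %s\n", strerror(errno));

    char *cwd = cwd_alloc();
    if (cwd != NULL) {
        printf("cwd = %s\n", cwd);
        free(cwd);
    } else {
        perror("cwd_alloc");
    }
    return 0;
}
```

The important property is that every write into a fixed buffer is bounded by a size the caller controls; when the path does not fit, the program sees an error it can handle rather than corrupted stack memory.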