[9528] in bugtraq
Re: SECURITY: new wu-ftpd packages available (fwd)
daemon@ATHENA.MIT.EDU (Henrik Storner)
Fri Feb 12 20:08:23 1999
Date: Fri, 12 Feb 1999 10:25:42 +0100
Reply-To: Henrik Storner <storner@N-M.COM>
From: Henrik Storner <storner@N-M.COM>
To: BUGTRAQ@NETSPACE.ORG
Ronald Wahl wrote:
>
> On Tue, 9 Feb 1999, RHS Linux User wrote:
> > A security vulnerability has been identified in all versions of the wu-ftpd
> > server binary shipped with Red Hat Linux.
>
> Is it possible that the bug is not fixed yet?
>
> mkdir <verylongname> let the deamon do funny things. Can someone reproduce
> this?
I looked into the patch that Red Hat included with the new wu-ftpd
package.
It does implement some checking of the parameters given to the ftp
daemon's realpath() routine; however, at the very top of this routine
there
is an unguarded "strcpy(currpath, pathname)" - the currpath buffer is
declared
locally of size MAXPATHLEN (4K on Linux, it seems).
It looks as if it is still vulnerable.
