[9628] in bugtraq
Re: SECURITY: new wu-ftpd packages available (fwd)
daemon@ATHENA.MIT.EDU (Tomasz Grabowski)
Thu Feb 18 14:07:49 1999
Date: Wed, 17 Feb 1999 13:01:07 +0100
Reply-To: Tomasz Grabowski <cadence@APOLLO.ACI.COM.PL>
From: Tomasz Grabowski <cadence@APOLLO.ACI.COM.PL>
X-To: Henrik Storner <storner@N-M.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <36C3F396.5C9D5B0D@n-m.com>
On Fri, 12 Feb 1999, Henrik Storner wrote:
> I looked into the patch that Red Hat included with the new wu-ftpd
> package.
> It does implement some checking of the parameters given to the ftp
> daemon's realpath() routine; however, at the very top of this routine
> there is an unguarded "strcpy(currpath, pathname)" - the currpath buffer
> is declared locally of size MAXPATHLEN (4K on Linux, it seems).
>
> It looks as if it is still vulnerable.
I think that you are wrong.
Look at the ftpd.c code.
The *pathname can only have up to 250 chars while curpath[1024] ;)
---
Tomasz Grabowski (0-91)4333950
Akademickie Centrum Informatyki
mailto:cadence@man.szczecin.pl
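
Added example, not part of the original message and not wu-ftpd code: a copy at the top of a realpath()-style routine that checks the length itself, so its safety does not depend on a limit enforced by the caller. The names copy_path_checked, resolve_path_start and try_length are hypothetical, the 1024-byte buffer is the figure given in the reply, and the input pathnames are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 1024 /* assumed local buffer size (figure from the reply) */

/* Copy src into dst only if it fits with its terminating NUL.
 * Returns 0 on success; -1 with errno set and dst emptied otherwise. */
static int copy_path_checked(char *dst, size_t dstsize, const char *src)
{
    const char *nul;
    if (dst == NULL || src == NULL || dstsize == 0) {
        errno = EINVAL;
        return -1;
    }
    nul = memchr(src, '\0', dstsize); /* look no further than dstsize bytes */
    if (nul == NULL) {                /* src needs more than dstsize bytes */
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Hypothetical stand-in for the top of a realpath()-style routine. */
static int resolve_path_start(const char *pathname)
{
    char currpath[PATH_BUF];
    return copy_path_checked(currpath, sizeof currpath, pathname);
}

/* Build a constructed pathname of n bytes and feed it to the routine. */
int try_length(size_t n)
{
    static char name[4097];
    if (n >= sizeof name)
        return -1;
    memset(name, 'a', n);
    name[n] = '\0';
    return resolve_path_start(name);
}

int main(void)
{
    printf("250: %d, 1023: %d, 1024: %d, 4095: %d\n", try_length(250), try_length(1023), try_length(1024), try_length(4095));
    return 0;
}
```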