[15651] in bugtraq

ftpd and setproctitle()

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Thu Jul 6 13:08:20 2000

Message-ID:  <200007060905.e6695iF29634@cvs.openbsd.org>
Date:         Thu, 6 Jul 2000 03:05:44 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

Well, while everyone is talking about setproctitle affecting wuftpd,
I should probably note that it even affects the OpenBSD ftpd.  In fact,
looking around, it looks like it might affect everyone's ftpd.

Our patch is at

	http://www.openbsd.org/errata.html#ftpd

We're currently going through our tree looking for *printf(), err*(),
warn*(), syslog(), setproctitle(), and even curses *print*() functions
that might have issues like this.  We did this before for the *printf
family, perhaps 3 years ago, but even now we are discovering a few that
we have missed.

It's scary, and quite a bit of work to check every such call.  They
happen a lot..