[15694] in bugtraq
Re: ftpd and setproctitle()
daemon@ATHENA.MIT.EDU (Nic Bellamy)
Mon Jul 10 02:13:22 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0007081430060.23300-100000@skyelar.bellamy.co.nz>
Date: Sat, 8 Jul 2000 14:42:45 +1200
Reply-To: Nic Bellamy <nic@BELLAMY.CO.NZ>
From: Nic Bellamy <nic@BELLAMY.CO.NZ>
X-To: Roger Espel Llima <espel@IAGORA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000707120152.A549@rajpur.iagora.es>
On Fri, 7 Jul 2000, Roger Espel Llima wrote:
> Theo de Raadt wrote:
> > Well, while everyone is talking about setproctitle affecting wuftpd,
> > I should probably note that it even affects the OpenBSD ftpd. In fact,
> > looking around, it looks like it might affect everyone's ftpd.
>
> Curiously enough, this bug didn't affect the Linux port of the OpenBSD
> ftpd (http://freshmeat.net/appindex/1999/10/09/939509389.html), because
> it doesn't #define HASSETPROCTITLE.
There's actually more than one Linux port of the OpenBSD ftpd - for
instance the one included in Debian's netstd (from 2.1/Slink) and ftpd
(from 2.2/Potato) packages.
The Slink package *is* vulnerable to this, the Potato version probably is
(according to the source) but I have not been able to check as yet.
The port they use does define a printf-like setproctitle() function, and
#defines HASSETPROCTITLE.
I mailed the Debian security people about this yesterday, with patches.
Regards,
Nic.
-- Nic Bellamy <nic@bellamy.co.nz>
Director, Bellamy Consulting Ltd.
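
A printf-like setproctitle() is only a problem when text containing client-supplied data reaches it as the format argument. The sketch below is an added example, not part of the original message or of any ftpd source; demo_setproctitle, title_unsafe, title_safe, the title buffer and the sample host and user strings are all constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 128

/* Stand-in for the process title (hypothetical; a real setproctitle()
 * rewrites the argv area instead of a static buffer). */
static char title_buf[TITLE_MAX];

/* printf-like title setter with the same calling shape as the function
 * the message describes. The name is made up for this example. */
static void demo_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(title_buf, sizeof(title_buf), fmt, ap);
    va_end(ap);
}

/* Unsafe pattern: the assembled text, which includes client-supplied
 * data, is handed over as the format string itself. */
const char *title_unsafe(const char *host, const char *user)
{
    char line[TITLE_MAX];
    snprintf(line, sizeof(line), "%s: %s", host, user);
    demo_setproctitle(line);      /* client data parsed as a format */
    return title_buf;
}

/* Corrected pattern: constant format, client data only as arguments. */
const char *title_safe(const char *host, const char *user)
{
    demo_setproctitle("%s: %s", host, user);
    return title_buf;
}

int main(void)
{
    /* Constructed input: "%%" is a directive that consumes no argument,
     * so the difference is visible without undefined behaviour. */
    const char *user = "anon%%ymous";
    printf("unsafe: %s\n", title_unsafe("client.example", user));
    printf("safe:   %s\n", title_safe("client.example", user));
    return 0;
}
```

Declaring such a function with GCC's `__attribute__((format(printf, 1, 2)))` lets `-Wformat-security` flag the unsafe call at compile time.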