Re: ... / wu-ftpd <=2.5 / ...

From: Gregory A Lundberg (lundbergat_private)
Date: Sat Aug 28 1999 - 22:30:05 PDT

Next message: Jethro Tull: "Dynamic DNS"

Previous message: mb: "Re: Vulnerability in Solaris 2.6. rpc.statd ?"
Next in thread: Jason Downs: "Re: ... / wu-ftpd <=2.5 / ..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 25, 1999 at 11:48:18AM +0200, Volker Borchert wrote:

> |> ----------------------------
> |> wu-ftpd 2.5, VR and BeroFTPD
> |> ----------------------------
>
> *** ftpd.c	Sun Jun  6 15:20:21 1999
> --- ftpd_patched.c	Sun Jun  6 15:15:03 1999
> ***************
> *** 1245,1251 ****
>         /* append the dir part with a leading / unless at root */
>         if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
>                 strcat( mapped_path, "/" );
> !       strcat( mapped_path, dir );
>   }
>
>   int
> --- 1245,1254 ----
>         /* append the dir part with a leading / unless at root */
>         if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
>                 strcat( mapped_path, "/" );
> !       if ( strlen(mapped_path) + strlen (dir) < 4095 )
> !               strcat( mapped_path, dir );
> !       else
> !         syslog(LOG_ERR, "FTP mapped_path attack ");
>   }
>
>   int
>
> This patch has a serious flaw - like making the wolf your shepherd:
> the hard coded "4095" buffer size. See line 1200:
>
> 	char mapped_path[ MAXPATHLEN ] = "/";
>
> For example, on this here machine running SunOS 5.6, MAXPATHLEN is
> 1024. Use "sizeof(mapped_path)" instead.
>
> (BTW, your diff contains DOS style "cr/lf" sequences, so anyone
>  willing to apply it should pipe it into "patch" via "dos2unix".)
>
> 	vb

Which is WHY you should report bugs to the developers first.  We know
enough about the code to build a correct patch.  We'll probably even test
it against a couple machines before releasing it.  Heck, we might even fix
more than the narrow case you saw.

In this case the patch fixes the problem he _saw_ (but not the one he
missed), and ONLY on his Linux box (not on lots of other systems).  If he'd
have bothered to simply ask the developers of ANY of the packages he
discussed, he'd have gotten a review/correction of SOME of his patches.  He
didn't.  So his patches are wrong.  Such is the quality of _patches_ on
Bugtraq.  Let's face it people: if you take a patch from just anyone you
deserve what you get.

--

Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              lundbergat_private
Kettering, OH 45409-1615 USA    1-800-809-2195

Next message: Jethro Tull: "Dynamic DNS"
Previous message: mb: "Re: Vulnerability in Solaris 2.6. rpc.statd ?"
Next in thread: Jason Downs: "Re: ... / wu-ftpd <=2.5 / ..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:53 PDT