Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 31 Jul 2003 15:19:24 -0400 (EDT)
From:      Robert Watson <rwatson@freebsd.org>
To:        John Fox <jjf@mind.net>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
Message-ID:  <Pine.NEB.3.96L.1030731151702.37179A-100000@fledge.watson.org>
In-Reply-To: <20030731183553.GA85469@mind.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

On Thu, 31 Jul 2003, John Fox wrote:

> I see in BugTraq that there's yet another problem with Wu-ftpd, but I
> see no mention of it in the freebsd-security mailing list archives...I
> have searched the indexes from all of June and July. 
> 
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum. 
> 
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too.  Which is
> why I am confused as to the lack of discussion of this matter. 
> 
> Can anyone shed some light on this? 

I can't speak to specifically why there hasn't been an advisory of some
sort for this specific vulnerability, but I can say that the primary
reason why wu-ftpd issues don't get much discussion on FreeBSD lists
compared to Linux lists is that the default FTP server in FreeBSD isn't
wu-ftpd, unlike many Linux distributions.  It's considered a third party
software package, which means it will generally be covered in ports
security notices, as opposed to FreeBSD security advisories.  In the past,
a number of vulnerabilities in various FTP packages have been associated
with bugs in library code, not in the FTP daemon itself -- for example, at
least one or two cases were associates with the libc glob code.  This can
also affect whether a vulnerability applies on all OS's, or just a few. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1030731151702.37179A-100000>