From owner-freebsd-security@FreeBSD.ORG Thu Jul 31 12:20:25 2003
Date: Thu, 31 Jul 2003 15:19:24 -0400 (EDT)
From: Robert Watson <robert@fledge.watson.org>
To: John Fox
cc: freebsd-security@freebsd.org
In-Reply-To: <20030731183553.GA85469@mind.net>
Subject: Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug
List-Id: Security issues [members-only posting]

On Thu, 31 Jul 2003, John Fox wrote:

> I see in BugTraq that there's yet another problem with Wu-ftpd, but I
> see no mention of it in the freebsd-security mailing list archives... I
> have searched the indexes from all of June and July.
>
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum.
>
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too. Which is
> why I am confused as to the lack of discussion of this matter.
>
> Can anyone shed some light on this?

I can't speak to specifically why there hasn't been an advisory of some sort for this specific vulnerability, but I can say that the primary reason why wu-ftpd issues don't get much discussion on FreeBSD lists compared to Linux lists is that the default FTP server in FreeBSD isn't wu-ftpd, unlike many Linux distributions. It's considered a third-party software package, which means it will generally be covered in ports security notices, as opposed to FreeBSD security advisories.

In the past, a number of vulnerabilities in various FTP packages have been associated with bugs in library code, not in the FTP daemon itself -- for example, at least one or two cases were associated with the libc glob code. This can also affect whether a vulnerability applies on all OSes, or just a few.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
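The subject line names the bug class (an off-by-one in a length check) without showing it. The following is an added illustration written for this page, not wu-ftpd's code and not anything from the advisory: a path-joining routine whose bounds check forgets the terminating NUL, next to the corrected check. `PATHMAX`, `join_buggy`, `join_fixed` and `probe` are made-up names; the buffer size is kept tiny so the boundary is easy to follow, and the backing storage carries one spare canary byte so the one-byte overwrite can be observed without undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for MAXPATHLEN (assumed value for the demo only). */
#define PATHMAX 16

/* Off-by-one: the check counts only the visible characters, so a
 * dir + '/' + name of exactly PATHMAX characters is accepted and
 * strcat's terminating NUL lands at out[PATHMAX], one byte past
 * the buffer the caller promised. */
bool join_buggy(char out[PATHMAX], const char *dir, const char *name)
{
    if (strlen(dir) + 1 + strlen(name) > PATHMAX)
        return false;
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, name);
    return true;
}

/* Fixed: account for the NUL, i.e. require
 * strlen(dir) + 1 + strlen(name) + 1 <= PATHMAX. */
bool join_fixed(char out[PATHMAX], const char *dir, const char *name)
{
    if (strlen(dir) + 1 + strlen(name) + 1 > PATHMAX)
        return false;
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, name);
    return true;
}

/* Runs one variant against a PATHMAX buffer followed by a canary byte.
 * Returns 0 if the input was rejected, 1 if accepted with the canary
 * intact, 2 if accepted and the canary was overwritten (overflow). */
int probe(bool (*join)(char *, const char *, const char *),
          const char *dir, const char *name)
{
    char storage[PATHMAX + 1];          /* spare byte keeps the demo well-defined */
    memset(storage, 'C', sizeof storage);
    if (!join(storage, dir, name))
        return 0;
    return storage[PATHMAX] == 'C' ? 1 : 2;
}

int main(void)
{
    /* Constructed inputs: 7+1+7 = 15 chars fits; 8+1+7 = 16 chars is the edge. */
    printf("buggy  ok-case : %d\n", probe(join_buggy, "abcdefg",  "hijklmn"));
    printf("buggy  edge    : %d\n", probe(join_buggy, "abcdefgh", "hijklmn"));
    printf("fixed  edge    : %d\n", probe(join_fixed, "abcdefgh", "hijklmn"));
    return 0;
}
```

The edge input is the one a fuzzer or a careful reviewer looks for: the longest path the buggy check still accepts is one byte too long once the NUL is counted, which is exactly the situation a `>` versus `>=` comparison on a fixed-size path buffer produces.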