Date: Wed, 28 Nov 2001 12:25:52 +0900 (JST) From: Koga Youichirou <y-koga@jp.FreeBSD.org> To: mike@sentex.net Cc: freebsd-security@FreeBSD.ORG Subject: Re: wu-ftpd ? Message-ID: <20011128.122552.45455442.y-koga@jp.FreeBSD.org> In-Reply-To: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> References: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12>
Mike Tancsa <mike@sentex.net>:
> I guess the post below relates to what was on bugtraq last week about
> the mysterious new wu-ftpd vulnerability. I still don't see anything on
> wu-ftpd's site about it. Is this something specific to LINUX then ? Anyone
> have any info ?
Following is RedHat's patch:
--- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001
+++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001
@@ -309,7 +309,7 @@
if (lm >= restbufend)
return (0);
}
- for (pe = ++p; *pe; pe++)
+ for (pe = ++p; *pe; pe++) {
switch (*pe) {
case '{':
@@ -325,11 +325,19 @@
case '[':
for (pe++; *pe && *pe != ']'; pe++)
continue;
+ if (!*pe) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
+ }
pend:
- brclev = 0;
- for (pl = pm = p; pm <= pe; pm++)
+ if (brclev || !*pe) {
+ globerr = "Missing }";
+ return (0);
+ }
+ for (pl = pm = p; pm <= pe; pm++) {
switch (*pm & (QUOTE | TRIM)) {
case '{':
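Review bot: With `brclev = 0;` dropped after `pend:`, the second scan relies on the new guard to start at brace depth zero, and nothing in the code records that. The `case '}'` arm that jumps to `pend` is outside this hunk, so this is inferred: if that jump is only taken at depth zero, `brclev` can be non-zero here only when the first scan ran off the end of the pattern, which `!*pe` already covers. A comment after the guard would keep the invariant visible, for example `/* from here brclev == 0 and pe points at the matching '}' */`. The function body starts and ends outside the hunk.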
@@ -365,19 +373,18 @@
return (1);
sort();
pl = pm + 1;
- if (brclev)
- return (0);
continue;
case '[':
for (pm++; *pm && *pm != ']'; pm++)
continue;
- if (!*pm)
- pm--;
+ if (!*pm) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
- if (brclev)
- goto doit;
+ }
return (0);
}
@@ -429,11 +436,10 @@
else if (scc == (lc = cc))
ok++;
}
- if (cc == 0)
- if (ok)
- p--;
- else
- return 0;
+ if (cc == 0) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
case '*':
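Review bot: The added `cc == 0` test only fires when the class loop itself fetches the terminator, so it does not cover a byte consumed inside the loop body. The loop head is outside this hunk; if it matches the removed `Gmatch` copy shown later in this patch, the range arm `scc <= *p++` advances `p` without testing for NUL, and a class that ends right after `-` could leave `p` one past the terminator before the next `*p++` read. Checking the range end before consuming it would close that, e.g. `if (*p == 0) { globerr = "Missing ]"; return (0); }` ahead of the comparison in the `'-'` arm.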
@@ -486,67 +492,6 @@
}
}
-/* This function appears to be unused, so why waste time and space on it? */
-#if 0 == 1
-static int Gmatch(register char *s, register char *p)
-{
- register int scc;
- int ok, lc;
- int c, cc;
-
- for (;;) {
- scc = *s++ & TRIM;
- switch (c = *p++) {
-
- case '[':
- ok = 0;
- lc = 077777;
- while (cc = *p++) {
- if (cc == ']') {
- if (ok)
- break;
- return (0);
- }
- if (cc == '-') {
- if (lc <= scc && scc <= *p++)
- ok++;
- }
- else if (scc == (lc = cc))
- ok++;
- }
- if (cc == 0)
- if (ok)
- p--;
- else
- return 0;
- continue;
-
- case '*':
- if (!*p)
- return (1);
- for (s--; *s; s++)
- if (Gmatch(s, p))
- return (1);
- return (0);
-
- case 0:
- return (scc == 0);
-
- default:
- if ((c & TRIM) != scc)
- return (0);
- continue;
-
- case '?':
- if (scc == 0)
- return (0);
- continue;
-
- }
- }
-}
-#endif /* Gmatch exclusion */
-
static void Gcat(register char *s1, register char *s2)
{
register size_t len = strlen(s1) + strlen(s2) + 1;
-- Koga, Youichirou
