From owner-freebsd-security Tue Nov 27 19:26:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from TYO201.gate.nec.co.jp (TYO201.gate.nec.co.jp [202.32.8.214]) by hub.freebsd.org (Postfix) with ESMTP id E134837B419 for ; Tue, 27 Nov 2001 19:26:26 -0800 (PST) Received: from mailgate4.nec.co.jp ([10.7.69.195]) by TYO201.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id fAS3Q2R14454; Wed, 28 Nov 2001 12:26:02 +0900 (JST) Received: from mailsv4.nec.co.jp (mailgate51.nec.co.jp [10.7.69.196]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP id fAS3Pqa16511; Wed, 28 Nov 2001 12:25:52 +0900 (JST) Received: from necspl.do.mms.mt.nec.co.jp (necspl.do.mms.mt.nec.co.jp [10.16.5.21]) by mailsv4.nec.co.jp (8.11.6/3.7W-MAILSV4-NEC) with ESMTP id fAS3Pqi24235; Wed, 28 Nov 2001 12:25:52 +0900 (JST) Received: from localhost (localhost [127.0.0.1]) by necspl.do.mms.mt.nec.co.jp (8.12.1/8.12.1) with ESMTP id fAS3PqlC009970; Wed, 28 Nov 2001 12:25:52 +0900 (JST) Date: Wed, 28 Nov 2001 12:25:52 +0900 (JST) Message-Id: <20011128.122552.45455442.y-koga@jp.FreeBSD.org> To: mike@sentex.net Cc: freebsd-security@FreeBSD.ORG Subject: Re: wu-ftpd ? From: Koga Youichirou In-Reply-To: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> References: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> X-Mailer: Mew version 3.0.50 on Emacs 21.1 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Mike Tancsa : > I guess the post below is relates to what was on bugtraq last week about > the mysterious new wu-ftpd vulnerability. I still dont see anything on > wu-ftpd's site about it. Is this something specific to LINUX then ? Anyone > have any info ? Following is RedHat's patch: --- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001 +++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001 @@ -309,7 +309,7 @@ if (lm >= restbufend) return (0); } - for (pe = ++p; *pe; pe++) + for (pe = ++p; *pe; pe++) { switch (*pe) { case '{': @@ -325,11 +325,19 @@ case '[': for (pe++; *pe && *pe != ']'; pe++) continue; + if (!*pe) { + globerr = "Missing ]"; + return (0); + } continue; } + } pend: - brclev = 0; - for (pl = pm = p; pm <= pe; pm++) + if (brclev || !*pe) { + globerr = "Missing }"; + return (0); + } + for (pl = pm = p; pm <= pe; pm++) { switch (*pm & (QUOTE | TRIM)) { case '{': @@ -365,19 +373,18 @@ return (1); sort(); pl = pm + 1; - if (brclev) - return (0); continue; case '[': for (pm++; *pm && *pm != ']'; pm++) continue; - if (!*pm) - pm--; + if (!*pm) { + globerr = "Missing ]"; + return (0); + } continue; } - if (brclev) - goto doit; + } return (0); } @@ -429,11 +436,10 @@ else if (scc == (lc = cc)) ok++; } - if (cc == 0) - if (ok) - p--; - else - return 0; + if (cc == 0) { + globerr = "Missing ]"; + return (0); + } continue; case '*': @@ -486,67 +492,6 @@ } } -/* This function appears to be unused, so why waste time and space on it? */ -#if 0 == 1 -static int Gmatch(register char *s, register char *p) -{ - register int scc; - int ok, lc; - int c, cc; - - for (;;) { - scc = *s++ & TRIM; - switch (c = *p++) { - - case '[': - ok = 0; - lc = 077777; - while (cc = *p++) { - if (cc == ']') { - if (ok) - break; - return (0); - } - if (cc == '-') { - if (lc <= scc && scc <= *p++) - ok++; - } - else if (scc == (lc = cc)) - ok++; - } - if (cc == 0) - if (ok) - p--; - else - return 0; - continue; - - case '*': - if (!*p) - return (1); - for (s--; *s; s++) - if (Gmatch(s, p)) - return (1); - return (0); - - case 0: - return (scc == 0); - - default: - if ((c & TRIM) != scc) - return (0); - continue; - - case '?': - if (scc == 0) - return (0); - continue; - - } - } -} -#endif /* Gmatch exclusion */ - static void Gcat(register char *s1, register char *s2) { register size_t len = strlen(s1) + strlen(s2) + 1; -- Koga, Youichirou To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message