Date: Wed, 28 Nov 2001 18:30:12 +0900 (JST) From: Koga Youichirou <y-koga@jp.FreeBSD.org> To: ache@nagual.pp.ru Cc: freebsd-security@FreeBSD.ORG Subject: Re: wu-ftpd ? Message-ID: <20011128.183012.26333334.y-koga@jp.FreeBSD.org> In-Reply-To: <20011128084416.GA32507@nagual.pp.ru> References: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> <20011128.122552.45455442.y-koga@jp.FreeBSD.org> <20011128084416.GA32507@nagual.pp.ru>
"Andrey A. Chernov" <ache@nagual.pp.ru>:
> > Following is RedHat's patch:
> >
> > --- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001
> > +++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001
> > @@ -309,7 +309,7 @@
> > if (lm >= restbufend)
> > return (0);
> > }
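Review bot: the quoted hunk is incomplete, so the change itself cannot be reviewed from this excerpt; the `@@ -309,7 +309,7 @@` header announces seven lines on each side, but only three unchanged context lines survive (`if (lm >= restbufend)`, `return (0);`, `}`) and no `-`/`+` line at all. The visible guard, which refuses with `return (0)` once the write position `lm` reaches `restbufend` instead of truncating, looks right, but whether it is the new line, the old line, or merely surrounding context is not determinable here. Please re-post the full hunk, preferably as the cumulative patch against the original 2.6.1 sources that was requested in this thread, and note that the `.sec` suffix on the `---` line indicates the diff was taken against an already patched tree.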
>
> It seems that this patch is over another patch and not for original 2.6.1
> sources. Could you please provide cumulative patch compared to original
> sources?
The patch I sent is included in RedHat's wu-ftpd source package.
It includes wu-ftpd-2.7.0-20010531.tar.bz2, and
the patch is for 2.7.0-20010531 (although it is named
"wu-ftpd-2.6.1-sec.patch" ;).
Kajino-san has sent a patch for original 2.6.1,
and I think it works well.
-- Koga, Youichirou
PS
Just FYI.
CHANGES of wu-ftpd-2.7.0-20010531 since 2.6.1 are:
BEGIN-----------------------------------------------------
Changes in 2.7.0: Released <not yet>
o Spurious home directory restrictions would occur if the user did not
have permission to read their own home or one of its parent
directories.
o Still MORE changes to ftpaccess parsing. All looping parses now
continue past missing parameters instead of stopping unexpectedly.
o When using PAM, the anonymous user (ftp) can be authenticated but may
not be known to the local system. If this occurs, try the "nobody"
user. If neither exists, log a suitable message and kill the session.
This should probably be done for other network-based authentication
methods: patches would be very welcome.
o Treat ASCII CR (\r) as white space in the ftpaccess file. Done the
Wrong Way but good enough to prevent most problems when a clueless
admin uses Windows Notepad to edit the file instead of a real editor
like emacs or vi.
o New ftpaccess clause "iptos" to allow management of IP Type Of Service
for both control and data connections. Note: the default IPTOS changes;
to use the same TOS as previous versions you must add the following to
your ftpaccess:
iptos control lowdelay
iptos data throughput
See the ftpaccess manpage for a full description of these options.
o Guestserver clause with no parameters hangs the control socket.
o New ftpaccess clauses "signoff" and "stat" work similar to "greeting".
Please read the ftpaccess man page for more information on these new
options.
o Log security issue on denied umask and chmod.
o Properly log security issue if RMD is denied because deletes are not
allowed for this user.
o Restricted users should be allowed to use chmod and umask as well as
SITE GROUP and SITE GPASS, but still cannot use SITE EXEC and SITE
INDEX.
o Make y/n for chmod, umask, chmod, delete, overwrite case-insensitive.
o Correct chmod, umask, overwrite and rename to match documented
operation. Namely, anonymous users cannot use them and all others can.
o Avoid crashes on certain configuration problems by making parameters
optional and choosing reasonable defaults. Affected clauses are:
private (default is no)
log commands (default is log commands for all users)
log transfers (default to log all transfers)
log security (default to log all issues)
compress (default to allow compression/uncompression)
tar (default to allow tar on-the-fly)
Also, ignore without crashing on banner clause without a pathname.
o In fixpath(), don't remove a trailing '.' at the end of the path. From
John Simmons <jbsimmon@us.ibm.com>.
o If using OPIE, don't accept regular passwords if OPIE tells us not to.
From Ken Mort <ken@mort.net>.
o Added optional parameters to the upload clause. Newly created
directories can now be given user/group ownership different than newly
created files.
o For autoconf, some systems define __SVR4 and not SVR4. So, in
src/config.h.in, if we see __SVR4 and not SVR4, go ahead and define
SVR4. Solaris is the most-cited culprit here, but there may be
others. The old build configs specifically define SVR4 so they
have no problems.
o Add support for tcpwrappers in standalone daemon mode. Read the
comments at the end of src/config.h.noac for instructions on how
to enable them.
o Add logging of restart point and actual byte count in the xferlog.
Since this will break xferstats and other log analyzers, it is
disabled by default.
o Add To: and Date: headers for upload notification emails. Note the
Date: header is *always* in UTC. If someone wants to change it to
local time with a correct UTC offset, send the patch along.
o Update ftpaccess manpage to better describe lslong, lsshort and
lsplain.
o Fix passive ports, missing ntohl() call caused misinterpretation.
o Document logfile ftpaccess option. Promote it to be usable in all
configurations instead of just new-style virtual hosts (with
/etc/ftphosts existing).
o Fix crash following timeout on a data connection.
o Add an option to track logins via the lastlog file. This option is
enabled by default.
o Add user= to work similarly to class=; this also fixes a long-standing
problem with class=. Things should now work a bit more like we'd
expect when you use class=.
o Add throughput rate limiting to ASCII-mode file transfers. For some
reason it was only applied to binary transfers.
o Use mkstemp() and mktemp() for temp file creation in privatepw if those
functions are available
o Fix so virtual hosts work with the standalone daemon.
o Add an option to define an alternate home directory to log real users
into if we're doing strict_homedir checking or base_homedir checking
and we fail either one of those.
o Split up the PARANOID configuration option into individual options
for finer control.
o Add an option to check a user's home directory against a "base"
directory and refuse the login if the former isn't below the
latter.
o Renamed support/ftw.h to support/wuftpd_ftw.h to ensure the system ftw.h
is used when HAVE_FTW is defined.
o Changed the way support headers are included to work with VPATH.
o Added workarounds for stdio bugs, email on anonymous upload now works
on Solaris and AIX.
o Send a 502 reply instead of a 500 in disabled SITE commands.
o Fixed command and transfer logging so -L, -i and -o work with -a.
o Someone moved the call to get quota data earlier in the msg_massage
function. This little optimization causes a segfault. Rather than
reverse the change, just output "[unknown]" when quota information
is desired and not yet available (for instance in the initial banner).
o Added host-limit configuration which enables the limiting of the
number of sessions from one IP.
o Added NO_UTMP #ifdefs for systems that don't have a wtmp file.
o Improved the error reporting in ftpshut, ftprestart and ftpcount.
o Send a 502 reply instead of a 425 when PASV support is disabled.
Send 502 instead of 500 when PORT is disabled.
o Two PASV commands in the same second get the same port assigned.
Add some salt to spice things up.
o Host matching on the class clause and elsewhere used to allow []
ranges as well as wildcards. They are now allowed once more.
o Off-by-one in wu_fnmatch caused problems parsing [] ranges.
o Fix a segfault if there's a typo on pasv-allow. For instance,
"pasv-allow all *" instead of "pasv-allow all 0.0.0.0/0". To be
safe, fail on NOMATCH result instead of allowing the PASV connection.
o If using restricted-uid and the user's home includes symlinks, the
PWD command can cause a crash. Run both paths through realpath to
fix this.
o guestserver should deny anonymous access with no parameters.
o When using OPIE, don't require an OPIE reply if the user does not
have an opie key.
o Don't lose last character when STOU exceeds 9 probes to find a
unique filename.
o When using OPIE, don't allow normal passwords when OPIE is
required.
o On command-line -u option, don't allow non-octal digits. Doh.
o Need HAVE_QUOTACTL on IRIX.
o In src/extensions.c is a definition of snprintf. It needs to be
protected by HAVE_SNPRINTF.
o SunOS really doesn't have a working fchdir().
o NLST should not send the names of dangling symlinks since they can
not be retrieved.
o guestuser and guestgroup no longer make anonymous users into guests
when matching wildcards and ranges.
o Corrected an information leak when failing a MKD with restricted-uid.
The pathname reported in the error needs to have the user's home
stripped off the error reply. From Richard Mirch <mirchr@sunyit.edu>.
o AIX 4.1.x needs libbsd.a & libs.a.
o Added definition for AIX's file system (JFS).
o AIX 4.1.x has getrlimit() but no RLIMIT_NOFILE. It does have
gettablesize().
o Fixed a problem with the order of the includes of sys/mnttab.h and
sys/mntent.h. Solaris has them both but only defines struct mnttab.
o IRIX has no NCARGS in the system's include files but defines it in the
kernel ('systune ncargs' outputs: ncargs = 20480 (0x5000)).
o Local quota updates can now be seen during the session. Two exceptions:
1) It won't work in a chroot() environment unless the quota DB can be
accessed there.
2) WU-FTPD does not support displaying of files with cookies more than
once. So the current solution is to display different files in
different places (for example, cd to other directories).
o Fixed file descriptor and memory leaks in the email on anonymous upload
code.
o Michael Brennen has contributed the Guest HOWTO to the project. It is
now located in the doc/HOWTO section and will be included in all
future releases.
o Provide a compile-time option to revert NLST to showing directories.
o Somehow the fix for pasv-allow didn't actually make it into 2.6.1
o Off-by-one and missing step-increment in a couple routines for
throughput limiting.
o Fix another missing format string. This was in debugging code, so it's
not considered serious enough to push a new release yet.
END-------------------------------------------------------
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011128.183012.26333334.y-koga>
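The only code visible in this thread is the guard `if (lm >= restbufend) return (0);` from the quoted glob.c hunk: a write position compared against the end of a fixed result buffer, refusing rather than truncating. The following is an added example of that end-pointer pattern written for this page; it is not wu-ftpd's glob.c, and the buffer size, function names (`copy_bounded`, `join_bounded`, `join_fits`, `join_result`) and the directory/name inputs are all made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative fixed result buffer size; wu-ftpd's real buffer is not
 * described on this page, so the value is an assumption. */
#define RESTBUF_SIZE 16

/* Copy src (with its terminating NUL) into the window [lm, restbufend).
 * Returns the new write position (pointing at the NUL, ready for the next
 * piece), or NULL if the piece does not fit.  The shape matches the quoted
 * guard: once lm reaches restbufend, or the remaining room is too small,
 * refuse instead of writing past the end or silently truncating. */
static char *copy_bounded(char *lm, const char *restbufend, const char *src)
{
    size_t need = strlen(src) + 1;
    if (lm >= restbufend || (size_t)(restbufend - lm) < need)
        return NULL;
    memcpy(lm, src, need);
    return lm + need - 1;
}

/* Join "dir/name" into restbuf, checking every piece against the end
 * pointer.  Returns 1 on success, 0 if the result would not fit; on 0 the
 * buffer contents are unspecified and must not be used. */
int join_bounded(char *restbuf, size_t size, const char *dir, const char *name)
{
    char *restbufend = restbuf + size;
    char *lm = restbuf;

    if ((lm = copy_bounded(lm, restbufend, dir)) == NULL)  return 0;
    if ((lm = copy_bounded(lm, restbufend, "/")) == NULL)  return 0;
    if ((lm = copy_bounded(lm, restbufend, name)) == NULL) return 0;
    return 1;
}

/* Convenience wrappers over a static RESTBUF_SIZE buffer so a caller can
 * inspect both the verdict and the produced string. */
static char restbuf[RESTBUF_SIZE];

int join_fits(const char *dir, const char *name)
{
    return join_bounded(restbuf, sizeof restbuf, dir, name);
}

const char *join_result(void)
{
    return restbuf;
}

int main(void)
{
    /* Constructed inputs: one that fits, one exactly at the limit, one over. */
    printf("%d %s\n", join_fits("pub", "file"), join_result());
    printf("%d %s\n", join_fits("incoming", "123456"), join_result());
    printf("%d\n", join_fits("incoming", "1234567"));
    return 0;
}
```

The boundary case is the one worth keeping in mind: with a 16-byte buffer, "incoming/123456" (15 characters plus NUL) is accepted, while "incoming/1234567" is one byte too long and is refused before anything is written past the end.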
