From owner-freebsd-security Wed Nov 28 1:30:29 2001
Date: Wed, 28 Nov 2001 18:30:12 +0900 (JST)
Message-Id: <20011128.183012.26333334.y-koga@jp.FreeBSD.org>
To: ache@nagual.pp.ru
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: wu-ftpd ?
From: Koga Youichirou
In-Reply-To: <20011128084416.GA32507@nagual.pp.ru>
References: <5.1.0.14.0.20011127210017.0545a5e0@192.168.0.12> <20011128.122552.45455442.y-koga@jp.FreeBSD.org> <20011128084416.GA32507@nagual.pp.ru>

"Andrey A. Chernov" <ache@nagual.pp.ru>:
> > Following is RedHat's patch:
> >
> > --- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001
> > +++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001
> > @@ -309,7 +309,7 @@
> > if (lm >= restbufend)
> > return (0);
> > }
>
> It seems that this patch is over another patch and not for original 2.6.1
> sources. Could you please provide cumulative patch compared to original
> sources?

The patch I sent is included in RedHat's wu-ftpd source package. It includes wu-ftpd-2.7.0-20010531.tar.bz2, and the patch is for 2.7.0-20010531 (although it is named "wu-ftpd-2.6.1-sec.patch" ;).

Kajino-san has sent a patch for original 2.6.1, and I think it works well.

--
Koga, Youichirou

PS
Just FYI. CHANGES of wu-ftpd-2.7.0-20010531 since 2.6.1 are:

BEGIN-----------------------------------------------------
Changes in 2.7.0: Released

o Spurious home directory restrictions would occur if the user did not have permission to read their own home or one of its parent directories.

o Still MORE changes to ftpaccess parsing. All looping parses now continue past missing parameters instead of stopping unexpectedly.

o When using PAM, the anonymous user (ftp) can be authenticated but may not be known to the local system. If this occurs, try the "nobody" user. If neither exists, log a suitable message and kill the session. This should probably be done for other network-based authentication methods: patches would be very welcome.

o Treat ASCII CR (\r) as white space in the ftpaccess file. Done the Wrong Way but good enough to prevent most problems when a clueless admin uses Windows Notepad to edit the file instead of a real editor like emacs or vi.

o New ftpaccess clause "iptos" to allow management of IP Type Of Service for both control and data connections. Note: the default IPTOS changes; to use the same TOS as previous versions you must add the following to your ftpaccess:
    iptos control lowdelay
    iptos data throughput
  See the ftpaccess manpage for a full description of these options.

o Guestserver clause with no parameters hangs the control socket.

o New ftpaccess clauses "signoff" and "stat" work similar to "greeting". Please read the ftpaccess man page for more information on these new options.

o Log security issue on denied umask and chmod.

o Properly log security issue if RMD is denied because deletes are not allowed for this user.

o Restricted users should be allowed to use chmod and umask as well as SITE GROUP and SITE GPASS, but still cannot use SITE EXEC and SITE INDEX.

o Make y/n for chmod, umask, chmod, delete, overwrite case-insensitive.

o Correct chmod, umask, overwrite and rename to match documented operation. Namely, anonymous users cannot use them and all other can.

o Avoid crashes on certain configuration problems by making parameters optional and choosing reasonable defaults. Affected clauses are:
    private (default is no)
    log commands (default is log commands for all users)
    log transfers (default to log all transfers)
    log security (default to log all issues)
    compress (default to allow compression/uncompression)
    tar (default to allow tar on-the-fly)
  Also, ignore without crashing on banner clause without a pathname.

o In fixpath(), don't remove a trailing '.' at the end of the path. From John Simmons.

o If using OPIE, don't accept regular passwords if OPIE tells us not to. From Ken Mort.

o Added optional parameters to the upload clause. Newly created directories can now be given user/group ownership different than newly created files.

o For autoconf, some systems define __SVR4 and not SVR4. So, in src/config.h.in, if we see __SVR4 and not SVR4, go ahead and define SVR4. Solaris is the most-cited culprit here, but there may be others. The old build configs specifically define SVR4 so they have no problems.

o Add support for tcpwrappers in standalone daemon mode. Read the comments at the end of src/config.h.noac for instructions on how to enable them.

o Add logging of restart point and actual byte count in the xferlog. Since this will break xferstats and other log analyzers, it is disabled by default.

o Add To: and Date: headers for upload notification emails. Note the Date: header is *always* in UTC. If someone wants to change it to local time with a correct UTC offset, send the patch along.

o Update ftpaccess manpage to better describe lslong, lsshort and lsplain.

o Fix passive ports, missing ntohl() call caused misinterpretation.

o Document logfile ftpaccess option. Promote it to be usable in all configurations instead of just new-style virtual hosts (with /etc/ftphosts existing).

o Fix crash following timeout on a data connection.

o Add an option to track logins via the lastlog file. This option is enabled by default.

o Add user= to work similarly to class=; this also fixes a long-standing problem with class=. Things should now work a bit more like we'd expect when you use class=.

o Add throughput rate limiting to ASCII-mode file transfers. For some reason it was only applied to binary transfers.

o Use mkstemp() and mktemp() for temp file creation in privatepw if those functions are available.

o Fix so virtual hosts work with the standalone daemon.

o Add an option to define an alternate home directory to log real users into if we're doing strict_homedir checking or base_homedir checking and we fail either one of those.

o Split up the PARANOID configuration option into individual options for finer control.

o Add an option to check a user's home directory against a "base" directory and refuse the login if the former isn't below the latter.

o Renamed support/ftw.h to support/wuftpd_ftw.h to ensure the system ftw.h is used when HAVE_FTW is defined.

o Changed the way support headers are included to work with VPATH.

o Added workarounds for stdio bugs, email on anonymous upload now works on Solaris and AIX.

o Send a 502 reply instead of a 500 in disabled SITE commands.

o Fixed command and transfer logging so -L, -i and -o work with -a.

o Someone moved the call to get quota data earlier in the msg_massage function. This little optimization causes a segfault. Rather than reverse the change, just output "[unknown]" when quota information is desired and not yet available (for instance in the initial banner).

o Added host-limit configuration which enables the limiting of the number of sessions from one IP.

o Added NO_UTMP #ifdefs for systems that don't have a wtmp file.

o Improved the error reporting in ftpshut, ftprestart and ftpcount.

o Send a 502 reply instead of a 425 when PASV support is disabled. Send 502 instead of 500 when PORT is disabled.

o Two PASV commands in the same second get the same port assigned. Add some salt to spice things up.

o Host matching on the class clause and elsewhere used to allow [] ranges as well as wildcards. They are now allowed once more.

o Off-by-one in wu_fnmatch caused problems parsing [] ranges.

o Fix a segfault if there's a typo on pasv-allow. For instance, "pasv-allow all *" instead of "pasv-allow all 0.0.0.0/0". To be safe, for NOMATCH result instead of allowing the PASV connection.

o If using restricted-uid and the user's home includes symlinks, the PWD command can cause a crash. Run both paths through realpath to fix this.

o guestserver should deny anonymous access with no parameters.

o When using OPIE, don't require an OPIE reply if the user does not have an opie key.

o Don't lose last character when STOU exceeds 9 probes to find a unique filename.

o When using OPIE, don't allow normal passwords when OPIE is required.

o On command-line -u option, don't allow non-octal digits. Doh.

o Need HAVE_QUOTACTL on IRIX.

o In src/extensions.c is a definition of snprintf. It needs to be protected by HAVE_SNPRINTF.

o SunOS really doesn't have a working fchdir().

o NLST should not send the names of dangling symlinks since they can not be retrieved.

o guestuser and guestgroup no longer make anonymous users into guests when matching wildcards and ranges.

o Corrected an information leak when failing a MKD with restricted-uid. The pathname reported in the error needs to have the user's home stripped off the error reply. From Richard Mirch.

o AIX 4.1.x needs libbsd.a & libs.a.

o Added definition for AIX's file system (JFS).

o AIX 4.1.x has getrlimit() but no RLIMIT_NOFILE. It does have gettablesize().

o Fixed a problem with the order of the includes of sys/mnttab.h and sys/mntent.h. Solaris has them both but only defines struct mnttab.

o IRIX has no NCARGS in the system's include files but defines it in the kernel ('systune ncargs' outputs: ncargs = 20480 (0x5000)).

o Local quota updates can now be seen during the session. Two exceptions:
    1) It won't work in a chroot() environment unless the quota DB can be accessed there.
    2) WU-FTPD does not support displaying of files with cookies more than once. So the current solution is to display different files in different places (for example, cd to other directories).

o Fixed file descriptor and memory leaks in the email on anonymous upload code.

o Michael Brennen has contributed the Guest HOWTO to the project. It is now located in the doc/HOWTO section and will be included in all future releases.

o Provide a compile-time option to revert NLST to showing directories.

o Somehow the fix for pasv-allow didn't actually make it into 2.6.1.

o Off-by-one and missing step-increment in a couple routines for throughput limiting.

o Fix another missing format string. This was in debugging code, so it's not considered serious enough to push a new release yet.
END-------------------------------------------------------
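Review bot: the quoted glob.c hunk (`@@ -309,7 +309,7 @@`) shows only its trailing unchanged context, `if (lm >= restbufend)`, `return (0);` and `}`, and none of the `-`/`+` lines, so the bounds check being changed at line 309 cannot be verified from this message. Please quote the complete hunk, and since the header names glob.c.sec as its base, provide it as the cumulative patch against the original 2.6.1 sources that Andrey requested, so reviewers can confirm the check matches the code it is applied to.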