Date:      Mon, 11 Dec 2006 09:29:19 +0500 (YEKT)
From:      "Sergey N. Voronkov" <serg@tmn.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/106594: ftp/tnftpd - fix critical bug
Message-ID:  <200612110429.kBB4TJpH019458@sv.tech.sibitex.tmn.ru>
Resent-Message-ID: <200612110430.kBB4U5B4085469@freefall.freebsd.org>

>Number:         106594
>Category:       ports
>Synopsis:       ftp/tnftpd - fix critical bug
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 11 04:30:04 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Sergey N. Voronkov
>Release:        FreeBSD 6.2-RC1 i386
>Organization:
Sibitex Ltd.
>Environment:
System: FreeBSD sv.tech.sibitex.tmn.ru 6.2-RC1 FreeBSD 6.2-RC1 #1: Fri Dec 8 12:12:23 YEKT 2006 serg@sv.tech.sibitex.tmn.ru:/usr/obj/usr/src/sys/SV i386

>Description:
	Fix a root exploit:

	http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051009.html

>How-To-Repeat:
	See above URL.
>Fix:
diff -ruN tnftpd.orig/Makefile tnftpd/Makefile
--- tnftpd.orig/Makefile        Sun May  7 17:09:21 2006
+++ tnftpd/Makefile     Mon Dec 11 09:16:48 2006
@@ -7,6 +7,7 @@
 
 PORTNAME=      tnftpd
 PORTVERSION=   20040810
+PORTREVISION=  1
 CATEGORIES=    ftp ipv6
 MASTER_SITES=  ftp://ftp.netbsd.org/pub/NetBSD/misc/tnftp/
 
diff -ruN tnftpd.orig/files/patch-libnetbsd-glob.c
tnftpd/files/patch-libnetbsd-glob.c
--- tnftpd.orig/files/patch-libnetbsd-glob.c    Thu Jan  1 05:00:00 1970
+++ tnftpd/files/patch-libnetbsd-glob.c Mon Dec 11 09:16:19 2006
@@ -0,0 +1,13 @@
+--- libnetbsd/glob.c-orig      Mon Dec 11 09:13:10 2006
++++ libnetbsd/glob.c   Mon Dec 11 09:14:16 2006
+@@ -497,7 +497,9 @@
+        * we save one character so that we can use ptr >= limit,
+        * in the general case when we are appending non nul chars only.
+        */
+-      return(glob2(pathbuf, pathbuf, pathbuf + sizeof(pathbuf) - 1,
pattern,
++      return(glob2(pathbuf, pathbuf,
++                   pathbuf + (sizeof(pathbuf) / sizeof(*pathbuf)) - 1,
++                   pattern,
+           pglob, limit));
+ }
+ 
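Review bot: The removed glob2() line in this hunk has been wrapped by the mailer (the bare `pattern,` line carries no `+` prefix), and the `diff -ruN` header above it is split across two lines, so the `+1,13` count no longer matches and the patch will not apply cleanly as mailed; please resend it unwrapped or as an attachment. On the fix itself, `pathbuf + sizeof(pathbuf) - 1` only points at the last element when `*pathbuf` is one byte wide, because pointer arithmetic already scales by the element size, so using the element count `sizeof(pathbuf) / sizeof(*pathbuf)` is the right bound. The declaration of pathbuf is outside the hunk, so confirm it is a true array in this scope rather than a pointer (where sizeof would give the pointer size), and check any other place in glob.c that derives an end pointer from sizeof for the same byte-versus-element mistake. A short comment next to the new expression saying the limit is in elements, not bytes, would help keep it from regressing, and the continuation line `pglob, limit));` should be re-indented to line up with the re-wrapped arguments.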
      

>Release-Note:
>Audit-Trail:
>Unformatted:


