Bug 12890

Summary: wu-ftpd remote hole (PATCH)
Product: [Retired] Red Hat Linux
Reporter: Pekka Savola <pekkas>
Component: wu-ftpd
Assignee: Bernhard Rosenkraenzer <bero>
Status: CLOSED ERRATA
Severity: medium
Priority: high
Version: 6.2
CC: gedetil
Keywords: Security
Hardware: i386
OS: Linux
Last Closed: 2000-06-23 22:07:11 UTC
Attachments: security patch for the latest bug (HTH)

Description Pekka Savola 2000-06-23 22:05:28 UTC
Yet another wu-ftpd remote hole was reported (w/ intentionally broken 
sploit) on BugTraq yesterday.

I couldn't check this further, but an attached patch (from Conectiva
Linux, similar stuff in Debian) might help.

Comment 1 Pekka Savola 2000-06-23 22:07:07 UTC
Created attachment 698
security patch for the latest bug (HTH)

Comment 2 Bernhard Rosenkraenzer 2000-06-23 22:09:01 UTC
We're aware of it and have already built an updated package.
It'll be released as soon as the QA guys approve it, should be only a couple
more minutes.

Comment 3 Gilbert E. Detillieux 2000-06-28 15:26:28 UTC
The security patch included in the updated package fixes only the problems
with the *printf-style % format specifications (the known exploit of the
site exec bug).  The patch submitted by pekkas is different,
in that it deals with other potential buffer overrun problems related to
the site exec command.  Would it not be a good idea to include both patches?