04.10.15 CVE: CAN-2004-0148, CAN-2004-0185
Platform: Unix
Title: WU-FTPD Restricted-gid and Buffer Overflow Vulnerability
Description: Debian has reported that WU-FTPD is affected by two vulnerabilities. The first one is related to the "restricted-gid" feature which allows an administrator to restrict FTP user access to certain directories. The vulnerability allows users to bypass those restrictions through modifying the permissions on their home directory. The second vulnerability is a buffer overflow in the server's implementation of S/KEY authentication.
Ref: http://www.securityfocus.com/archive/1/356748/2004-03-07/2004-03-13/0

------- Additional Comments From jackiem 2004-03-22 10:33:21 ----
I'm not sure how well this plays out with the putting things in the works to include in the update, but I've put together an updated wu-ftpd that includes patches for these vulnerabilities, blatantly stolen from the 2.1 AS distribution. srpms and rpms can be gotten at
ftp://ftp.iddl.vt.edu/pub/updates/wu-ftpd-2.6.2-12.73.1.i386.rpm and
ftp://ftp.iddl.vt.edu/pub/updates/wu-ftpd-2.6.2-12.73.1.src.rpm
enjoy, and let me know any issues that arise with these.

------- Additional Comments From jpdalbec 2004-03-24 09:13:57 ----
Created an attachment (id=598)
Patch for CVE-1999-0997

This patch is from the Debian package. It adds "--" before "%s" in /etc/ftpconversions and /usr/share/doc/wu-ftpd-2.6.2/examples/ftpconversions to prevent users from adding options to the command. In the case of tar the --use-compress-program option can be used to run arbitrary programs. If the patch is applied with .b then the backup file in the "examples" directory must be removed or it will be packaged into the RPM.
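An added checker for the ftpconversions fix jpdalbec describes (example code written for this page, not the Debian patch or wu-ftpd's own code): it parses entries in the ftpconversions layout, flags every external command whose %s is not preceded by a literal "--", and shows the guarded form the patch produces. The sample entries are constructed, and the check assumes the external commands use GNU-style option parsing, which honours "--".

```python
"""Added checker for the ftpconversions fix discussed in the thread (not the
Debian patch or wu-ftpd's own code): every external command that receives the
user-supplied filename via %s should carry a literal "--" first, so a name
beginning with '-' reaches tar/gzip as an operand rather than an option."""
import shlex

# Constructed sample in /etc/ftpconversions layout: eight colon-separated
# fields, the fifth being the external command wu-ftpd runs.
SAMPLE_FTPCONVERSIONS = """\
# constructed sample, not a real /etc/ftpconversions
 : : :.gz:/bin/gzip -9 -c %s:T_REG|T_ASCII:O_COMPRESS:GZIP
 :.gz: : :/bin/gzip -d -c -- %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
 : : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
 : : :.tar.gz:/bin/tar -c -z -f - -- %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
"""
COMMAND_FIELD = 4  # zero-based index of the external-command field

def parse_conversions(text):
    """Yield (line_no, fields) for every non-blank, non-comment entry."""
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) > COMMAND_FIELD:
            yield no, fields

def command_is_guarded(command):
    """True when every %s word comes after a literal '--' word."""
    seen_terminator = False
    for word in shlex.split(command):
        if word == "--":
            seen_terminator = True
        elif "%s" in word and not seen_terminator:
            return False
    return True

def find_unguarded(text):
    """List (line_no, command) for entries whose %s can still carry options."""
    return [(no, f[COMMAND_FIELD].strip()) for no, f in parse_conversions(text)
            if not command_is_guarded(f[COMMAND_FIELD])]

def guard_command(command):
    """Insert '--' before the first %s word, as the Debian patch does."""
    if command_is_guarded(command):
        return command
    words = shlex.split(command)
    words.insert(next(i for i, w in enumerate(words) if "%s" in w), "--")
    return " ".join(words)
```

Run find_unguarded over a real /etc/ftpconversions to list the entries that still need the patch; entries without %s are reported as guarded because there is nothing to protect.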
------- Additional Comments From jpdalbec 2004-04-01 11:30:13 ----
RH 7.3:
97814df859305410d2aca1d24d5c72164ab704ca wu-ftpd-2.6.2-12.73.1.src.rpm

I built custom RPMs with the CVE-1999-0997 patch I posted and two bugfix patches that Red Hat never accepted (wrong name/facility in syslog; active SSL data connections fail). Those RPMs work fine.

The new -escape patch is a rediff of the Debian version because Red Hat added a lot of #ifdefs to that section of ftpd.c. The new -skeychallenge patch matches the Debian version exactly.

I would take issue with the changelog entry since the time_fix and connect_dos patches are commented out. Instead of:
- bugfix release: connect_dos, skeychallenge
- bugfix for xferlog: using TZ environment variable (#115979)
I would recommend:
- bugfix release CAN-2004-0185 skeychallenge

Otherwise the .spec file looks OK. I would recommend including the CVE-1999-0997 patch I posted. For comparison purposes see
http://security.debian.org/pool/updates/
main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4.diff.gz
(Sorry, had to split URL across two lines.)

--- wu-ftpd-2.6.2-11.73.1/wu-ftpd.spec	Mon Jul 28 06:46:05 2003
+++ wu-ftpd-2.6.2-12.73.1/wu-ftpd.spec	Mon Mar 22 14:48:56 2004
@@ -1,7 +1,7 @@
 Summary: An FTP daemon provided by Washington University.
 Name: wu-ftpd
 Version: 2.6.2
-Release: 11.73.1
+Release: 12.73.1
 License: BSD
 Group: System Environment/Daemons
 URL: http://www.wu-ftpd.org/
@@ -15,6 +15,10 @@
 Patch5: wu-ftpd-2.6.0-owners.patch
 Patch6: wu-ftpd-2.7.0-snapshot-bison.patch
 Patch7: wu-ftpd-2.6.2-realpatch.patch
+Patch8: wu-ftpd-2.6.2-escape.patch
+#Patch9: wu-ftpd-2.6.2-time_fix.patch
+#Patch10: wu-ftpd-2.6.1-connect_dos.patch
+Patch11: wu-ftpd-2.6.2-skeychallenge.patch
 Provides: ftpserver
 Prereq: fileutils, openssl
 Requires: xinetd, /etc/pam.d/system-auth
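Review bot: the preamble requires PAM at run time (`Requires: xinetd, /etc/pam.d/system-auth`) but no `BuildRequires: pam-devel` is visible in this region; if the spec has none, a build host without pam-devel yields an in.ftpd linked without libpam (the ldd output later in this thread shows exactly that), so add `BuildRequires: pam-devel` next to the `Prereq:` line. Also, `#Patch9:` and `#Patch10:` are kept as comments: if time_fix and connect_dos are intentionally dropped, delete the lines rather than leaving dead entries for the changelog to drift from.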
@@ -38,6 +42,10 @@
 %patch5 -p1 -b .owners
 %patch6 -p1 -b .bison
 %patch7 -p1 -b .realpath
+%patch8 -p1 -b .escape
+#%patch9 -p1 -b .time_fix
+#%patch10 -p1 -b .connect_dos
+%patch11 -p1 -b .skeychallenge
 find . -type d -name CVS |xargs rm -rf
 if pkg-config openssl ; then
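Review bot: `#%patch9` and `#%patch10` should not be left as comments: rpmbuild expands macros on `#` lines as well, so a commented-out `%patch` is not reliably inert; either delete the two lines or write them as `%%patch9` / `%%patch10`. With these two disabled while `%patch8` and `%patch11` are applied, the changelog entry further down that lists connect_dos as included must be corrected to match (the wording jpdalbec suggests above does that).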
@@ -112,6 +120,12 @@
 %{_bindir}/*
 %changelog
+* Mon Mar 22 2004 Jackie Meese <jackiem> 2.6.2-12.73.1
+- bugfix release CAN-2004-0148 escape from home
+- bugfix release: connect_dos, skeychallenge
+- bugfix for xferlog: using TZ environment variable (#115979)
+
+
 * Mon Jul 28 2003 Thomas Woerner <twoerner> 2.6.2-11.73.1
 - bugfix release CAN-2003-0466 off-by-one

------- Additional Comments From jkeating 2004-05-18 18:32:27 ----
In reply to comment #3, do you wish to apply these patches to RHL8's version of wu, then we can release the whole thing at once, 7.2-8.0 all the same version. Seems only a build number separates 7.3 from 8.0.

------- Additional Comments From marcdeslauriers 2004-05-22 18:20:14 ----
I added the three following patches to the original 8.0 packages:
CAN-1999-0997
CAN-2004-0148
CAN-2004-0185

The source rpm can be used to build 7.2, 7.3 and 8.0.

2d970fd608262d4deecba1733918bc1b74148094 wu-ftpd-2.6.2-13.legacy.i386.rpm
c9d84d8e20a335128e177f4f78f5419ba134f9ba wu-ftpd-2.6.2-13.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/wu-ftpd-2.6.2-13.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/wu-ftpd-2.6.2-13.legacy.src.rpm

------- Additional Comments From jkeating 2004-05-31 11:41:34 ----
Pushed to updates-testing.
http://download.fedoralegacy.org/redhat/
4fafbba3bd2a5522d5ad39ad4a1ae742751628d5 7.3/updates-testing/SRPMS/wu-ftpd-2.6.2-14.legacy.7x.src.rpm
8005185d531ffc61f6b749b7a49b4875fbd49e33 7.3/updates-testing/i386/wu-ftpd-2.6.2-14.legacy.7x.i386.rpm

------- Additional Comments From norbert.warmuth 2004-06-04 00:03:18 ----
wu-ftpd-2.6.2-14.legacy.7x.i386.rpm lacks pam support (missing BuildRequires: pam-devel):

$ rpm -q wu-ftpd
wu-ftpd-2.6.2-14.legacy.7x
$ ldd /usr/sbin/in.ftpd
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40018000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40046000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4005b000)
        libssl.so.2 => /lib/libssl.so.2 (0x4006c000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x40099000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        libdl.so.2 => /lib/libdl.so.2 (0x4015d000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

------- Additional Comments From jpdalbec 2004-06-04 02:53:37 ----
New RH 7.3 wu-ftpd packages are available.

sha1sums:
cd99299abbf0ee898b246b7dd31159ed8248c534 http://cc.ysu.edu/~jpdalbec/wu-ftpd-2.6.2-15.7x.legacy.i386.rpm
585d76eef4e987de84257e1da33273905b4a6d6f http://cc.ysu.edu/~jpdalbec/wu-ftpd-2.6.2-15.7x.legacy.src.rpm

* Fri Jun 4 2004 John Dalbec <jpdalbec> 2.6.2-15.7x.legacy
- Added pam-devel to buildreqs
- Added bugfix patch to reopen syslog after calling PAM
- Added bugfix patch to fix active-mode SSL data connections

I tested the packages on RH 7.3.
------- Additional Comments From marcdeslauriers 2004-06-07 14:11:03 ----
QA'd the 7.3 package:
585d76eef4e987de84257e1da33273905b4a6d6f wu-ftpd-2.6.2-15.7x.legacy.src.rpm

- sha1sum matches
- Spec file changes are good
- Patch files look good
- Other sources are OK when diffed with previous release
- Builds OK
- Installs OK
- Runs OK

+PUBLISH

------- Additional Comments From jkeating 2004-06-10 16:19:50 ----
re-pushed to updates-testing.

http://download.fedoralegacy.org/redhat/
5b50aa3a91d8bb30aa860ac05ca7b2ea60f91c05 7.3/updates-testing/SRPMS/wu-ftpd-2.6.2-15.7x.legacy.src.rpm
6215a42cadf71683e87a4b7ffa54fd7b37d106a9 7.3/updates-testing/i386/wu-ftpd-2.6.2-15.7x.legacy.i386.rpm

------- Additional Comments From rmy.uk 2004-06-17 23:58:34 ----
I've installed the RPM on four machines, though only one of these is a dedicated ftp server. Everything seems to work as expected, both uploading and downloading.

------- Bug moved to this database by dkl 2005-03-30 18:24 -------
This bug previously known as bug 1376 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1376
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Patch for CVE-1999-0997
https://bugzilla.fedora.us/attachment.cgi?action=view&id=598

Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.