Bug 152688 - wu-ftpd CAN-2004-0148, CAN-2004-0185
Summary: wu-ftpd CAN-2004-0148, CAN-2004-0185
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL: http://www.securityfocus.com/archive/...
Whiteboard: LEGACY, QA, rh73
Depends On:
Blocks:
 
Reported: 2004-03-12 12:25 UTC by John Dalbec
Modified: 2007-04-18 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-05 22:53:29 UTC
Embargoed:



Description David Lawrence 2005-03-30 23:24:03 UTC
04.10.15 CVE: CAN-2004-0148, CAN-2004-0185
Platform: Unix
Title: WU-FTPD Restricted-gid and Buffer Overflow Vulnerability
Description: Debian has reported that WU-FTPD is affected by two
vulnerabilities. The first one is related to the "restricted-gid"
feature which allows an administrator to restrict FTP user access to
certain directories. The vulnerability allows users to bypass those
restrictions through modifying the permissions on their home
directory. The second vulnerability is a buffer overflow in the
server's implementation of S/KEY authentication.
Ref: http://www.securityfocus.com/archive/1/356748/2004-03-07/2004-03-13/0



------- Additional Comments From jackiem 2004-03-22 10:33:21 ----

I'm not sure how well this plays out with the putting things in the works to
include in the update, but I've put together an updated wu-ftpd that includes
patches for these vulnerabilities, blatantly stolen from the 2.1 AS
distribution.  srpms and rpms can be gotten at
ftp://ftp.iddl.vt.edu/pub/updates/wu-ftpd-2.6.2-12.73.1.i386.rpm
and 
ftp://ftp.iddl.vt.edu/pub/updates/wu-ftpd-2.6.2-12.73.1.src.rpm

enjoy, and let me know any issues that arise with these.



------- Additional Comments From jpdalbec 2004-03-24 09:13:57 ----

Created an attachment (id=598)
Patch for CVE-1999-0997

This patch is from the Debian package. It adds "--" before "%s" in
/etc/ftpconversions and /usr/share/doc/wu-ftpd-2.6.2/examples/ftpconversions to
prevent users from adding options to the command.  In the case of tar the
--use-compress-program option can be used to run arbitrary programs.  If the
patch is applied with .b then the backup file in the "examples" directory must
be removed or it will be packaged into the RPM.
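An added audit script, not part of this bug or of the Debian patch, that checks an ftpconversions file for the defect the comment above describes: a conversion command whose "%s" is not preceded by "--", so a client-chosen filename can be parsed as an option. The sample file content is constructed here, modelled on the stock wu-ftpd layout (eight colon-separated fields, command in the fifth); `harden_command` applies the same "--" insertion as the Debian fix.

```python
"""Audit ftpconversions entries for the CVE-1999-0997 option-injection fix."""
import shlex

# Constructed sample, modelled on the stock wu-ftpd ftpconversions layout:
# strip prefix:strip postfix:addon prefix:addon postfix:command:types:options:description
SAMPLE_FTPCONVERSIONS = """\
# conversions consulted when a client requests name.gz, name.tar, ...
 :.gz: :  :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
 :  :  :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP
 :  :  :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
 :  :  :.tar.gz:/bin/tar -c -z -f - -- %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
"""


def parse_entries(text):
    """Return (line_no, fields) for each eight-field entry; comments and blanks skipped."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 8:
            continue  # malformed: wu-ftpd expects exactly eight colon-separated fields
        entries.append((no, fields))
    return entries


def command_is_guarded(command):
    """True if the %s argument is preceded by a literal '--' (end-of-options) argument."""
    argv = shlex.split(command)
    if "%s" not in argv:
        return True  # nothing client-controlled is substituted into this command
    return "--" in argv and argv.index("--") < argv.index("%s")


def find_unguarded(text):
    """List (line_no, description, command) for entries a filename could turn into an option."""
    return [(no, f[7], f[4]) for no, f in parse_entries(text) if not command_is_guarded(f[4])]


def harden_command(command):
    """Insert '--' before %s, mirroring the Debian ftpconversions patch; no-op if already guarded."""
    if command_is_guarded(command):
        return command
    head, sep, tail = command.partition("%s")
    return f"{head.rstrip()} -- {sep}{tail}"


if __name__ == "__main__":
    for no, desc, cmd in find_unguarded(SAMPLE_FTPCONVERSIONS):
        print(f"line {no} ({desc}): {cmd!r} -> {harden_command(cmd)!r}")
```

Run it against /etc/ftpconversions on a real host to confirm every entry that substitutes %s carries the "--" guard after the update is installed.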



------- Additional Comments From jpdalbec 2004-04-01 11:30:13 ----


RH 7.3:

97814df859305410d2aca1d24d5c72164ab704ca  wu-ftpd-2.6.2-12.73.1.src.rpm

I built custom RPMs with the CVE-1999-0997 patch I posted and two bugfix
patches that Red Hat never accepted (wrong name/facility in syslog; active
SSL data connections fail).  Those RPMs work fine.  The new -escape patch
is a rediff of the Debian version because Red Hat added a lot of #ifdefs
to that section of ftpd.c.  The new -skeychallenge patch matches the Debian
version exactly.

I would take issue with the changelog entry since the time_fix and
connect_dos patches are commented out.  Instead of:
        - bugfix release: connect_dos, skeychallenge
        - bugfix for xferlog: using TZ environment variable (#115979)
I would recommend:
        - bugfix release CAN-2004-0185 skeychallenge
Otherwise the .spec file looks OK.

I would recommend including the CVE-1999-0997 patch I posted.
For comparison purposes see http://security.debian.org/pool/updates/
        main/w/wu-ftpd/wu-ftpd_2.6.2-3woody4.diff.gz
(Sorry, had to split URL across two lines.)

- --- wu-ftpd-2.6.2-11.73.1/wu-ftpd.spec        Mon Jul 28 06:46:05 2003
+++ wu-ftpd-2.6.2-12.73.1/wu-ftpd.spec  Mon Mar 22 14:48:56 2004
@@ -1,7 +1,7 @@
 Summary: An FTP daemon provided by Washington University.
 Name: wu-ftpd
 Version: 2.6.2
- -Release: 11.73.1
+Release: 12.73.1
 License: BSD
 Group: System Environment/Daemons
 URL: http://www.wu-ftpd.org/
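Review bot: the `- ---` header and `- -Release: 11.73.1` lines in this hunk carry PGP clearsign dash-escaping, not spec content; anyone applying the diff from the bug text must strip the leading `- ` (or verify the signed message with gpg and take the output) or patch will reject the hunk. The release bump itself is fine.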
@@ -15,6 +15,10 @@
 Patch5: wu-ftpd-2.6.0-owners.patch
 Patch6: wu-ftpd-2.7.0-snapshot-bison.patch
 Patch7: wu-ftpd-2.6.2-realpatch.patch
+Patch8: wu-ftpd-2.6.2-escape.patch
+#Patch9: wu-ftpd-2.6.2-time_fix.patch
+#Patch10: wu-ftpd-2.6.1-connect_dos.patch
+Patch11: wu-ftpd-2.6.2-skeychallenge.patch
 Provides: ftpserver
 Prereq: fileutils, openssl
 Requires: xinetd, /etc/pam.d/system-auth
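Review bot: Patch9 (time_fix) and Patch10 (connect_dos) are declared but commented out, while the changelog added later in this same spec still credits connect_dos and the xferlog/TZ fix (#115979); either apply them or drop the two commented declarations so the spec states what it ships. A short comment tying Patch8 (escape) to CAN-2004-0148 and Patch11 (skeychallenge) to CAN-2004-0185 next to the declarations would also make later audits easier.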
@@ -38,6 +42,10 @@
 %patch5 -p1 -b .owners
 %patch6 -p1 -b .bison
 %patch7 -p1 -b .realpath
+%patch8 -p1 -b .escape
+#%patch9 -p1 -b .time_fix
+#%patch10 -p1 -b .connect_dos
+%patch11 -p1 -b .skeychallenge
 find . -type d -name CVS |xargs rm -rf
 
 if pkg-config openssl ; then
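Review bot: `#%patch9` and `#%patch10` leave a `%` macro inside a comment, and rpm expands macros in comments; write `#%%patch9` / `#%%patch10`, or delete the two lines along with their commented Patch declarations, to avoid surprises at build time. The `-b` backup suffixes on the applied patches match their declarations.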
@@ -112,6 +120,12 @@
 %{_bindir}/*
 
 %changelog
+* Mon Mar  22 2004 Jackie Meese <jackiem> 2.6.2-12.73.1
+- bugfix release CAN-2004-0148 escape from home
+- bugfix release: connect_dos, skeychallenge
+- bugfix for xferlog: using TZ environment variable (#115979)
+
+
 * Mon Jul 28 2003 Thomas Woerner <twoerner> 2.6.2-11.73.1
 - bugfix release CAN-2003-0466 off-by-one
 
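Review bot: the changelog line `- bugfix release: connect_dos, skeychallenge` names a patch (connect_dos) that this same diff leaves commented out, and `- bugfix for xferlog: using TZ environment variable (#115979)` corresponds to the disabled time_fix patch; replace both with `- bugfix release CAN-2004-0185 skeychallenge`, as proposed in this comment, so the changelog matches the patches actually applied. The two added blank lines also leave a double gap before the 2.6.2-11.73.1 entry; one is enough.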




------- Additional Comments From jkeating 2004-05-18 18:32:27 ----

In reply to comment #3, do you wish to apply these patches to RHL8's version of
wu, then we can release the whole thing at once, 7.2-8.0 all the same version.
Seems only a build number separates 7.3 from 8.0.



------- Additional Comments From marcdeslauriers 2004-05-22 18:20:14 ----


I added the three following patches to the original 8.0 packages:

CAN-1999-0997
CAN-2004-0148
CAN-2004-0185

The source rpm can be used to build 7.2, 7.3 and 8.0.

2d970fd608262d4deecba1733918bc1b74148094  wu-ftpd-2.6.2-13.legacy.i386.rpm
c9d84d8e20a335128e177f4f78f5419ba134f9ba  wu-ftpd-2.6.2-13.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/wu-ftpd-2.6.2-13.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/wu-ftpd-2.6.2-13.legacy.src.rpm






------- Additional Comments From jkeating 2004-05-31 11:41:34 ----

Pushed to updates-testing.

  http://download.fedoralegacy.org/redhat/
 
4fafbba3bd2a5522d5ad39ad4a1ae742751628d5  7.3/updates-testing/SRPMS/wu-ftpd-2.6.2-14.legacy.7x.src.rpm
8005185d531ffc61f6b749b7a49b4875fbd49e33  7.3/updates-testing/i386/wu-ftpd-2.6.2-14.legacy.7x.i386.rpm



------- Additional Comments From norbert.warmuth 2004-06-04 00:03:18 ----

wu-ftpd-2.6.2-14.legacy.7x.i386.rpm lacks pam support (missing BuildRequires:
pam-devel):

$ rpm -q wu-ftpd 
wu-ftpd-2.6.2-14.legacy.7x
$ ldd /usr/sbin/in.ftpd 
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40018000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40046000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4005b000)
        libssl.so.2 => /lib/libssl.so.2 (0x4006c000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x40099000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        libdl.so.2 => /lib/libdl.so.2 (0x4015d000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)





------- Additional Comments From jpdalbec 2004-06-04 02:53:37 ----


New RH 7.3 wu-ftpd packages are available.

sha1sums:
cd99299abbf0ee898b246b7dd31159ed8248c534
http://cc.ysu.edu/~jpdalbec/wu-ftpd-2.6.2-15.7x.legacy.i386.rpm
585d76eef4e987de84257e1da33273905b4a6d6f
http://cc.ysu.edu/~jpdalbec/wu-ftpd-2.6.2-15.7x.legacy.src.rpm

* Fri Jun 4 2004 John Dalbec <jpdalbec> 2.6.2-15.7x.legacy
- Added pam-devel to buildreqs
- Added bugfix patch to reopen syslog after calling PAM
- Added bugfix patch to fix active-mode SSL data connections


I tested the packages on RH 7.3.



------- Additional Comments From marcdeslauriers 2004-06-07 14:11:03 ----


QA'd the 7.3 package:

585d76eef4e987de84257e1da33273905b4a6d6f wu-ftpd-2.6.2-15.7x.legacy.src.rpm

- sha1sum matches
- Spec file changes are good
- Patch files look good
- Other sources are OK when diffed with previous release
- Builds OK
- Installs OK
- Runs OK

+PUBLISH





------- Additional Comments From jkeating 2004-06-10 16:19:50 ----

re-pushed to updates-testing.

  http://download.fedoralegacy.org/redhat/
 
5b50aa3a91d8bb30aa860ac05ca7b2ea60f91c05  7.3/updates-testing/SRPMS/wu-ftpd-2.6.2-15.7x.legacy.src.rpm
6215a42cadf71683e87a4b7ffa54fd7b37d106a9  7.3/updates-testing/i386/wu-ftpd-2.6.2-15.7x.legacy.i386.rpm




------- Additional Comments From rmy.uk 2004-06-17 23:58:34 ----


I've installed the RPM on four machines, though only one of these
is a dedicated ftp server.  Everything seems to work as expected,
both uploading and downloading.



------- Bug moved to this database by dkl 2005-03-30 18:24 -------

This bug previously known as bug 1376 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1376
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Patch for CVE-1999-0997
https://bugzilla.fedora.us/attachment.cgi?action=view&id=598

Unknown priority P1. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



