http://secunia.com/advisories/17021/ http://genesys.ro/pipermail/prozilla/2005-September/000790.html AFAICT, 1.3.7.4-1 is affected.
I've backported the fix for this in newer versions of prozilla to 1.3.7.4 (prozilla is not maintained by me, so I don't want to move to a newer version). When backporting I noticed that the fix was not correct: it strncpy's up to out_size bytes and then does out[out_size] = 0; say out_size is 512, then the code does out[512] = 0; iow it writes a 0 to the 513th place of the array. This is a typical off-by-one error, and a buffer overflow (if only by one char). I've also checked the other uses of strncpy in ftpsearch.c; the one other piece of code using strncpy passes the resulting string to strlen before making sure it's 0 terminated (bad). Last, I've cleaned up the code by using sizeof(buf)/sizeof(char) instead of just sizeof(buf) as sizeof(char) is not always 1. I've sent the fixes upstream and I'll attach a patch against 1.3.7.4 fixing all this.
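The two strncpy defects described in the comment above, as an added C example that is not prozilla's code (helper names and the sample input are assumptions): copy_bounded() is the corrected pattern, copying at most out_size - 1 bytes and writing the terminator at out[out_size - 1] instead of one past the end, and strncpy_is_terminated() shows why calling strlen() on a plain strncpy() result is unsafe when the source fills the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not prozilla code.
 * Bounded copy that mirrors the corrected fix: copy at most out_size - 1
 * bytes, then terminate inside the buffer at out[out_size - 1] (the
 * original fix wrote out[out_size], one byte past the end).
 * Returns 1 if the input was truncated, 0 if it fit, -1 if out_size is 0. */
int copy_bounded(char *out, size_t out_size, const char *in)
{
    size_t in_len;
    if (out_size == 0)
        return -1;              /* not even the terminator would fit */
    in_len = strlen(in);
    strncpy(out, in, out_size - 1);
    out[out_size - 1] = '\0';   /* always within bounds */
    return in_len >= out_size;  /* truncated? */
}

/* Second defect: strncpy() does not terminate when the source is at least
 * n bytes long, so strlen() on the result would read past the buffer.
 * Returns 1 if a NUL exists within buf_size bytes (strlen would be safe),
 * 0 if strncpy left the buffer unterminated. memchr() is used instead of
 * strlen() so the check itself never reads out of bounds. */
int strncpy_is_terminated(const char *src, char *buf, size_t buf_size)
{
    memset(buf, 'X', buf_size);   /* poison so a missing NUL is visible */
    strncpy(buf, src, buf_size);
    return memchr(buf, '\0', buf_size) != NULL;
}

int main(void)
{
    char small[8];
    /* constructed input, longer than the 8-byte buffer */
    const char *long_name = "a_file_name_longer_than_eight_bytes";

    printf("strncpy alone terminated? %d\n",
           strncpy_is_terminated(long_name, small, sizeof small));
    printf("copy_bounded truncated? %d -> \"%s\"\n",
           copy_bounded(small, sizeof small, long_name), small);
    return 0;
}
```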
Created attachment 122812: patch fixing the reported problems. Anvil, I know you're very busy and I have CVS access myself; shall I include this patch, bump the release and push through a build?
Repeating myself: Anvil, I know you're very busy and I have CVS access myself; shall I include THE patch, bump the release and push through a build?
pinggggggggg?
In my opinion, this bug has been open for (far) more than enough time without the maintainer replying to it, so I think it's fair to just go ahead if you have the fix handy.
I'll give it another day or 2 and then push through the patch.
I've committed my changes / fix and done a successful rebuild for FC-3, 4 and devel.