Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug

From: Robert Watson (rwatson_at_freebsd.org)
Date: 07/31/03

  • Next message: polytarp_at_cyberspace.org: "Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug"
    Date: Thu, 31 Jul 2003 15:19:24 -0400 (EDT)
    To: John Fox <jjf@mind.net>
    
    

    On Thu, 31 Jul 2003, John Fox wrote:

    > I see in BugTraq that there's yet another problem with Wu-ftpd, but I
    > see no mention of it in the freebsd-security mailing list archives...I
    > have searched the indexes from all of June and July.
    >
    > Wu is pretty widely used, so I'm surprised that nobody seems to have
    > mentioned this problem in this forum.
    >
    > The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
    > reason to assume that FreeBSD machines aren't vulnerable, too. Which is
    > why I am confused as to the lack of discussion of this matter.
    >
    > Can anyone shed some light on this?

    I can't speak to specifically why there hasn't been an advisory of some
    sort for this specific vulnerability, but I can say that the primary
    reason why wu-ftpd issues don't get much discussion on FreeBSD lists
    compared to Linux lists is that the default FTP server in FreeBSD isn't
    wu-ftpd, unlike many Linux distributions. It's considered a third party
    software package, which means it will generally be covered in ports
    security notices, as opposed to FreeBSD security advisories. In the past,
    a number of vulnerabilities in various FTP packages have been associated
    with bugs in library code, not in the FTP daemon itself -- for example, at
    least one or two cases were associates with the libc glob code. This can
    also affect whether a vulnerability applies on all OS's, or just a few.

    Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
    robert@fledge.watson.org Network Associates Laboratories

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: polytarp_at_cyberspace.org: "Re: Wu-ftpd FTP server contains remotely exploitable off-by-one bug"

    Relevant Pages