Re: ftpd security issue ?

On 11/30/2011 8:16 PM, Xin LI wrote:

> Sorry I patched at the wrong place, this one should do.
>
> Note however this is not sufficient to fix the problem, for instance
> one can still upload .so's that run arbitrary code at his privilege,
> which has to be addressed in libc. I need some time to play around
> with libc to really fix this one.

Yes, that looks better! With respect to users uploading .so files, I
guess why not just upload executables directly? Although I suppose if
they are not allowed to execute anything, this would be a way around that.

Now to prod the proftpd folks.


Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@xxxxxxxxxx
Providing Internet services since 1994
Cambridge, Ontario Canada