John Fox
2003-Jul-31 18:05 UTC
Wu-ftpd FTP server contains remotely exploitable off-by-one bug
Hello,

I see in BugTraq that there's yet another problem with Wu-ftpd, but I see no mention of it in the freebsd-security mailing list archives. I have searched the indexes from all of June and July.

Wu is pretty widely used, so I'm surprised that nobody seems to have mentioned this problem in this forum.

The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no reason to assume that FreeBSD machines aren't vulnerable, too. Which is why I am confused as to the lack of discussion of this matter.

Can anyone shed some light on this?

Thank you,

John
--
+---------------------------------------------------------------------------+
| John Fox <jjf@mind.net> | System Administrator | InfoStructure |
+---------------------------------------------------------------------------+
| "The people and friends that we have lost, the dreams that have faded... |
| never forget them." -- Yuna, Final Fantasy X |
+---------------------------------------------------------------------------+
polytarp@cyberspace.org
2003-Jul-31 18:16 UTC
Wu-ftpd FTP server contains remotely exploitable off-by-one bug
On Thu, 31 Jul 2003 jjf@mind.net wrote:

> Hello,
>
> I see in BugTraq that there's yet another problem with Wu-ftpd, but I see
> no mention of it in the freebsd-security mailing list archives. I have
> searched the indexes from all of June and July.
>
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum.
>
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too. Which is
> why I am confused as to the lack of discussion of this matter.
>
> Can anyone shed some light on this?
>
> Thank you,
>
> John
> --
> | John Fox <jjf@mind.net> | System Administrator | InfoStructure |
> | "The people and friends that we have lost, the dreams that have faded... |
> | never forget them." -- Yuna, Final Fantasy X |
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Buffer overflows which work on Linux do not work on FreeBSD.
Mike Tancsa
2003-Jul-31 18:24 UTC
Wu-ftpd FTP server contains remotely exploitable off-by-one bug
At 02:40 PM 31/07/2003 -0400, polytarp@cyberspace.org wrote:

> Buffer overflows which work on Linux do not work on FreeBSD.

You need to qualify that statement. Yes, there are some that will not be relevant and the exact same exploit code will not work. But "Buffer overflows which work on Linux do not work on FreeBSD" is dangerously misleading... In the case of wu-ftpd there have been several issues in the past that affected both FreeBSD and Linux. Same bug, different exploit code, both vulnerable.

That being said, I haven't had a chance to review this one so I don't know.

---Mike
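The point above is that an off-by-one bounds error is a defect in the C source and exists on every OS the code is built for; only exploitation details differ. The following is an added illustration, not code from wu-ftpd or from anyone in this thread: a constructed length check that accepts one byte too many, beside the corrected check, with the spill observed inside a deliberately larger heap block so the demonstration itself stays within memory it owns. The buffer size and helper names are made up for this example.

```c
#include <stdlib.h>
#include <string.h>

#define PATHBUF 16   /* constructed buffer size, kept small so the edge is visible */

/* Buggy: the guard allows strlen(src) == PATHBUF, so the terminating NUL
 * is written to dst[PATHBUF], one byte past the end of a PATHBUF-sized
 * buffer. The comparison should have been ">=".
 * Returns 0 on copy, -1 on reject. */
static int copy_path_buggy(char *dst, const char *src)
{
    size_t n = strlen(src);
    if (n > PATHBUF)            /* off by one: should be n >= PATHBUF */
        return -1;
    memcpy(dst, src, n + 1);    /* n + 1 bytes: the NUL is the extra one */
    return 0;
}

/* Corrected: reject any input whose NUL would not fit in PATHBUF bytes. */
static int copy_path_fixed(char *dst, const char *src)
{
    size_t n = strlen(src);
    if (n >= PATHBUF)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Observe the spill in a well-defined way: the "buffer" is the first
 * PATHBUF bytes of a 2*PATHBUF heap block filled with 0xAA. If the buggy
 * copy accepted a PATHBUF-character input, mem[PATHBUF] is now 0x00.
 * Returns 1 if the byte past the buffer was overwritten, 0 if not,
 * -1 on allocation failure. */
static int buggy_spills(void)
{
    const char *in = "0123456789abcdef";   /* exactly PATHBUF characters */
    unsigned char *mem = malloc(2 * PATHBUF);
    if (mem == NULL)
        return -1;
    memset(mem, 0xAA, 2 * PATHBUF);
    int rc = copy_path_buggy((char *)mem, in);
    int spilled = (rc == 0 && mem[PATHBUF] == 0x00);
    free(mem);
    return spilled;
}
```

The same input is rejected by the corrected check, which is the whole fix: the platform only decides what the stray byte lands on, not whether it is written.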
Robert Watson
2003-Jul-31 18:52 UTC
Wu-ftpd FTP server contains remotely exploitable off-by-one bug
On Thu, 31 Jul 2003, John Fox wrote:

> I see in BugTraq that there's yet another problem with Wu-ftpd, but I
> see no mention of it in the freebsd-security mailing list archives. I
> have searched the indexes from all of June and July.
>
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum.
>
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too. Which is
> why I am confused as to the lack of discussion of this matter.
>
> Can anyone shed some light on this?

I can't speak to specifically why there hasn't been an advisory of some sort for this specific vulnerability, but I can say that the primary reason why wu-ftpd issues don't get much discussion on FreeBSD lists compared to Linux lists is that the default FTP server in FreeBSD isn't wu-ftpd, unlike many Linux distributions. It's considered a third party software package, which means it will generally be covered in ports security notices, as opposed to FreeBSD security advisories.

In the past, a number of vulnerabilities in various FTP packages have been associated with bugs in library code, not in the FTP daemon itself -- for example, at least one or two cases were associated with the libc glob code. This can also affect whether a vulnerability applies on all OSes, or just a few.

Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org Network Associates Laboratories
Jacques A. Vidrine
2003-Jul-31 23:08 UTC
Wu-ftpd FTP server contains remotely exploitable off-by-one bug
On Thu, Jul 31, 2003 at 11:35:53AM -0700, John Fox wrote:

> Hello,
>
> I see in BugTraq that there's yet another problem with Wu-ftpd, but I see
> no mention of it in the freebsd-security mailing list archives. I have
> searched the indexes from all of June and July.
>
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum.
>
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too. Which is
> why I am confused as to the lack of discussion of this matter.
>
> Can anyone shed some light on this?

Hmm. The issue was scheduled to be made public at 12:00 pm EDT today. Daniel Harris <dannyboy@FreeBSD.org> committed the fix to the FreeBSD Ports Collection around 12:07 pm EDT today.

This issue will be rolled into the next FreeBSD Security Notice (probably Monday --- serious problems like this tend to `trigger' a notice).

If you want to bitch at someone, bitch at the wu-ftpd.org guys for ignoring the reported bug for two months.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
Bjoern Engels
2003-Aug-01 11:25 UTC
Wu-ftpd FTP server contains remotely exploitable off-by-one bug
On Thu, 2003-07-31 at 21:19, Robert Watson wrote:

> wu-ftpd, unlike many Linux distributions. It's considered a third party
> software package, which means it will generally be covered in ports
> security notices, as opposed to FreeBSD security advisories. In the past,

I haven't seen a single Ports advisory during the last months, what's happened to them?

--
Bjoern Engels <bjoern.engels@mail.isis.de>
You know you're doomed when you have to whois your domain registrar ID to find out your own phone number