
Bug#4331: [linux-security] [linux-alert] SECURITY FIX/UPDATE: anonftp (fwd)



Package: wu-ftpd
Version: 2.4-23

I don't know the exploit, but tar in the anon ftp area is the
same as the normal one, so I think Debian systems may have this
problem too.  Two messages from the linux-security list (the
second one includes a patch for tar - only for anon ftp, not
for the normal one!) are attached below.

Marek

From: Elliot Lee <sopwith@redhat.com>
To: redhat-announce-list@redhat.com
cc: linux-alert@tarsier.cv.nrao.edu, bugtraq@crimelab.com
Subject: [linux-security] [linux-alert] SECURITY FIX/UPDATE: anonftp
Date: Mon, 19 Aug 1996 18:57:03 -0400 (EDT)

There is a security hole in the anonftp package included with all versions
of Red Hat Linux that allows an anonymous FTP user to execute arbitrary
commands in the chroot FTP environment. Due to some options in GNU tar
that are enabled by default, any program that exists (or can be uploaded
to) an FTP server can be run.

Severity is limited due to the chroot environment, but the problem still
needs to be addressed.

Updates are available on ftp.redhat.com now.

If you are using a version prior to 3.0.3, an upgrade is recommended to
solve other security holes.

If you are using 3.0.3 on the Intel, get
ftp://ftp.redhat.com/pub/redhat/redhat-3.0.3/i386/updates/RPMS/anonftp-2.0-2.i386.rpm
and install it using 'rpm -Uvh [filename]'

If you are using 3.0.3 on the Alpha, get
ftp://ftp.redhat.com/pub/redhat/redhat-3.0.3/axp/updates/RPMS/anonftp-2.0-2.axp.rpm
and install it using 'rpm -Uvh [filename]'

If you are using 3.0.4 (Rembrandt BETA) on the Intel, get
ftp://ftp.redhat.com/pub/redhat/rembrandt/i386/updates/RPMS/anonftp-2.2-2.i386.rpm
and install it using 'rpm -Uvh [filename]'

If you are using 3.0.4 (Rembrandt BETA) on the Sparc, get
ftp://ftp.redhat.com/pub/redhat/rembrandt/sparc/updates/RPMS/anonftp-2.2-2.sparc.rpm
and install it using 'rpm -Uvh [filename]'

All packages are PGP signed. Source packages are available in the usual
locations.

MD5 checksums:

Thanks to Alan Cox for finding this problem.

-- Elliot Lee <sopwith@redhat.com>
   Red Hat Software, http://www.redhat.com/


Date: Wed, 21 Aug 1996 10:05:52 -0400 (EDT)
From: Elliot Lee <sopwith@redhat.com>
To: Roscinante <rosc@fbn.globalent.net>
cc: linux-security@tarsier.cv.nrao.edu
Subject: [linux-security] Re: Anon ftp pkg?

On Wed, 21 Aug 1996, Roscinante wrote:

> Does the updated anonftp pkg have a fixed version of tar?

Yes, that's all that changed :-)

> I've been trying all night to get rpm working on my slack system, am I
> wasting my time (someone told me all that's in the updated anonftp pkg is
> a config script)?

No.

>  Are there options in tar that should be disabled at compile time?
> What options are exploitable? Please cc me directly.

I have attached a patch to tar that you can compile tar with to fix it.

Hope this helps,
 --==== Elliot Lee = <sopwith@redhat.com> == Red Hat Software ====--
"Usenet is like a herd of performing elephants with diarrhea; massive,
 difficult to redirect, awe-inspiring, entertaining, and a source of
 mind-boggling amounts of excrement when you least expect it."

--- tar-1.11.8/src/tar.c.sopwith	Sat Jun 17 16:48:32 1995
+++ tar-1.11.8/src/tar.c	Mon Aug 19 12:19:16 1996
@@ -22,6 +22,8 @@
 
 #include "system.h"
 
+#include <syslog.h>
+
 #ifndef FNM_LEADING_DIR
 # include <fnmatch.h>
 #endif
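Review bot: the new `#include <syslog.h>` is unconditional, while the neighbouring includes in this block are guarded (`#ifndef FNM_LEADING_DIR` around the fnmatch include just below). Since this patch is only meant for the copy of tar installed in the anonymous FTP area (the forwarding note says so explicitly), consider putting the include and the two syslog call sites behind a build-time macro of your choosing (a hypothetical `ANONFTP_TAR` define, for instance) so the same source tree still builds the unrestricted system tar.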
@@ -1202,14 +1204,19 @@
 	break;
 
       case OPTION_COMPRESS_PROG:
-	if (flag_compressprog)
-	  ERROR ((TAREXIT_FAILURE, 0,
-		  _("Only one compression option permitted")));
-	flag_compressprog = optarg;
+	openlog("ftp tar", 0, LOG_DAEMON);
+	syslog(LOG_WARNING,"Attempt to run tar via FTP with compress command %s",
+		optarg);
+	closelog();
+	flag_compressprog = NULL;
 	break;
 
       case OPTION_RSH_COMMAND:
-	flag_rsh_command = optarg;
+	openlog("ftp tar", 0, LOG_DAEMON);
+	syslog(LOG_WARNING,"Attempt to run tar via FTP with rsh command %s",
+		optarg);
+	closelog();
+	flag_rsh_command = NULL;
 	break;
 
       case 'g':
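Review bot: both new cases turn the option into a logged no-op instead of rejecting the invocation: `flag_compressprog = NULL;` and `flag_rsh_command = NULL;` followed by `break;` let tar continue as if the option had never been given, so a hostile request proceeds with default behaviour rather than failing. The dropped `ERROR ((TAREXIT_FAILURE, 0, ...))` call (which previously rejected a second compression option) shows the existing way to abort; exiting with TAREXIT_FAILURE right after the `syslog()` call would make the refusal visible to the client as well as to the log. Two further caveats: `optarg` is attacker-controlled and written to syslog verbatim through the `%s`, so log consumers should expect arbitrary bytes, control characters included, in that field; and because this tar runs inside the FTP chroot, the warnings only reach syslogd if a `/dev/log` socket exists inside that chroot, otherwise `syslog()` fails silently and the attempt goes unrecorded.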


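As an added example that is not part of any message in this thread, the script below parses syslog lines of the form the patched tar emits ("Attempt to run tar via FTP with compress command ..." / "... rsh command ...") and summarizes the attempts per host, escaping control characters in the attacker-supplied command before reporting it. The log lines, hostname and command values are constructed samples; the "ftp tar: " prefix assumes a classic syslogd line layout using the ident passed to openlog() in the patch.

```python
import re
from collections import Counter

# Message text comes from the patch above; the timestamp/host prefix is the
# classic syslogd layout with the "ftp tar" ident and no PID (openlog flags 0).
PATTERN = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) ftp tar: "
    r"Attempt to run tar via FTP with (?P<kind>compress|rsh) command (?P<cmd>.*)$"
)

# Constructed sample log: three tar warnings plus one unrelated ftpd line.
# The last warning carries an escape sequence to show the sanitizer at work.
SAMPLE_LOG = """\
Aug 21 10:05:52 ftp1 ftp tar: Attempt to run tar via FTP with compress command /bin/sh
Aug 21 10:05:53 ftp1 ftpd[1234]: ANONYMOUS FTP LOGIN FROM example.invalid, guest
Aug 21 10:06:01 ftp1 ftp tar: Attempt to run tar via FTP with rsh command /incoming/x
Aug 21 10:06:02 ftp1 ftp tar: Attempt to run tar via FTP with compress command /bin/sh
Aug 21 10:07:10 ftp1 ftp tar: Attempt to run tar via FTP with rsh command \x1b[2Jrm
"""


def sanitize(value):
    """Escape non-printable characters so an attacker-chosen command cannot
    forge or hide report lines when the summary is echoed to a terminal."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in value)


def parse_attempts(log_text):
    """Return one dict (ts, host, kind, cmd) per matching line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = PATTERN.match(line)
        if m:
            event = m.groupdict()
            event["cmd"] = sanitize(event["cmd"])
            events.append(event)
    return events


def summarize(events):
    """Count attempts by (host, option kind, sanitized command)."""
    return Counter((e["host"], e["kind"], e["cmd"]) for e in events)


if __name__ == "__main__":
    for (host, kind, cmd), n in summarize(parse_attempts(SAMPLE_LOG)).most_common():
        print(f"{host}: {n} attempt(s) to run {cmd!r} via the {kind} command option")
```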
