
[marcus@doutlets.com: WU-FTPD 2.6.1 diff glob.c patch]



FYI

-- 
Michael P. Soulier <msoulier@mcss.mcmaster.ca>, GnuPG pub key: 5BC8BE08
"...the word HACK is used as a verb to indicate a massive amount
of nerd-like effort."  -Harley Hahn, A Student's Guide to Unix
--- Begin Message ---
Generic patch against glob.c for:
Subject:      Wu-Ftpd File Globbing Heap Corruption Vulnerability


-- SNIP --

--- glob.c.orig	Sat Jul  1 14:17:39 2000
+++ glob.c	Wed Nov 28 00:43:38 2001
@@ -298,7 +298,7 @@

     for (lm = restbuf; *p != '{'; *lm++ = *p++)
 	continue;
-    for (pe = ++p; *pe; pe++)
+    for (pe = ++p; *pe; pe++) {
 	switch (*pe) {

 	case '{':
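Review bot: The copy loop kept as context here, `for (lm = restbuf; *p != '{'; *lm++ = *p++)`, has no bound on `lm` and no stop at the end of the string, and this patch leaves it unchanged. It is safe only if every caller passes a pattern that contains `{` and whose prefix fits in `restbuf`; the declaration of `restbuf` and the callers are outside the hunk, so that should be confirmed. If it cannot be, the loop needs the same treatment as the bracket scans in the later hunks: stop at a NUL or at the end of `restbuf`, set `globerr` and return 0. The enclosing function starts before this hunk.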
@@ -314,11 +314,19 @@
 	case '[':
 	    for (pe++; *pe && *pe != ']'; pe++)
 		continue;
+	    if (!*pe) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;
 	}
+    }
   pend:
-    brclev = 0;
-    for (pl = pm = p; pm <= pe; pm++)
+    if (brclev || !*pe) {
+	globerr = "Missing }";
+	return (0);
+    }
+    for (pl = pm = p; pm <= pe; pm++) {
 	switch (*pm & (QUOTE | TRIM)) {

 	case '{':
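Review bot: Every failure path added here ends in `return (0);`, and the third hunk shows the same value returned at the end of the function with no error set, so the return value alone does not tell a caller that the pattern was malformed; only `globerr` does. The patch therefore holds only if each caller tests `globerr` before it uses or releases the glob result, and those callers are outside this diff. The same applies to the `Missing ]` returns in the third and fourth hunks. A comment at the check under `pend:` would record why dropping `brclev = 0;` is safe, e.g. `/* from here on brclev is 0 and *pe is not the terminator */`.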
@@ -352,19 +360,18 @@
 		return (1);
 	    sort();
 	    pl = pm + 1;
-	    if (brclev)
-		return (0);
 	    continue;

 	case '[':
 	    for (pm++; *pm && *pm != ']'; pm++)
 		continue;
-	    if (!*pm)
-		pm--;
+	    if (!*pm) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;
 	}
-    if (brclev)
-	goto doit;
+    }
     return (0);
 }

@@ -416,11 +423,10 @@
 		else if (scc == (lc = cc))
 		    ok++;
 	    }
-	    if (cc == 0)
-		if (ok)
-		    p--;
-		else
-		    return 0;
+	    if (cc == 0) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;

 	case '*':
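Review bot: The removed branch accepted an unterminated class once a member had matched (`ok` set, then `p--`), so the new check turns patterns that used to match into an error, and that change of behaviour deserves a comment at the check, for example `/* unterminated [...]: report it instead of matching the partial class */`. `ok` is still computed in the loop above but is no longer read on this path. The enclosing function starts and ends outside the hunk, so whether a malformed class is also rejected before matching begins cannot be seen here.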



--- End Message ---

Attachment: pgpSQsuhNYRbK.pgp
Description: PGP signature

