wu-ftpd exploit and patch I got, debs too
A friend of mine emailed me this glob.c patch for the recent wu-ftpd
exploit. I don't understand how the exploit works, but I am sure someone
will tell me if this patch guards against it. The only other patch out
there seems to be the Dead Rat src rpm, so I'll post what I found. I also
used the patch to build Debian packages, so if you are running Debian, you
can use my Debian packages. Use them at your own risk though. I don't
have extended experience at building Debian packages, and basically I
took the source from the previous package, upped the rev on the changelog,
and did a
$ fakeroot debian/rules binary
and voila, I had new deb packages. You can get those at:
ftp://brie.com/pub/debian/potato
Below is the patch a friend emailed me.
brian
Generic patch against globc.c for:
Subject: Wu-Ftpd File Globbing Heap Corruption Vulnerability
-- SNIP --
--- glob.c.orig Sat Jul 1 14:17:39 2000
+++ glob.c Wed Nov 28 00:43:38 2001
@@ -298,7 +298,7 @@
for (lm = restbuf; *p != '{'; *lm++ = *p++)
continue;
- for (pe = ++p; *pe; pe++)
+ for (pe = ++p; *pe; pe++) {
switch (*pe) {
case '{':
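Review bot: in the unchanged context line `for (lm = restbuf; *p != '{'; *lm++ = *p++)`, the copy into restbuf stops only when it sees '{', and nothing visible in this hunk bounds it by the size of restbuf or by the end of the string. Since the patch is hardening this function against malformed patterns, it is worth confirming that every caller guarantees a '{' in the input and that restbuf is large enough for the longest pattern accepted, or adding an explicit limit to that loop.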
@@ -314,11 +314,19 @@
case '[':
for (pe++; *pe && *pe != ']'; pe++)
continue;
+ if (!*pe) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
+ }
pend:
- brclev = 0;
- for (pl = pm = p; pm <= pe; pm++)
+ if (brclev || !*pe) {
+ globerr = "Missing }";
+ return (0);
+ }
+ for (pl = pm = p; pm <= pe; pm++) {
switch (*pm & (QUOTE | TRIM)) {
case '{':
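Review bot: at `pend:`, dropping `brclev = 0;` means the second loop now depends on the new `if (brclev || !*pe)` guard to leave brclev at zero on entry. That holds as written, but it is implicit; a one-line comment at the guard, or keeping the explicit reset after it, would stop a later edit to the guard from letting a stale brace level into the second loop. The added `if (!*pe)` test after the '[' scan should stay exactly where it is, because the outer loop's `pe++` would otherwise run after the inner scan has stopped on the terminating NUL.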
@@ -352,19 +360,18 @@
return (1);
sort();
pl = pm + 1;
- if (brclev)
- return (0);
continue;
case '[':
for (pm++; *pm && *pm != ']'; pm++)
continue;
- if (!*pm)
- pm--;
+ if (!*pm) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
- if (brclev)
- goto doit;
+ }
return (0);
}
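Review bot: the removed `if (brclev) goto doit;` after the loop may have been the only jump to the `doit` label, which sits outside the lines shown here. If nothing else jumps to it, remove the label in the same patch so the build does not gain an unused-label warning and readers are not left looking for a caller.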
@@ -416,11 +423,10 @@
else if (scc == (lc = cc))
ok++;
}
- if (cc == 0)
- if (ok)
- p--;
- else
- return 0;
+ if (cc == 0) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
case '*':
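Review bot: the new `if (cc == 0)` branch returns 0, the same value the removed `return 0;` used for a plain non-match, so the error is only visible through globerr. Confirm that the callers test globerr after a 0 return and stop there, rather than going on to try the next candidate name with a pattern already known to be malformed. The literal "Missing ]" now appears in three places in this patch; a shared constant would keep the messages in step.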
--
Brian Lavender
http://www.brie.com/brian/