
wu-ftpd exploit and patch I got, debs too



A friend of mine emailed me this glob.c patch for the recent wu-ftpd
exploit.  I don't understand how the exploit works, but I am sure someone
will tell me if this patch guards against it. The only other patch out
there seems to be the Dead Rat src rpm, so I'll post what I found. I also
used the patch to build Debian packages, so if you are running Debian, you
can use my Debian packages.  Use them at your own risk though. I don't
have extended experience at building Debian packages, and basically I
took the source from the previous package, upped the rev on the changelog,
and did a

$ fakeroot debian/rules binary 

and voila, I had new deb packages. You can get those at:

ftp://brie.com/pub/debian/potato

Below is the patch a friend emailed me.

brian


Generic patch against glob.c for:
Subject:      Wu-Ftpd File Globbing Heap Corruption Vulnerability


-- SNIP --

--- glob.c.orig	Sat Jul  1 14:17:39 2000
+++ glob.c	Wed Nov 28 00:43:38 2001
@@ -298,7 +298,7 @@

     for (lm = restbuf; *p != '{'; *lm++ = *p++)
 	continue;
-    for (pe = ++p; *pe; pe++)
+    for (pe = ++p; *pe; pe++) {
 	switch (*pe) {

 	case '{':
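Review bot: The context line `for (lm = restbuf; *p != '{'; *lm++ = *p++)` at the top of this hunk still copies into restbuf with no length bound and stops only on '{', never on end of string. Since the patch is hardening this parser, confirm that the caller guarantees both a '{' in p and that the prefix fits in restbuf, or add the bound here. The one change in this hunk, the `{` added to the `for (pe = ++p; ...)` line, is closed only in the following hunk, so the two cannot be applied separately.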
@@ -314,11 +314,19 @@
 	case '[':
 	    for (pe++; *pe && *pe != ']'; pe++)
 		continue;
+	    if (!*pe) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;
 	}
+    }
   pend:
-    brclev = 0;
-    for (pl = pm = p; pm <= pe; pm++)
+    if (brclev || !*pe) {
+	globerr = "Missing }";
+	return (0);
+    }
+    for (pl = pm = p; pm <= pe; pm++) {
 	switch (*pm & (QUOTE | TRIM)) {

 	case '{':
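Review bot: Both new error paths, `globerr = "Missing ]"` in the `[` scan and `globerr = "Missing }"` after `pend:`, use `return (0)`, the same value the function's final `return (0);` gives, so the failure is visible only through globerr. Every caller has to test globerr after the call, and none of them is shown in this patch. Dropping `brclev = 0;` is fine because the `if (brclev || !*pe)` test leaves it zero on the surviving path, but a one-line comment saying so would help the next reader.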
@@ -352,19 +360,18 @@
 		return (1);
 	    sort();
 	    pl = pm + 1;
-	    if (brclev)
-		return (0);
 	    continue;

 	case '[':
 	    for (pm++; *pm && *pm != ']'; pm++)
 		continue;
-	    if (!*pm)
-		pm--;
+	    if (!*pm) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;
 	}
-    if (brclev)
-	goto doit;
+    }
     return (0);
 }

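Review bot: In the `[` case of the second loop, the new "Missing ]" return repeats the check the first scan already makes over the same range, so it should be unreachable once that scan has passed; keep it as a guard, but say so in a comment. The two removed `if (brclev)` tests are safe only because of the `if (brclev || !*pe)` rejection added after `pend:`, and the `doit` label lies outside this hunk, so check that a `goto` still refers to it.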
@@ -416,11 +423,10 @@
 		else if (scc == (lc = cc))
 		    ok++;
 	    }
-	    if (cc == 0)
-		if (ok)
-		    p--;
-		else
-		    return 0;
+	    if (cc == 0) {
+		globerr = "Missing ]";
+		return (0);
+	    }
 	    continue;

 	case '*':
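Review bot: The replaced `if (cc == 0)` block changes behaviour, not just bracing: an unterminated class that had already matched (`ok` set) used to be accepted via `p--`, and is now rejected with "Missing ]". That is the safer choice, but it should be stated in the changelog, since a pattern ending in an unclosed class such as `[abc` stops matching. The "Missing ]" literal now appears three times in the patch; one shared constant would keep the messages in step.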


-- 
Brian Lavender
http://www.brie.com/brian/