search menu icon-carat-right cmu-wordmark

CERT Coordination Center


WU-FTPD does not properly handle file name globbing

Vulnerability Note VU#886083

Original Release Date: 2001-11-28 | Last Revised: 2002-03-28

Overview

SecurityFocus and CORE Security Technologies have reported a vulnerability in WU-FTPD. WU-FTPD does not handle file name globbing properly and may allow an attacker to execute arbitrary code. WU-FTPD is a widely-used FTP daemon that is included in many UNIX and Linux distributions. This vulnerability was discussed on SecurityFocus' vuln-dev mailing list in April 2001.

Description

The CERT Coordination Center has received a report from SecurityFocus and CORE Security Technologies about a remote code execution vulnerability in the Washington University FTP daemon, WU-FTPD. The vulnerability manifests in WU-FTPD's handling of file name globbing. The problem is not a typical buffer overflow or format string vulnerability, but a combination of two bugs: WU-FTPD's globbing code does not properly return an error condition when interpreting the string '~{', and later frees memory which may contain user supplied data.

When certain characters are encountered in the file name argument to an FTP command issued by a client, WU-FTPD calls its globbing code, which is implemented in glob.c. The globbing code should parse the argument string, set a variable if it encounters an error condition, and return a pointer to the expanded glob expression. The function that calls glob.c eventually uses free() to free the memory allocated to hold the expanded glob expression. A problem occurs when the globbing code fails to recognize the string '~{' as a malformed argument and does not set the error variable. The pointer returned by the globbing code references memory on the heap that contains arbitrary data instead of the expanded glob expression. If an attacker can place code of their choice in the right position on the heap, WU-FTPD may execute that code when freeing the memory referenced by the pointer that was returned by the globbing code.

This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root. If unsuccessful, the thread servicing the request will fail, but WU-FTPD will not crash.

Note that BeroFTPD, which shares much of its code base with WU-FTPD, is also vulnerable. BeroFTPD is no longer separately maintained.

Impact

A remote attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.

Solution

Apply Patch
Apply the appropriate patch supplied as described in the vendor section below. Alternatively, apply the patch provided by WU-FTPD.


Block or Restrict Access
Block or restrict access to the control port used by WU-FTPD, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPD.

Disable Anonymous Access
Disable anonymous FTP access. Note that this will only prevent unauthenticated users from attempting to exploit this vulnerability.

Disable Vulnerable Service
Disable WU-FTPD until a patch is can be applied.

Vendor Information

886083
Expand all

BeroFTPD

Updated:  December 17, 2001

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Messages on the vuln-dev mailing list indicate that BeroFTPD is vulnerable. Since BeroFTPD shares much of its code with WU-FTPD, BeroFTPD may be affected by other vulnerabilities in WU-FTPD. BeroFTPD was split from and has since been merged back into WU-FTPD.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Caldera

Notified:  November 21, 2001 Updated:  February 15, 2002

Status

  Vulnerable

Vendor Statement

Caldera has released Caldera Security Advisory CSSA-2001-041.0 for Linux, CSSA-2001-SCO.36 for UnixWare and OpenUnix, and CSSA-2002-SCO.1 for OpenServer.

Caldera Linux:

http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt

Caldera (SCO) UnixWare:

ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.36.2/CSSA-2001-SCO.36.2.txt

Caldera (SCO) Open UNIX:

ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.36.2/CSSA-2001-SCO.36.2.txt

Caldera (SCO) OpenServer:

ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.1/CSSA-2002-SCO.1.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Updated:  November 30, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : wu-ftpd
SUMMARY   : Remote vulnerability in the wu-ftpd server
DATE      : 2001-11-29 12:20:00
ID        : CLA-2001:442
RELEVANT
RELEASES  : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
 "wu-ftpd" is one of the ftp servers available in Conectiva Linux and
 several other linux distributions.
 
 CORE Security Technologies[1] reported[2] a vulnerability[3] in the
 wu-ftpd ftp server that can be exploited remotely. The problem is in
 the internal glob function used by wu-ftpd which allows an attacker
 to corrupt memory space and execute arbitrary code remotely. There is
 no need for an user account on the ftp server, this problem can be
 abused by anonymous users as well.
 This vulnerability was first reported[4] by Matt Power but was deemed
 not exploitable at that time.


SOLUTION
 All administrators who deploy wu-ftpd should upgrade immediately. If
 an upgrade is not possible, then the service should be shut down, or
 another ftp server should be used.
 
 There is no need to restart the service after the upgrade because
 wu-ftpd is started from inetd. The administrator might want to,
 however, shut down all current connections which would still be using
 the vulnerable copy to avoid a possible abuse by currently connected
 users.
 
 
 REFERENCES
 1. http://www.core-sdi.com
 2. http://www.securityfocus.com/archive/1/242964
 3. http://www.securityfocus.com/bid/3581
 4. http://www.securityfocus.com/archive/82/180823


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/wu-ftpd-2.6.1-6U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/wu-ftpd-2.6.1-6U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/wu-ftpd-2.6.1-6U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/wu-ftpd-2.6.1-6U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/wu-ftpd-2.6.1-6U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/wu-ftpd-2.6.1-6U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/wu-ftpd-2.6.1-6U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/wu-ftpd-2.6.1-6U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/wu-ftpd-2.6.1-6U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/wu-ftpd-2.6.1-6U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/wu-ftpd-2.6.1-6U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/wu-ftpd-2.6.1-6U50_1cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8BkQ+42jd0JmAcZARApFvAKCl+ekMYKl4mUlnjYOPzmdpdRQ2WQCfZ37k
B9JhTSxN7u70wdESzG+mjhQ=
=+0Mk
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  November 21, 2001 Updated:  December 04, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-087-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
December  3, 2001
- ------------------------------------------------------------------------


Package        : wu-ftpd
Problem type   : remote root exploit
Debian-specific: no

CORE ST reports that an exploit has been found for a bug in the wu-ftpd
glob code (this is the code that handles filename wildcard expansion).
Any logged in user (including anonymous ftp users) can exploit the bug
to gain root privilege on the server.

This has been corrected in version 2.6.0-6 of the wu-ftpd package.

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:
   http://security.debian.org/dists/stable/updates/main/source/wu-ftpd_2.6.0-6.diff.gz
     MD5 checksum: 3b1b4c45157bd09811d22e5a0319800f
   http://security.debian.org/dists/stable/updates/main/source/wu-ftpd_2.6.0-6.dsc
     MD5 checksum: bb6cde87269f88b9fd8a8b2202a62ca4
   http://security.debian.org/dists/stable/updates/main/source/wu-ftpd_2.6.0.orig.tar.gz
     MD5 checksum: 652cfe4b59e0468eded736e7c281d16f

  Architecture independent archives:
   http://security.debian.org/dists/stable/updates/main/binary-all/wu-ftpd-academ_2.6.0-6_all.deb
     MD5 checksum: 6e611c3988121914b79de3e2042a7313

  Alpha architecture:
   http://security.debian.org/dists/stable/updates/main/binary-alpha/wu-ftpd_2.6.0-6_alpha.deb
     MD5 checksum: bf2a2603573577e86a14d57814a8133a

  ARM architecture:
   http://security.debian.org/dists/stable/updates/main/binary-arm/wu-ftpd_2.6.1-6_arm.deb
     MD5 checksum: 073d205b811b077d0e2ea874b4e795e8

  Intel IA-32 architecture:
   http://security.debian.org/dists/stable/updates/main/binary-i386/wu-ftpd_2.6.0-6_i386.deb
     MD5 checksum: c3fc484e08210d7a1363c93c9d29d6eb

  PowerPC architecture:
   http://security.debian.org/dists/stable/updates/main/binary-powerpc/wu-ftpd_2.6.0-6_powerpc.deb
     MD5 checksum: 59272e14f5db909fa43b2eb0cfaf2277

  Sun Sparc architecture:
   http://security.debian.org/dists/stable/updates/main/binary-sparc/wu-ftpd_2.6.0-6_sparc.deb
     MD5 checksum: f855d628c92c7d9eccc115b167555f98

  These packages will be moved into the stable distribution on its next
 revision.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

- --
- ----------------------------------------------------------------------------
apt-get: deb http://security.debian.org/ stable/updates main
dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBPArQi6jZR/ntlUftAQFCaQL8DjOz0SFCAaICF4aYt+J7QGlTHusvHhGT
NNu/NiHSUJ0Em1jOcVbTkXr0Ahs4PN3ahCqN6rMdnYNe9biSRcQXKNbj73Mr6AjU
rZFYOH5nd+r6LhYd4rf48HMGCUm6J9PI
=BK/G
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  November 21, 2001 Updated:  December 07, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:64                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          wu-ftpd port contains remote root compromise

Category:       ports
Module:         wu-ftpd
Announced:      2001-12-04
Credits:        CORE Security Technologies
                Contact: Ivan Arce (iarce@corest.com)
Affects:        Ports collection prior to the correction date
Corrected:      2001-11-28 10:52:26 UTC
FreeBSD only:   NO

I.   Background

wu-ftpd is a popular full-featured FTP server.

II.  Problem Description

The wu-ftpd port, versions prior to wu-ftpd-2.6.1_7, contains a
vulnerability which allows FTP users, both anonymous FTP users and
those with valid accounts, to execute arbitrary code as root on
the local machine.  This may be accomplished by inserting invalid
globbing parameters which are incorrectly parsed by the FTP server
into command input.

The wu-ftpd port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

FTP users, including anonymous FTP users, can cause arbitrary commands
to be executed as root on the local machine.

If you have not chosen to install the wu-ftpd port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the wu-ftpd port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the wu-ftpd port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/wu-ftpd-2.6.1_7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/wu-ftpd-2.6.1_7.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources

NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the
version number of the software has not changed.

3) download a new port skeleton for the wu-ftpd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path                                                             Revision
- -------------------------------------------------------------------------
ports/ftp/wu-ftpd/Makefile                                         1.41
ports/ftp/wu-ftpd/files/patch-ap                                   1.2
- -------------------------------------------------------------------------

VII. References

<URL:http://www.securityfocus.com/archive/1/242750>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPA0CA1UuHi5z0oilAQENSQP9HaHiACNyiHZtV8ILnUZWb+D01qf0wTy2
gbZJGfKL/JTP41KLR4EpUitF5SZ+3Zjm8Ebv8XXCjCFWgIBU1xhZaXgi2U9PRLlG
XxHKzvpGnTuBj3uJiLs2UvAbQ9Jz5Wp02u6fJV75dcbnXTPLSGRvxJZwOb2FHxnE
MBUlG+QDpPw=
=sp+c
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
This message was posted through the FIRST mailing list server.  If you
wish to unsubscribe from this mailing list, send the message body of
"unsubscribe first-teams" to first-majordomo@FIRST.ORG

DO NOT REDISTRIBUTE BEYOND MEMBERS OF FIRST TEAMS UNLESS THE AUTHOR OF
THIS MESSAGE GRANTS EXPRESS PERMISSION TO REDISTRIBUTE
-+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix

Updated:  November 29, 2001

Status

  Vulnerable

Vendor Statement

-----------------------------------------------------------------------

        Immunix OS Security Advisory

Packages updated:       wu-ftpd
Affected products:      Immunix 7.0
Bugs fixed:             immunix/1861
Date:                   Wed Nov 28 2001
Advisory ID:            IMNX-2001-70-036-01
Author:                 Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------

Description:
  CORE Security Technologies has found an heap overflow problem in
  wu-ftpd, related to the internal globbing functions. Because this is a
  heap overflow, StackGuard does not prevent any possible exploits from
  working.

  Thomas Biege from SuSE has also discovered several format-string
  problems that may or may not be remotely exploitable; these problems
  were also found independently by someone else, who sadly is unknown to
  WireX.

  The wu-ftpd packages provided here fix these problems, as well as
  other lesser problems.

  References: http://www.securityfocus.com/archive/1/242750

Package names and locations:
  Precompiled binary packages for Immunix 7.0 are available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/wu-ftpd-2.6.1-6_imnx_4.i386.rpm

  Source package for Immunix 7.0 is available at:
  http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/wu-ftpd-2.6.1-6_imnx_4.src.rpm

Immunix OS 7.0 md5sums:
  c6c2fa2fa60f2cfe5b496ad0281fa486  RPMS/wu-ftpd-2.6.1-6_imnx_4.i386.rpm
  e8a2e0a1f8abe59ad058b6fecc8a1c72  SRPMS/wu-ftpd-2.6.1-6_imnx_4.src.rpm

GPG verification:                                                              
  Our public key is available at <http://wirex.com/security/GPG_KEY>.          
  *** NOTE *** This key is different from the one used in advisories            
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@wirex.com. WireX
  attempts to conform to the RFP vulnerability disclosure protocol
  <http://www.wiretrip.net/rfp/policy.html>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  November 21, 2001 Updated:  December 07, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           wu-ftpd
Date:                   November 29th, 2001
Advisory ID:            MDKSA-2001:090

Affected versions:      7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1
________________________________________________________________________

Problem Description:

 A vulnerability in wu-ftpd's ftpglob() function was found by the CORE
 ST team.  This vulnerability can be exploited to obtain root access on
 the FTP server.
________________________________________________________________________

References:

  http://www.securityfocus.com/bid/3581
________________________________________________________________________

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:
  rpm --checksig package.rpm
You can get the GPG public key of the Mandrake Linux Security Team at
  http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.

Linux-Mandrake 7.1:
d8bf0ffaa36f4be0d82d2a497ca97012  7.1/RPMS/wu-ftpd-2.6.1-8.7mdk.i586.rpm
8527aaf8ead9756af936518cdcf0bf19  7.1/SRPMS/wu-ftpd-2.6.1-8.7mdk.src.rpm

Linux-Mandrake 7.2:
be0ad73a7e3559ded06615df10467cbe  7.2/RPMS/wu-ftpd-2.6.1-8.8mdk.i586.rpm
02a177500ce246b536980c8884cc40fb  7.2/SRPMS/wu-ftpd-2.6.1-8.8mdk.src.rpm

Mandrake Linux 8.0:
d56665d8af147c90ac6db88d1c87ff03  8.0/RPMS/wu-ftpd-2.6.1-11.1mdk.i586.rpm
c85387ec082fd92d82d36192b96ab85b  8.0/SRPMS/wu-ftpd-2.6.1-11.1mdk.src.rpm

Mandrake Linux 8.0 (PPC):
6fd48b377e4b0ea445e4c8efe46589bd  ppc/8.0/RPMS/wu-ftpd-2.6.1-11.1mdk.ppc.rpm
c85387ec082fd92d82d36192b96ab85b  ppc/8.0/SRPMS/wu-ftpd-2.6.1-11.1mdk.src.rpm

Mandrake Linux 8.1:
108dde2929cf812461b29bd8503b8cfc  8.1/RPMS/wu-ftpd-2.6.1-11.1mdk.i586.rpm
c85387ec082fd92d82d36192b96ab85b  8.1/SRPMS/wu-ftpd-2.6.1-11.1mdk.src.rpm

Corporate Server 1.0.1:
d8bf0ffaa36f4be0d82d2a497ca97012  1.0.1/RPMS/wu-ftpd-2.6.1-8.7mdk.i586.rpm
8527aaf8ead9756af936518cdcf0bf19  1.0.1/SRPMS/wu-ftpd-2.6.1-8.7mdk.src.rpm
________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

________________________________________________________________________

To upgrade automatically, use MandrakeUpdate.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".

You can download the updates directly from one of the mirror sites
listed at:

  http://www.linux-mandrake.com/en/ftp.php3.

Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for
Mandrake Linux 8.0, look for it in "updates/8.0/RPMS/".  Updated source
RPMs are available as well, but you generally do not need to download
them.

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other security advisories for Mandrake Linux at:

  http://www.linux-mandrake.com/en/security/

If you want to report vulnerabilities, please contact

  security@linux-mandrake.com
________________________________________________________________________

Mandrake Linux has two security-related mailing list services that
anyone can subscribe to:

security-announce@linux-mandrake.com

  Mandrake Linux's security announcements mailing list.  Only
  announcements are sent to this list and it is read-only.

security-discuss@linux-mandrake.com

  Mandrake Linux's security discussion mailing list.  This list is open
  to anyone to discuss Mandrake Linux security specifically and Linux
  security in general.

To subscribe to either list, send a message to
  sympa@linux-mandrake.com
with "subscribe [listname]" in the body of the message.

To remove yourself from either list, send a message to
  sympa@linux-mandrake.com
with "unsubscribe [listname]" in the body of the message.

To get more information on either list, send a message to
  sympa@linux-mandrake.com
with "info [listname]" in the body of the message.

Optionally, you can use the web interface to subscribe to or unsubscribe
from either list:

  http://www.linux-mandrake.com/en/flists.php3#security
________________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security@linux-mandrake.com>


- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
/NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA
BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP
WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w
Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPa5AQ0EOWnn
7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77
9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV
Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s
+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX
Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl
3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi
RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX
lA==
=0ahQ
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8BwkWmqjQ0CJFipgRAmO4AJ9K6dNutlrhhV8pIBkR2BWU1tyJ7QCfepsP
oO41cLJSkfbxnhLB9riFWP0=
=0caS
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RedHat

Notified:  November 21, 2001 Updated:  November 30, 2001

Status

  Vulnerable

Vendor Statement

---------------------------------------------------------------------

                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          Updated wu-ftpd packages are available
Advisory ID:       RHSA-2001:157-06
Issue date:        2001-11-20
Updated on:        2001-11-26
Product:           Red Hat Linux
Keywords:          wu-ftpd buffer overrun glob ftpglob
Cross references:  
Obsoletes:         RHSA-2000:039
---------------------------------------------------------------------

1. Topic:

Updated wu-ftpd packages are available to fix an overflowable buffer.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - alpha, i386, ia64

Red Hat Linux 7.2 - i386

3. Problem description:

An overflowable buffer exists in earlier versions of wu-ftpd.
An attacker could gain access to the machine by sending malicious
commands.

It is recommended that all users of wu-ftpd upgrade to the lastest
version.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

6. RPMs required:

Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/wu-ftpd-2.6.1-0.6x.21.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/wu-ftpd-2.6.1-16.7x.1.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/wu-ftpd-2.6.1-16.7x.1.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/wu-ftpd-2.6.1-20.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm

7. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
a33d4557c473b88cc7bed8718bd07a2f 6.2/en/os/SRPMS/wu-ftpd-2.6.1-0.6x.21.src.rpm
da84b22853f1048d45803ebeec8d061c 6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm
281fa607c3f6479e369673cb9247d169 6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm
20bf731056d48351d2194956f4762091 6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm
52406d7ddd2c14c669a8c9203f99ac5c 7.0/en/os/SRPMS/wu-ftpd-2.6.1-16.7x.1.src.rpm
35315a5fa466beb3bdc26aa4fc1c872f 7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm
c97683b85603d34853b3825c9b694f20 7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm
52406d7ddd2c14c669a8c9203f99ac5c 7.1/en/os/SRPMS/wu-ftpd-2.6.1-16.7x.1.src.rpm
35315a5fa466beb3bdc26aa4fc1c872f 7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm
c97683b85603d34853b3825c9b694f20 7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm
56af9e1de2b3d532e1e4dce18636f6c4 7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm
efd2a876ad8d7c4879d3eeaeeec7fcef 7.2/en/os/SRPMS/wu-ftpd-2.6.1-20.src.rpm
7306f24d3d7d518068c5e08959d43bdd 7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm
 

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:



Copyright(c) 2000, 2001 Red Hat, Inc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE

Updated:  November 29, 2001

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                wuftpd
       Announcement-ID:        SuSE-SA:2001:043
       Date:                   Wednesday, Nov. 28th, 2001 23:45 MET
       Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
       Vulnerability Type:     remote root compromise
       Severity (1-10):        7
       SuSE default package:   no
       Other affected systems: all liunx-like systems using wu-ftpd 2.4.x /
                               2.6.0 / 2.6.1

        Content of this advisory:
       1) security vulnerability resolved: wuftpd
          problem description, discussion, solution and upgrade information
       2) pending vulnerabilities, solutions, workarounds
       3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    The wuftpd package as shipped with SuSE Linux distributions comes with
   two versions of wuftpd: wuftpd-2.4.2, installed as /usr/sbin/wuftpd,
   and wuftpd-2.6.0, installed as /usr/sbin/wuftpd-2.6.
   The admin decides which version to use by the inetd/xinetd
   configuration.

    The CORE ST Team had found an exploitable bug in all versions of wuftpd's
   ftpglob() function.
   The glob function overwrites buffer bounds while matching open and closed
   brackets. Due to a missing \0 at the end of the buffer a later call to a
   function that frees allocated memory will feed free(3) with userdefined
   data. This bug could be exploited depending on the implementation of
   the dynmaic allocateable memory API (malloc(3), free(3)) in the libc
   library. Linux and other system are exploitable!

    Some weeks ago, an internal source code audit of wu-ftpd 2.6.0 performed
   by Thomas Biege, SuSE Security, revealed some other security related bugs
   that are fixed in the new RPM packages. Additionally, code from wu-ftpd
   2.6.1 were backported to version 2.6.0 to make it more stable.

    A temporary fix other than using a different server implementation of
   the ftp protocol is not available. We recommend to update the wuftpd
   package on your system.

    We thank the wuftpd team for their work on the bug, particularly because
   the coordination between the vendors and the wuftpd developers lacked
   the necessary discipline for the timely release of the information
   about the problem.

    Please download the update package for your distribution and verify its
   integrity by the methods listed in section 3) of this announcement.
   Then, install the package using the command "rpm -Uhv file.rpm" to apply
   the update.


    i386 Intel Platform:

    SuSE-7.3
   ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-344.i386.rpm
     d1b549b8c2d91d66a8b35fe17a1943b3
   source rpm:
   ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/wuftpd-2.6.0-344.src.rpm
     9ef0e6ac850499dc0150939c62bc146f

    SuSE-7.2
   ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-344.i386.rpm
     4583443a993107b26529331fb1e6254d
   source rpm:
   ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/wuftpd-2.6.0-344.src.rpm
     aaee0343670feae70ccc9217a8e22211

    SuSE-7.1
   ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/wuftpd-2.6.0-346.i386.rpm
     347a030a85cb5fcbe32d3d79d382e19e
   source rpm:
   ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/wuftpd-2.6.0-346.src.rpm
     aa3e53641f6ce0263196e6f1cb0447c3

    SuSE-7.0
   ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/wuftpd-2.6.0-344.i386.rpm
     e34eec18ecc10f187f6aa1aa3b24b75b
   source rpm:
   ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/wuftpd-2.6.0-344.src.rpm
     fafc8c2bbd68dd5ca3d04228433c359a

    SuSE-6.4
   ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/wuftpd-2.6.0-344.i386.rpm
     2354abe95b056762c7f6584449291ff2
   source rpm:
   ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/wuftpd-2.6.0-344.src.rpm
     507b8d484b13737c9d2b6a68fda0cc26

    SuSE-6.3
   ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/wuftpd-2.6.0-347.i386.rpm
     9851ad02e656bba8b5e02ed2ddb46845
   source rpm:
   ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/wuftpd-2.6.0-347.src.rpm
     5d7c4b6824836ca28b228cc5dcfc4fd6



    Sparc Platform:

    SuSE-7.3
   ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-240.sparc.rpm
     2d19e4ead17396a1e28fca8745f9629d
   source rpm:
   ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/wuftpd-2.6.0-240.src.rpm
     bdb0b5ddd72f8563db3c8e444a0df7f5

    SuSE-7.1
   ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/wuftpd-2.6.0-242.sparc.rpm
     f6b04f284bece6bf3700facccc015ffe
   source rpm:
   ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/wuftpd-2.6.0-242.src.rpm
     1660547ac9a5a3b32a4070d69803cf18

    SuSE-7.0
   ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/wuftpd-2.6.0-241.sparc.rpm
     1bd905b095b9a4bb354fc190b6e54a01
   source rpm:
   ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/wuftpd-2.6.0-241.src.rpm
     597263eb7d0fbbf242d519d3c126a441



    AXP Alpha Platform:

    SuSE-7.1
   ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/wuftpd-2.6.0-252.alpha.rpm
     e608bfd2cc9e511c6eb6932c33c68789
   source rpm:
   ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/wuftpd-2.6.0-252.src.rpm
     34915af1ca79b27bad8bc2fd3a5cab05

    SuSE-7.0
   ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/wuftpd-2.6.0-251.alpha.rpm
     86a7d8f60d76a053873bcc13860b0bbb
   source rpm:
   ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/wuftpd-2.6.0-251.src.rpm
     9674f9f1630b3107ac22d275705da76e

    SuSE-6.4
   ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/wuftpd-2.6.0-251.alpha.rpm
     2501444a1e4241e8f6f4cdcc6fd133b0
   source rpm:
   ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/wuftpd-2.6.0-251.src.rpm
     34812d943900bdb902ad7edd40e1943f

    SuSE-6.3
   ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/wuftpd-2.6.0-250.alpha.rpm
     429a49ef9d4d0865fbb443c212b8a8c7
   source rpm:
   ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/wuftpd-2.6.0-250.src.rpm
     76467dae0f460677ba80ec907eefca28



    PPC Power PC Platform:

    SuSE-7.3
   ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-277.ppc.rpm
     a381269b3e2fc43fda59e4d08aef57ae
   source rpm:
   ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/wuftpd-2.6.0-277.src.rpm
     7cacb696a88e57a843402a796212aee6

    SuSE-7.1
   ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/wuftpd-2.6.0-277.ppc.rpm
     bfc39be2c09323d96f974fdd0c73fda1
   source rpm:
   ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/wuftpd-2.6.0-277.src.rpm
     e2681b2ed4801ce14b5dfb926480ac51

    SuSE-7.0
   ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/wuftpd-2.6.0-279.ppc.rpm
     19f989e637fd9b6fa652f8a4014bb7b1
   source rpm:
   ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/wuftpd-2.6.0-279.src.rpm
     76c493a915691c51a2481f0925e8ce39

    SuSE-6.4
   ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/wuftpd-2.6.0-278.ppc.rpm
     ad29cf172bbd03a5e1f301cf6b9404e5
   source rpm:
   ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/wuftpd-2.6.0-278.src.rpm
     82338702692eba599d8c3d242aff3d1a



______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    - ssh/openssh exploits
     The wrong fix for the crc32-compensation attack is currently actively
     exploited in the internet for both the ssh and the openssh
     implementation of the ssh-1 protocol.
     We urge our users to upgrade their ssh or openssh packages to the
     latest versions that are located on our ftp server at the usual
     directories, referred to via
     http://www.suse.de/de/support/security/adv004_ssh.txt from February
     earlier this year.
     Please note, the packages for the SuSE Linux distributions 7.0 and
     older containing cryptographic code are located on the German ftp
     server ftp.suse.de, the distributions 7.1 and newer have their crypto
     updates on ftp.suse.com. There are legal constraints beyond our
     control that lead to this situation.
     Openssh packages of the version 2.9.9p2 ready to download on the ftp
     server ftp.suse.com. They fix the security problems mentioned above,
     along with a set of less serious security problems.
     The announcement is still pending while investigations about the
     status of the package are in progress.



    - libgtop_daemon
     The libgtop_daemon, part of the libgtop package for gathering and
     monitoring process and system information, has been found vulnerable
     to a format string error. We are in the process of providing fixes for
     the affected distributions 6.4-7.3. In the meanwhile, we recommend to
     disable the libgtop_daemon on systems where it is running. This daemon
     is neither installed nor started (if installed) by default on SuSE
     Systems.


    - kernel updates
     A bug in the elf loader of the linux kernels version 2.4 from our
     announcement SSA:2001:036 can cause a system to crash if a user
     executes a vmlinux kernel image. We are preparing another update
     series to workaround this problem and will re-issue the kernel
     announcement as soon as possible.


______________________________________________________________________________

3)  standard appendix:

    SuSE runs two security mailing lists to which any interested party may
   subscribe:

    suse-security@suse.com
       -   general/linux/SuSE security discussion.
           All SuSE security announcements are sent to this list.
           To subscribe, send an email to
               <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
       -   SuSE's announce-only mailing list.
           Only SuSE's security annoucements are sent to this list.
           To subscribe, send an email to
               <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
   send mail to:
       <suse-security-info@suse.com> or
       <suse-security-faq@suse.com> respectively.

    ===============================================
   SuSE's security contact is <security@suse.com>.
   ===============================================

______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
   provided that the advisory is not modified in any way.
   SuSE GmbH makes no warranties of any kind whatsoever with respect
   to the information contained in this security advisory.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBPAVrBHey5gA9JdPZAQFhHwf/Vw7FQu1H4TXqi3qHVaTK9S1o8lCFSvko
SS8aDJbmWSS0KXTF8iEI/tASxfk7sAE55QrBASjVC8drmAowhO1Xhw52esDdYeZX
2ygNhzVj0XRZ30e/ZjjBBhWXT91EP9F9h3R5T56BKJH1WVb5dmgVrLoiTqK1rafk
mXezFnhDqRzvMZWfJGlO4peuum8tBO8Eh8wXMhx6nXFOS71Cv0I4Em1tKeFrujjQ
kGf8CRexJZC3lr8PnAuyctdkdFInIC/KyroALmAsC/sQ0TR/YONi50BhYaeTV5Sc
jM4ENMmnF2VZ2C+iH1tJpUYHxgM6WoRHpE1aSFRDUMSxhiU1ifo6TQ==
=fm+e
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun

Notified:  November 21, 2001 Updated:  November 30, 2001

Status

  Vulnerable

Vendor Statement

Sun [Solaris] does not ship WU-FTPD, thus Solaris is not affected by these issues.

The only Sun Cobalt Server Appliance that is vulnerable to this exploit is the Qube1. The Qube1 is no longer a supported appliance, but we do understand the need of having updates available. The following RPM is not officially supported by Sun Cobalt, but offers legacy customers the ability to maintain a limited level of security.

Qube1:

ftp://ftp.cobaltnet.com/pub/unsupported/qube1/rpms/wu-ftpd-2.6.1-C1.NOPAM.mips.rpm

ftp://ftp.cobaltnet.com/pub/unsupported/qube1/srpms/wu-ftpd-2.6.1-C1.NOPAM.src.rpm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Turbolinux

Updated:  February 04, 2002

Status

  Vulnerable

Vendor Statement

___________________________________________________________________________

                        Turbolinux Security Announcement

        Package : wu-ftpd
       Vulnerable Packages: Versions previous to wu-ftpd-2.6.1-10
       Date: Wed Jan 23 12:26:21 PST 2002

        Affected Turbolinux versions: previous to wu-ftpd-2.6.1-10

        Turbolinux Advisory ID#:  TLSA2002002

   Credits: http://www.debian.org/security/2001/dsa-087
___________________________________________________________________________

A security hole was discovered in the package mentioned above.
Please update the package in your installation as soon as possible.
___________________________________________________________________________

1. Problem Summary

   CORE ST reports that an exploit has been found for a bug in the wu-ftpd
  glob code. This is the code that handles filename wild card expansion.

2. Impact

   Any logged in user (including anonymous FTP users) can exploit the bug to
  gain root privileges on the server.

3. Solution

  This has been  corrected in version  wu-ftpd-2.6.1-10

  Update the package from our ftp server by running the following command:

  rpm -Uvh ftp://ftp.turbolinux.com/pub/updates/6.0/security/<rpm>

  Where <rpm> are the following:

  wu-ftpd-2.6.1-10.i386.rpm

  The source RPM can be downloaded from:

  ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/wu-ftpd-2.6.1-10.src.rpm

  **Note: You must rebuild and install the RPM if you choose to download
 and install the SRPM.  Simply installing the SRPM alone WILL NOT CLOSE
 THE SECURITY HOLE.

 Please verify the MD5 checksums of the updates before you install:

  MD5 sum                               Package Name
---------------------------------------------------------------------------

  370d61d7c3a74180a1532bf462a460de  wu-ftpd-2.6.1-10.i386.rpm
 1d259c40e1c744d72d8bb8724f9ebe47  wu-ftpd-2.6.1-10.src.rpm
___________________________________________________________________________

These packages are GPG signed by Turbolinux for security. Our key
is available here:

 http://www.turbolinux.com/security/tlgpgkey2002-01-09.asc

To verify a package, use the following command:

 rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:

 rpm --checksig --nogpg name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.

___________________________________________________________________________
You can find more updates on our ftp server:

   ftp://ftp.turbolinux.com/pub/updates/6.0/security/ for TL6.0 Workstation
  and Server security updates
  ftp://ftp.turbolinux.com/pub/updates/7.0/security/ for TL7.0 Workstation
  and Server security updates

Our web page for security announcements:

   http://www.turbolinux.com/security

If you want to report vulnerabilities, please contact:

   security@turbolinux.com
___________________________________________________________________________

Subscribe to the Turbolinux Security Mailing lists:

  TL-security - A moderated list for discussing security issues
               Turbolinux products.
 Subscribe at http://www.turbolinux.com/mailman/listinfo/tl-security

  TL-security-announce - An announce-only mailing list for security updates
 and alerts.
 Subscribe at:

      http://www.turbolinux.com/mailman/listinfo/tl-security-announce
___________________________________________________________________________

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WU-FTPD Development Group

Notified:  November 20, 2001 Updated:  November 30, 2001

Status

  Vulnerable

Vendor Statement

The WU-FTPD Development Group has released a patch that addresses this issue in WU-FTPD 2.6.1:

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/ftpglob.patch
WU-FTPD 2.6.2 is available and addresses this issue:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray

Notified:  November 21, 2001 Updated:  November 29, 2001

Status

  Not Vulnerable

Vendor Statement

Cray, Inc. is not vulnerable since the ftp supplied with UNICOS and UNICOS/mk is not based on the Washington University version.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  November 21, 2001 Updated:  November 30, 2001

Status

  Not Vulnerable

Vendor Statement

Regarding VU#886083 and VU#639760 (WU-FTPD vulnerabilities), UXP/V is not vulnerable, because UXP/V does not support WU-FTPD.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Notified:  November 21, 2001 Updated:  November 26, 2001

Status

  Not Vulnerable

Vendor Statement

This vulnerability was addressed in HPSBUX0107-162 which was released on July 19, 2001.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  November 21, 2001 Updated:  November 27, 2001

Status

  Not Vulnerable

Vendor Statement

IBM's AIX operating system does not use WU-FTPd, hence is not vulnerable to the exploit described by CORE ST.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NcFTP Software

Notified:  November 27, 2001 Updated:  November 30, 2001

Status

  Not Vulnerable

Vendor Statement

All versions of NcFTPd Server are not vulnerable to the problems described by VU#886083 and VU#639760.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  November 21, 2001 Updated:  November 28, 2001

Status

  Not Vulnerable

Vendor Statement

OpenBSD does not use WU-FTPd.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  November 21, 2001 Updated:  November 27, 2001

Status

  Not Vulnerable

Vendor Statement

SGI does not ship IRIX with WU-FTPd, so IRIX is not vulnerable to these issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  November 21, 2001 Updated:  February 04, 2002

Status

  Unknown

Vendor Statement

This reported problem could not be exploited on Compaq Tru64/UNIX Operating Systems Software. WU-FTPD 2.6.1 is shipped on the Internet Express CD.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The CERT Coordination Center thanks CORE Security Technologies and Greg Lundberg for information used in this document. Matt Power of BindView originally reported this condition on the vuln-dev mailing list.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2001-0550
CERT Advisory: CA-2001-33
Severity Metric: 21.89
Date Public: 2001-04-30
Date First Published: 2001-11-28
Date Last Updated: 2002-03-28 22:27 UTC
Document Revision: 35

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.