SuSE Information for VU#886083

WU-FTPD does not properly handle file name globbing



Vendor Statement



                        SuSE Security Announcement

        Package:                wuftpd
       Announcement-ID:        SuSE-SA:2001:043
       Date:                   Wednesday, Nov. 28th, 2001 23:45 MET
       Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
       Vulnerability Type:     remote root compromise
       Severity (1-10):        7
       SuSE default package:   no
       Other affected systems: all linux-like systems using wu-ftpd 2.4.x /
                               2.6.0 / 2.6.1

        Content of this advisory:
       1) security vulnerability resolved: wuftpd
          problem description, discussion, solution and upgrade information
       2) pending vulnerabilities, solutions, workarounds
       3) standard appendix (further information)


1)  problem description, brief discussion, solution, upgrade information

    The wuftpd package as shipped with SuSE Linux distributions comes with
   two versions of wuftpd: wuftpd-2.4.2, installed as /usr/sbin/wuftpd,
   and wuftpd-2.6.0, installed as /usr/sbin/wuftpd-2.6.
   The admin decides which version to use by the inetd/xinetd

    The CORE ST Team had found an exploitable bug in all versions of wuftpd's
   ftpglob() function.
   The glob function overwrites buffer bounds while matching open and closed
   brackets. Due to a missing \0 at the end of the buffer a later call to a
   function that frees allocated memory will feed free(3) with user-defined
   data. This bug could be exploited depending on the implementation of
   the dynamically allocatable memory API (malloc(3), free(3)) in the libc
   library. Linux and other systems are exploitable!

    Some weeks ago, an internal source code audit of wu-ftpd 2.6.0 performed
   by Thomas Biege, SuSE Security, revealed some other security related bugs
   that are fixed in the new RPM packages. Additionally, code from wu-ftpd
   2.6.1 was backported to version 2.6.0 to make it more stable.

    A temporary fix other than using a different server implementation of
   the ftp protocol is not available. We recommend to update the wuftpd
   package on your system.

    We thank the wuftpd team for their work on the bug, particularly because
   the coordination between the vendors and the wuftpd developers lacked
   the necessary discipline for the timely release of the information
   about the problem.

    Please download the update package for your distribution and verify its
   integrity by the methods listed in section 3) of this announcement.
   Then, install the package using the command "rpm -Uhv file.rpm" to apply
   the update.

    i386 Intel Platform:


    Sparc Platform:


    AXP Alpha Platform:


    PPC Power PC Platform:



2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    - ssh/openssh exploits
     The wrong fix for the crc32-compensation attack is currently actively
     exploited in the internet for both the ssh and the openssh
     implementation of the ssh-1 protocol.
     We urge our users to upgrade their ssh or openssh packages to the
     latest versions that are located on our ftp server at the usual
     directories, referred to via from February
     earlier this year.
     Please note, the packages for the SuSE Linux distributions 7.0 and
     older containing cryptographic code are located on the German ftp
     server, the distributions 7.1 and newer have their crypto
     updates on There are legal constraints beyond our
     control that lead to this situation.
     Openssh packages of the version 2.9.9p2 ready to download on the ftp
     server They fix the security problems mentioned above,
     along with a set of less serious security problems.
     The announcement is still pending while investigations about the
     status of the package are in progress.

    - libgtop_daemon
     The libgtop_daemon, part of the libgtop package for gathering and
     monitoring process and system information, has been found vulnerable
     to a format string error. We are in the process of providing fixes for
     the affected distributions 6.4-7.3. In the meanwhile, we recommend to
     disable the libgtop_daemon on systems where it is running. This daemon
     is neither installed nor started (if installed) by default on SuSE

    - kernel updates
     A bug in the elf loader of the linux kernels version 2.4 from our
     announcement SSA:2001:036 can cause a system to crash if a user
     executes a vmlinux kernel image. We are preparing another update
     series to work around this problem and will re-issue the kernel
     announcement as soon as possible.


3)  standard appendix:

    SuSE runs two security mailing lists to which any interested party may
       -   general/linux/SuSE security discussion.
           All SuSE security announcements are sent to this list.
           To subscribe, send an email to
       -   SuSE's announce-only mailing list.
           Only SuSE's security announcements are sent to this list.
           To subscribe, send an email to

    For general information or the frequently asked questions (faq)
   send mail to:
       <> or
       <> respectively.

   SuSE's security contact is <>.


    The information in this advisory may be distributed or reproduced,
   provided that the advisory is not modified in any way.
   SuSE GmbH makes no warranties of any kind whatsoever with respect
   to the information contained in this security advisory.
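
The ftpglob() description in section 1 of the statement above concerns a bracket-matching scan that runs past the end of a buffer lacking its terminating \0. As an added illustration of that bug class (not wu-ftpd's or SuSE's code; the function names `find_closing_brace` and `braces_balanced` and the sample patterns are hypothetical), a bounded matcher that rejects unterminated buffers and unbalanced braces before any expansion or free(3) takes place:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not wu-ftpd code. Returns the index of the '}' that
 * closes the '{' at pattern[open], or -1 if the braces are unbalanced,
 * `open` is invalid, or no NUL terminator exists within `cap` bytes. */
long find_closing_brace(const char *pattern, size_t cap, size_t open)
{
    /* Refuse buffers that are not NUL-terminated inside their capacity. */
    const char *nul = memchr(pattern, '\0', cap);
    if (nul == NULL)
        return -1;
    size_t len = (size_t)(nul - pattern);
    if (open >= len || pattern[open] != '{')
        return -1;

    size_t depth = 0;
    for (size_t i = open; i < len; i++) {   /* never reads past the NUL */
        if (pattern[i] == '{') {
            depth++;
        } else if (pattern[i] == '}' && --depth == 0) {
            return (long)i;
        }
    }
    return -1;  /* input ended with a brace still open */
}

/* Pre-check a whole pattern: 1 if every brace is matched, else 0. */
int braces_balanced(const char *pattern, size_t cap)
{
    const char *nul = memchr(pattern, '\0', cap);
    if (nul == NULL)
        return 0;
    long depth = 0;
    for (const char *p = pattern; p < nul; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && --depth < 0)
            return 0;   /* closing brace with nothing open */
    }
    return depth == 0;
}

int main(void)
{
    const char ok[] = "a{b,c}d", bad[] = "{abc";   /* constructed samples */
    printf("%ld %ld\n", find_closing_brace(ok, sizeof ok, 1),
           find_closing_brace(bad, sizeof bad, 0));
    return 0;
}
```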



Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.



The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.