Immunix Information for VU#886083

WU-FTPD does not properly handle file name globbing



Vendor Statement


        Immunix OS Security Advisory

Packages updated:       wu-ftpd
Affected products:      Immunix 7.0
Bugs fixed:             immunix/1861
Date:                   Wed Nov 28 2001
Advisory ID:            IMNX-2001-70-036-01
Author:                 Seth Arnold <>

  CORE Security Technologies has found a heap overflow problem in
  wu-ftpd, related to the internal globbing functions. Because this is a
  heap overflow, StackGuard does not prevent any possible exploits from

  Thomas Biege from SuSE has also discovered several format-string
  problems that may or may not be remotely exploitable; these problems
  were also found independently by someone else, who sadly is unknown to

  The wu-ftpd packages provided here fix these problems, as well as
  other lesser problems.


Package names and locations:
  Precompiled binary packages for Immunix 7.0 are available at:

  Source package for Immunix 7.0 is available at:

Immunix OS 7.0 md5sums:
  c6c2fa2fa60f2cfe5b496ad0281fa486  RPMS/wu-ftpd-2.6.1-6_imnx_4.i386.rpm
  e8a2e0a1f8abe59ad058b6fecc8a1c72  SRPMS/wu-ftpd-2.6.1-6_imnx_4.src.rpm

GPG verification:
  Our public key is available at <>.
  *** NOTE *** This key is different from the one used in advisories
  IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:

Online version of all Immunix 7.0-beta updates and advisories:

Online version of all Immunix 7.0 updates and advisories:

  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
  or one of the many mirrors available at:

  ImmunixOS 6.2 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact WireX
  attempts to conform to the RFP vulnerability disclosure protocol

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.
