
WU-FTPD does not properly handle file name globbing

Published: 2001-11-28 00:00:00
Source: www.kb.cert.org

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.961 High
EPSS Percentile: 99.5%

Overview

SecurityFocus and CORE Security Technologies have reported a vulnerability in WU-FTPD. WU-FTPD does not handle file name globbing properly and may allow an attacker to execute arbitrary code. WU-FTPD is a widely-used FTP daemon that is included in many UNIX and Linux distributions. This vulnerability was discussed on SecurityFocus’ vuln-dev mailing list in April 2001.

Description

The CERT Coordination Center has received a report from SecurityFocus and CORE Security Technologies about a remote code execution vulnerability in the Washington University FTP daemon, WU-FTPD. The vulnerability manifests in WU-FTPD’s handling of file name globbing. The problem is not a typical buffer overflow or format string vulnerability, but a combination of two bugs: WU-FTPD’s globbing code does not properly return an error condition when interpreting the string ‘~{’, and later frees memory which may contain user supplied data.

When certain characters are encountered in the file name argument to an FTP command issued by a client, WU-FTPD calls its globbing code, which is implemented in glob.c. The globbing code should parse the argument string, set a variable if it encounters an error condition, and return a pointer to the expanded glob expression. The function that calls glob.c eventually uses free() to free the memory allocated to hold the expanded glob expression. A problem occurs when the globbing code fails to recognize the string ‘~{’ as a malformed argument and does not set the error variable. The pointer returned by the globbing code references memory on the heap that contains arbitrary data instead of the expanded glob expression. If an attacker can place code of their choice in the right position on the heap, WU-FTPD may execute that code when freeing the memory referenced by the pointer that was returned by the globbing code.
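The callee/caller contract this paragraph describes, as an added C illustration (not WU-FTPD's glob.c): expand_braces() stands in for the globbing routine and must either hand back a buffer it allocated or set globerr, and expand_and_release() is the caller that frees only when no error is flagged. The function names, the single-alternation {a,b} grammar and the sample patterns are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not WU-FTPD's glob.c. It models the contract the
 * advisory describes: the expander must either hand back a heap buffer
 * or flag an error, and the caller must check the flag before free(). */

static int globerr;   /* set to 1 by expand_braces() on malformed input */

/* Expand one {alt1,alt2,...} group in 'pattern' into a freshly malloc'd,
 * space-separated list of matches. Any malformed pattern (the '~{'
 * sequence, nested or unbalanced braces) sets globerr and returns NULL,
 * so the caller never receives a pointer that was not allocated here. */
char *expand_braces(const char *pattern)
{
    const char *open = NULL, *close = NULL;
    size_t plen = strlen(pattern);

    globerr = 0;
    for (const char *p = pattern; *p; p++) {
        if (*p == '{') {
            /* '~{' is the sequence the original code failed to reject. */
            if (open != NULL || (p > pattern && p[-1] == '~')) {
                globerr = 1;
                return NULL;
            }
            open = p;
        } else if (*p == '}') {
            if (open == NULL || close != NULL) {
                globerr = 1;
                return NULL;
            }
            close = p;
        }
    }
    if (open != NULL && close == NULL) {
        globerr = 1;
        return NULL;
    }

    if (open == NULL) {               /* nothing to expand: copy verbatim */
        char *copy = malloc(plen + 1);
        if (copy == NULL) { globerr = 1; return NULL; }
        memcpy(copy, pattern, plen + 1);
        return copy;
    }

    /* Size the output from the number of alternatives, then fill it. */
    size_t nalt = 1;
    for (const char *p = open + 1; p < close; p++)
        if (*p == ',') nalt++;
    size_t prefix_len = (size_t)(open - pattern);
    size_t body_len   = (size_t)(close - open - 1);
    size_t suffix_len = plen - (size_t)(close - pattern) - 1;
    char *out = malloc(nalt * (prefix_len + suffix_len + 1) + body_len + 1);
    if (out == NULL) { globerr = 1; return NULL; }

    char *w = out;
    const char *alt = open + 1;
    for (;;) {
        const char *end = memchr(alt, ',', (size_t)(close - alt));
        if (end == NULL) end = close;
        memcpy(w, pattern, prefix_len);        w += prefix_len;
        memcpy(w, alt, (size_t)(end - alt));   w += end - alt;
        memcpy(w, close + 1, suffix_len);      w += suffix_len;
        if (end == close) break;
        *w++ = ' ';
        alt = end + 1;
    }
    *w = '\0';
    return out;
}

/* Caller side: consult globerr before using or freeing the result.
 * Copies the expansion into 'dst' and returns 1, or returns 0 when the
 * pattern was rejected (in which case nothing is freed). */
int expand_and_release(const char *pattern, char *dst, size_t dstlen)
{
    char *expanded = expand_braces(pattern);
    if (globerr || expanded == NULL) {
        dst[0] = '\0';
        return 0;                     /* no allocation to release */
    }
    snprintf(dst, dstlen, "%s", expanded);
    free(expanded);                   /* only memory we allocated ourselves */
    return 1;
}

/* Yes/no helper: 1 when 'pattern' expands exactly to 'expected'. */
int expands_to(const char *pattern, const char *expected)
{
    char buf[128];
    return expand_and_release(pattern, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *samples[] = { "{a,b}c", "~{", "plain", "{a,b" };   /* constructed */
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = expand_and_release(samples[i], buf, sizeof buf);
        printf("%-8s -> %s\n", samples[i], ok ? buf : "rejected (globerr set)");
    }
    return 0;
}
```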

This vulnerability is potentially exploitable by any user who is able to log in to a vulnerable server, including users with anonymous access. If successful, an attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root. If unsuccessful, the thread servicing the request will fail, but WU-FTPD will not crash.

Note that BeroFTPD, which shares much of its code base with WU-FTPD, is also vulnerable. BeroFTPD is no longer separately maintained.


Impact

A remote attacker may be able to execute arbitrary code with the privileges of WU-FTPD, typically root.


Solution

Apply Patch
Apply the appropriate patch as described in the vendor section below. Alternatively, apply the patch provided by WU-FTPD.


Block or Restrict Access
Block or restrict access to the control port used by WU-FTPD, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPD.

Disable Anonymous Access
Disable anonymous FTP access. Note that this will only prevent unauthenticated users from attempting to exploit this vulnerability.

Disable Vulnerable Service
Disable WU-FTPD until a patch can be applied.


Vendor Information


BeroFTPD: Affected

Updated: December 17, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Messages on the vuln-dev mailing list indicate that BeroFTPD is vulnerable. Since BeroFTPD shares much of its code with WU-FTPD, BeroFTPD may be affected by other vulnerabilities in WU-FTPD. BeroFTPD was split from and has since been merged back into WU-FTPD.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23886083 Feedback>).

Caldera: Affected

Notified: November 21, 2001 Updated: February 15, 2002

Status

Affected

Vendor Statement

Caldera has released Caldera Security Advisory CSSA-2001-041.0 for Linux, CSSA-2001-SCO.36 for UnixWare and OpenUnix, and CSSA-2002-SCO.1 for OpenServer.

Caldera Linux:

<http://www.caldera.com/support/security/advisories/CSSA-2001-041.0.txt>

Caldera (SCO) UnixWare:

<ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.36.2/CSSA-2001-SCO.36.2.txt>

Caldera (SCO) Open UNIX:

<ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.36.2/CSSA-2001-SCO.36.2.txt>

Caldera (SCO) OpenServer:

<ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.1/CSSA-2002-SCO.1.txt>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Conectiva: Affected

Updated: November 30, 2001

Status

Affected

Vendor Statement


- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE : wu-ftpd
SUMMARY : Remote vulnerability in the wu-ftpd server
DATE : 2001-11-29 12:20:00
ID : CLA-2001:442
RELEVANT
RELEASES : 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

- -------------------------------------------------------------------------

DESCRIPTION
"wu-ftpd" is one of the ftp servers available in Conectiva Linux and
several other linux distributions.

CORE Security Technologies[1] reported[2] a vulnerability[3] in the
wu-ftpd ftp server that can be exploited remotely. The problem is in
the internal glob function used by wu-ftpd which allows an attacker
to corrupt memory space and execute arbitrary code remotely. There is
no need for a user account on the ftp server; this problem can be
abused by anonymous users as well.
This vulnerability was first reported[4] by Matt Power but was deemed
not exploitable at that time.

SOLUTION
All administrators who deploy wu-ftpd should upgrade immediately. If
an upgrade is not possible, then the service should be shut down, or
another ftp server should be used.

There is no need to restart the service after the upgrade because
wu-ftpd is started from inetd. The administrator might want to,
however, shut down all current connections which would still be using
the vulnerable copy to avoid a possible abuse by currently connected
users.


REFERENCES
1. <http://www.core-sdi.com>
2. <http://www.securityfocus.com/archive/1/242964>
3. <http://www.securityfocus.com/bid/3581>
4. <http://www.securityfocus.com/archive/82/180823>

DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
<ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/wu-ftpd-2.6.1-6U50_1cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/5.0/i386/wu-ftpd-2.6.1-6U50_1cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/wu-ftpd-2.6.1-6U51_1cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/5.1/i386/wu-ftpd-2.6.1-6U51_1cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/wu-ftpd-2.6.1-6U60_1cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/6.0/RPMS/wu-ftpd-2.6.1-6U60_1cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/wu-ftpd-2.6.1-6U70_1cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/7.0/RPMS/wu-ftpd-2.6.1-6U70_1cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/wu-ftpd-2.6.1-6U50_1cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/wu-ftpd-2.6.1-6U50_1cl.i386.rpm>
<ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/wu-ftpd-2.6.1-6U50_1cl.src.rpm>
<ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/wu-ftpd-2.6.1-6U50_1cl.i386.rpm>

ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):

rpm [cncbr] <ftp://atualizacoes.conectiva.com.br> 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples
can be found at <http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en>

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
<http://distro.conectiva.com.br/seguranca/chave/?idioma=en>
Instructions on how to check the signatures of the RPM packages can be
found at <http://distro.conectiva.com.br/seguranca/politica/?idioma=en>
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
<http://distro.conectiva.com.br/atualizacoes/?idioma=en>


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Debian: Affected

Notified: November 21, 2001 Updated: December 04, 2001

Status

Affected

Vendor Statement

- ------------------------------------------------------------------------
Debian Security Advisory DSA-087-1 [email protected]
<http://www.debian.org/security/> Wichert Akkerman
December 3, 2001
- ------------------------------------------------------------------------

Package : wu-ftpd
Problem type : remote root exploit
Debian-specific: no

CORE ST reports that an exploit has been found for a bug in the wu-ftpd glob code (this is the code that handles filename wildcard expansion). Any logged in user (including anonymous ftp users) can exploit the bug to gain root privilege on the server.

This has been corrected in version 2.6.0-6 of the wu-ftpd package.

wget url will fetch the file for you
dpkg -i file.deb will install the referenced file.

Debian GNU/Linux 2.2 alias potato


Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
Source archives:
<http://security.debian.org/dists/stable/updates/main/source/wu-ftpd_2.6.0-6.diff.gz>
MD5 checksum: 3b1b4c45157bd09811d22e5a0319800f
<http://security.debian.org/dists/stable/updates/main/source/wu-ftpd_2.6.0-6.dsc>
MD5 checksum: bb6cde87269f88b9fd8a8b2202a62ca4
<http://security.debian.org/dists/stable/updates/main/source/wu-ftpd_2.6.0.orig.tar.gz>
MD5 checksum: 652cfe4b59e0468eded736e7c281d16f
Architecture independent archives:
<http://security.debian.org/dists/stable/updates/main/binary-all/wu-ftpd-academ_2.6.0-6_all.deb>
MD5 checksum: 6e611c3988121914b79de3e2042a7313
Alpha architecture:
<http://security.debian.org/dists/stable/updates/main/binary-alpha/wu-ftpd_2.6.0-6_alpha.deb>
MD5 checksum: bf2a2603573577e86a14d57814a8133a
ARM architecture:
<http://security.debian.org/dists/stable/updates/main/binary-arm/wu-ftpd_2.6.1-6_arm.deb>
MD5 checksum: 073d205b811b077d0e2ea874b4e795e8
Intel IA-32 architecture:
<http://security.debian.org/dists/stable/updates/main/binary-i386/wu-ftpd_2.6.0-6_i386.deb>
MD5 checksum: c3fc484e08210d7a1363c93c9d29d6eb
PowerPC architecture:
<http://security.debian.org/dists/stable/updates/main/binary-powerpc/wu-ftpd_2.6.0-6_powerpc.deb>
MD5 checksum: 59272e14f5db909fa43b2eb0cfaf2277
Sun Sparc architecture:
<http://security.debian.org/dists/stable/updates/main/binary-sparc/wu-ftpd_2.6.0-6_sparc.deb>
MD5 checksum: f855d628c92c7d9eccc115b167555f98
These packages will be moved into the stable distribution on its next
revision.
For not yet released architectures please refer to the appropriate
directory <ftp://ftp.debian.org/debian/dists/sid/binary-$arch/> .


apt-get: deb <http://security.debian.org/> stable/updates main
dpkg-ftp: <ftp://security.debian.org/debian-security> dists/stable/updates/main
Mailing list: [email protected]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


FreeBSD: Affected

Notified: November 21, 2001 Updated: December 07, 2001

Status

Affected

Vendor Statement


=============================================================================
FreeBSD-SA-01:64 Security Advisory
FreeBSD, Inc.

Topic: wu-ftpd port contains remote root compromise

Category: ports
Module: wu-ftpd
Announced: 2001-12-04
Credits: CORE Security Technologies
Contact: Ivan Arce ([email protected])
Affects: Ports collection prior to the correction date
Corrected: 2001-11-28 10:52:26 UTC
FreeBSD only: NO

I. Background

wu-ftpd is a popular full-featured FTP server.

II. Problem Description

The wu-ftpd port, versions prior to wu-ftpd-2.6.1_7, contains a
vulnerability which allows FTP users, both anonymous FTP users and
those with valid accounts, to execute arbitrary code as root on
the local machine. This may be accomplished by inserting invalid
globbing parameters which are incorrectly parsed by the FTP server
into command input.

The wu-ftpd port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

FTP users, including anonymous FTP users, can cause arbitrary commands
to be executed as root on the local machine.

If you have not chosen to install the wu-ftpd port/package, then your
system is not vulnerable to this problem.

IV. Workaround

Deinstall the wu-ftpd port/package, if you have installed it.

V. Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the wu-ftpd port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
<ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/wu-ftpd-2.6.1_7.tgz>
<ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/wu-ftpd-2.6.1_7.tgz>

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources

NOTE: It may be several days before updated packages are available. Be
sure to check the file creation date on the package, because the
version number of the software has not changed.

3) download a new port skeleton for the wu-ftpd port from:

<http://www.freebsd.org/ports/>

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

<ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz>
<ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz>

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Path Revision
- -------------------------------------------------------------------------
ports/ftp/wu-ftpd/Makefile 1.41
ports/ftp/wu-ftpd/files/patch-ap 1.2
- -------------------------------------------------------------------------

VII. References

<URL:http://www.securityfocus.com/archive/1/242750>


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Immunix: Affected

Updated: November 29, 2001

Status

Affected

Vendor Statement

-----------------------------------------------------------------------

Immunix OS Security Advisory

Packages updated: wu-ftpd
Affected products: Immunix 7.0
Bugs fixed: immunix/1861
Date: Wed Nov 28 2001
Advisory ID: IMNX-2001-70-036-01
Author: Seth Arnold &lt;[email protected]&gt;
-----------------------------------------------------------------------

Description:
CORE Security Technologies has found a heap overflow problem in
wu-ftpd, related to the internal globbing functions. Because this is a
heap overflow, StackGuard does not prevent any possible exploits from
working.

Thomas Biege from SuSE has also discovered several format-string
problems that may or may not be remotely exploitable; these problems
were also found independently by someone else, who sadly is unknown to
WireX.

The wu-ftpd packages provided here fix these problems, as well as
other lesser problems.

References: <http://www.securityfocus.com/archive/1/242750>

Package names and locations:
Precompiled binary packages for Immunix 7.0 are available at:
<http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/wu-ftpd-2.6.1-6_imnx_4.i386.rpm>

Source package for Immunix 7.0 is available at:
<http://download.immunix.org/ImmunixOS/7.0/updates/SRPMS/wu-ftpd-2.6.1-6_imnx_4.src.rpm>

Immunix OS 7.0 md5sums:
c6c2fa2fa60f2cfe5b496ad0281fa486 RPMS/wu-ftpd-2.6.1-6_imnx_4.i386.rpm
e8a2e0a1f8abe59ad058b6fecc8a1c72 SRPMS/wu-ftpd-2.6.1-6_imnx_4.src.rpm

GPG verification:
Our public key is available at <http://wirex.com/security/GPG_KEY>.
*** NOTE*** This key is different from the one used in advisories
IMNX-2001-70-020-01 and earlier.

Online version of all Immunix 6.2 updates and advisories:
<http://immunix.org/ImmunixOS/6.2/updates/>

Online version of all Immunix 7.0-beta updates and advisories:
<http://immunix.org/ImmunixOS/7.0-beta/updates/>

Online version of all Immunix 7.0 updates and advisories:
<http://immunix.org/ImmunixOS/7.0/updates/>

NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
<ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/>
or one of the many mirrors available at:
<http://www.ibiblio.org/pub/Linux/MIRRORS.html>

ImmunixOS 6.2 is no longer officially supported.

Contact information:
To report vulnerabilities, please contact [email protected]. WireX
attempts to conform to the RFP vulnerability disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft: Affected

Notified: November 21, 2001 Updated: December 07, 2001

Status

Affected

Vendor Statement


________________________________________________________________________

Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name: wu-ftpd
Date: November 29th, 2001
Advisory ID: MDKSA-2001:090

Affected versions: 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1
________________________________________________________________________

Problem Description:

A vulnerability in wu-ftpd's ftpglob() function was found by the CORE
ST team. This vulnerability can be exploited to obtain root access on
the FTP server.
________________________________________________________________________

References:

<http://www.securityfocus.com/bid/3581>
________________________________________________________________________

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:
rpm --checksig package.rpm
You can get the GPG public key of the Mandrake Linux Security Team at
<http://www.linux-mandrake.com/en/security/RPM-GPG-KEYS>
If you use MandrakeUpdate, the verification of md5 checksum and GPG
signature is performed automatically for you.

Linux-Mandrake 7.1:
d8bf0ffaa36f4be0d82d2a497ca97012 7.1/RPMS/wu-ftpd-2.6.1-8.7mdk.i586.rpm
8527aaf8ead9756af936518cdcf0bf19 7.1/SRPMS/wu-ftpd-2.6.1-8.7mdk.src.rpm

Linux-Mandrake 7.2:
be0ad73a7e3559ded06615df10467cbe 7.2/RPMS/wu-ftpd-2.6.1-8.8mdk.i586.rpm
02a177500ce246b536980c8884cc40fb 7.2/SRPMS/wu-ftpd-2.6.1-8.8mdk.src.rpm

Mandrake Linux 8.0:
d56665d8af147c90ac6db88d1c87ff03 8.0/RPMS/wu-ftpd-2.6.1-11.1mdk.i586.rpm
c85387ec082fd92d82d36192b96ab85b 8.0/SRPMS/wu-ftpd-2.6.1-11.1mdk.src.rpm

Mandrake Linux 8.0 (PPC):
6fd48b377e4b0ea445e4c8efe46589bd ppc/8.0/RPMS/wu-ftpd-2.6.1-11.1mdk.ppc.rpm
c85387ec082fd92d82d36192b96ab85b ppc/8.0/SRPMS/wu-ftpd-2.6.1-11.1mdk.src.rpm

Mandrake Linux 8.1:
108dde2929cf812461b29bd8503b8cfc 8.1/RPMS/wu-ftpd-2.6.1-11.1mdk.i586.rpm
c85387ec082fd92d82d36192b96ab85b 8.1/SRPMS/wu-ftpd-2.6.1-11.1mdk.src.rpm

Corporate Server 1.0.1:
d8bf0ffaa36f4be0d82d2a497ca97012 1.0.1/RPMS/wu-ftpd-2.6.1-8.7mdk.i586.rpm
8527aaf8ead9756af936518cdcf0bf19 1.0.1/SRPMS/wu-ftpd-2.6.1-8.7mdk.src.rpm
________________________________________________________________________

Bug IDs fixed (see <https://qa.mandrakesoft.com> for more information):

________________________________________________________________________

To upgrade automatically, use MandrakeUpdate.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".

You can download the updates directly from one of the mirror sites
listed at:

<http://www.linux-mandrake.com/en/ftp.php3>.

Updated packages are available in the "updates/[ver]/RPMS/" directory.
For example, if you are looking for an updated RPM package for
Mandrake Linux 8.0, look for it in "updates/8.0/RPMS/". Updated source
RPMs are available as well, but you generally do not need to download
them.

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other security advisories for Mandrake Linux at:

<http://www.linux-mandrake.com/en/security/>

If you want to report vulnerabilities, please contact

[email protected]
________________________________________________________________________

Mandrake Linux has two security-related mailing list services that
anyone can subscribe to:

[email protected]

Mandrake Linux's security announcements mailing list. Only
announcements are sent to this list and it is read-only.

[email protected]

Mandrake Linux's security discussion mailing list. This list is open
to anyone to discuss Mandrake Linux security specifically and Linux
security in general.

To subscribe to either list, send a message to
[email protected]
with "subscribe [listname]" in the body of the message.

To remove yourself from either list, send a message to
[email protected]
with "unsubscribe [listname]" in the body of the message.

To get more information on either list, send a message to
[email protected]
with "info [listname]" in the body of the message.

Optionally, you can use the web interface to subscribe to or unsubscribe
from either list:

<http://www.linux-mandrake.com/en/flists.php3#security>
________________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <[email protected]>


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


RedHat: Affected

Notified: November 21, 2001 Updated: November 30, 2001

Status

Affected

Vendor Statement

---------------------------------------------------------------------

Red Hat, Inc. Red Hat Security Advisory

Synopsis: Updated wu-ftpd packages are available
Advisory ID: RHSA-2001:157-06
Issue date: 2001-11-20
Updated on: 2001-11-26
Product: Red Hat Linux
Keywords: wu-ftpd buffer overrun glob ftpglob
Cross references:
Obsoletes: RHSA-2000:039
---------------------------------------------------------------------

1. Topic:

Updated wu-ftpd packages are available to fix an overflowable buffer.

2. Relevant releases/architectures:

Red Hat Linux 6.2 - alpha, i386, sparc

Red Hat Linux 7.0 - alpha, i386

Red Hat Linux 7.1 - alpha, i386, ia64

Red Hat Linux 7.2 - i386

3. Problem description:

An overflowable buffer exists in earlier versions of wu-ftpd.
An attacker could gain access to the machine by sending malicious
commands.

It is recommended that all users of wu-ftpd upgrade to the latest
version.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (<http://bugzilla.redhat.com/bugzilla> for more info):

6. RPMs required:

Red Hat Linux 6.2:

SRPMS:
<ftp://updates.redhat.com/6.2/en/os/SRPMS/wu-ftpd-2.6.1-0.6x.21.src.rpm>

alpha:
<ftp://updates.redhat.com/6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm>

i386:
<ftp://updates.redhat.com/6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm>

sparc:
<ftp://updates.redhat.com/6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm>

Red Hat Linux 7.0:

SRPMS:
<ftp://updates.redhat.com/7.0/en/os/SRPMS/wu-ftpd-2.6.1-16.7x.1.src.rpm>

alpha:
<ftp://updates.redhat.com/7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm>

i386:
<ftp://updates.redhat.com/7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm>

Red Hat Linux 7.1:

SRPMS:
<ftp://updates.redhat.com/7.1/en/os/SRPMS/wu-ftpd-2.6.1-16.7x.1.src.rpm>

alpha:
<ftp://updates.redhat.com/7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm>

i386:
<ftp://updates.redhat.com/7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm>

ia64:
<ftp://updates.redhat.com/7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm>

Red Hat Linux 7.2:

SRPMS:
<ftp://updates.redhat.com/7.2/en/os/SRPMS/wu-ftpd-2.6.1-20.src.rpm>

i386:
<ftp://updates.redhat.com/7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm>

7. Verification:

MD5 sum Package Name
--------------------------------------------------------------------------
a33d4557c473b88cc7bed8718bd07a2f 6.2/en/os/SRPMS/wu-ftpd-2.6.1-0.6x.21.src.rpm
da84b22853f1048d45803ebeec8d061c 6.2/en/os/alpha/wu-ftpd-2.6.1-0.6x.21.alpha.rpm
281fa607c3f6479e369673cb9247d169 6.2/en/os/i386/wu-ftpd-2.6.1-0.6x.21.i386.rpm
20bf731056d48351d2194956f4762091 6.2/en/os/sparc/wu-ftpd-2.6.1-0.6x.21.sparc.rpm
52406d7ddd2c14c669a8c9203f99ac5c 7.0/en/os/SRPMS/wu-ftpd-2.6.1-16.7x.1.src.rpm
35315a5fa466beb3bdc26aa4fc1c872f 7.0/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm
c97683b85603d34853b3825c9b694f20 7.0/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm
52406d7ddd2c14c669a8c9203f99ac5c 7.1/en/os/SRPMS/wu-ftpd-2.6.1-16.7x.1.src.rpm
35315a5fa466beb3bdc26aa4fc1c872f 7.1/en/os/alpha/wu-ftpd-2.6.1-16.7x.1.alpha.rpm
c97683b85603d34853b3825c9b694f20 7.1/en/os/i386/wu-ftpd-2.6.1-16.7x.1.i386.rpm
56af9e1de2b3d532e1e4dce18636f6c4 7.1/en/os/ia64/wu-ftpd-2.6.1-16.7x.1.ia64.rpm
efd2a876ad8d7c4879d3eeaeeec7fcef 7.2/en/os/SRPMS/wu-ftpd-2.6.1-20.src.rpm
7306f24d3d7d518068c5e08959d43bdd 7.2/en/os/i386/wu-ftpd-2.6.1-20.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
<http://www.redhat.com/about/contact/pgpkey.html>

You can verify each package with the following command:
rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>

8. References:

Copyright(c) 2000, 2001 Red Hat, Inc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23886083 Feedback>).

SuSE: Affected

Updated: November 29, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
SuSE Security Announcement
Package:                wuftpd
Announcement-ID:        SuSE-SA:2001:043
Date:                   Wednesday, Nov. 28th, 2001 23:45 MET
Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
Vulnerability Type:     remote root compromise
Severity (1-10):        7
SuSE default package:   no
Other affected systems: all linux-like systems using wu-ftpd 2.4.x / 2.6.0 / 2.6.1

Content of this advisory:

  1. security vulnerability resolved: wuftpd
     problem description, discussion, solution and upgrade information
  2. pending vulnerabilities, solutions, workarounds
  3. standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion, solution, upgrade information

The wuftpd package as shipped with SuSE Linux distributions comes with
two versions of wuftpd: wuftpd-2.4.2, installed as /usr/sbin/wuftpd,
and wuftpd-2.6.0, installed as /usr/sbin/wuftpd-2.6.
The admin decides which version to use by the inetd/xinetd
configuration.

The CORE ST Team had found an exploitable bug in all versions of wuftpd’s
ftpglob() function.
The glob function overwrites buffer bounds while matching open and closed
brackets. Due to a missing \0 at the end of the buffer a later call to a
function that frees allocated memory will feed free(3) with user-defined
data. This bug could be exploited depending on the implementation of
the dynamic allocatable memory API (malloc(3), free(3)) in the libc
library. Linux and other systems are exploitable!

Some weeks ago, an internal source code audit of wu-ftpd 2.6.0 performed
by Thomas Biege, SuSE Security, revealed some other security related bugs
that are fixed in the new RPM packages. Additionally, code from wu-ftpd
2.6.1 was backported to version 2.6.0 to make it more stable.

A temporary fix other than using a different server implementation of
the ftp protocol is not available. We recommend updating the wuftpd
package on your system.

We thank the wuftpd team for their work on the bug, particularly because
the coordination between the vendors and the wuftpd developers lacked
the necessary discipline for the timely release of the information
about the problem.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command “rpm -Uhv file.rpm” to apply
the update.

i386 Intel Platform:

SuSE-7.3
  <ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-344.i386.rpm>
  d1b549b8c2d91d66a8b35fe17a1943b3
  source rpm: <ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/wuftpd-2.6.0-344.src.rpm>
  9ef0e6ac850499dc0150939c62bc146f

SuSE-7.2
  <ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-344.i386.rpm>
  4583443a993107b26529331fb1e6254d
  source rpm: <ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/wuftpd-2.6.0-344.src.rpm>
  aaee0343670feae70ccc9217a8e22211

SuSE-7.1
  <ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/wuftpd-2.6.0-346.i386.rpm>
  347a030a85cb5fcbe32d3d79d382e19e
  source rpm: <ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/wuftpd-2.6.0-346.src.rpm>
  aa3e53641f6ce0263196e6f1cb0447c3

SuSE-7.0
  <ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/wuftpd-2.6.0-344.i386.rpm>
  e34eec18ecc10f187f6aa1aa3b24b75b
  source rpm: <ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/wuftpd-2.6.0-344.src.rpm>
  fafc8c2bbd68dd5ca3d04228433c359a

SuSE-6.4
  <ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/wuftpd-2.6.0-344.i386.rpm>
  2354abe95b056762c7f6584449291ff2
  source rpm: <ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/wuftpd-2.6.0-344.src.rpm>
  507b8d484b13737c9d2b6a68fda0cc26

SuSE-6.3
  <ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/wuftpd-2.6.0-347.i386.rpm>
  9851ad02e656bba8b5e02ed2ddb46845
  source rpm: <ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/wuftpd-2.6.0-347.src.rpm>
  5d7c4b6824836ca28b228cc5dcfc4fd6

Sparc Platform:

SuSE-7.3
  <ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-240.sparc.rpm>
  2d19e4ead17396a1e28fca8745f9629d
  source rpm: <ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/wuftpd-2.6.0-240.src.rpm>
  bdb0b5ddd72f8563db3c8e444a0df7f5

SuSE-7.1
  <ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/wuftpd-2.6.0-242.sparc.rpm>
  f6b04f284bece6bf3700facccc015ffe
  source rpm: <ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/wuftpd-2.6.0-242.src.rpm>
  1660547ac9a5a3b32a4070d69803cf18

SuSE-7.0
  <ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/wuftpd-2.6.0-241.sparc.rpm>
  1bd905b095b9a4bb354fc190b6e54a01
  source rpm: <ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/wuftpd-2.6.0-241.src.rpm>
  597263eb7d0fbbf242d519d3c126a441

AXP Alpha Platform:

SuSE-7.1
  <ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/wuftpd-2.6.0-252.alpha.rpm>
  e608bfd2cc9e511c6eb6932c33c68789
  source rpm: <ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/wuftpd-2.6.0-252.src.rpm>
  34915af1ca79b27bad8bc2fd3a5cab05

SuSE-7.0
  <ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/wuftpd-2.6.0-251.alpha.rpm>
  86a7d8f60d76a053873bcc13860b0bbb
  source rpm: <ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/wuftpd-2.6.0-251.src.rpm>
  9674f9f1630b3107ac22d275705da76e

SuSE-6.4
  <ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/wuftpd-2.6.0-251.alpha.rpm>
  2501444a1e4241e8f6f4cdcc6fd133b0
  source rpm: <ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/wuftpd-2.6.0-251.src.rpm>
  34812d943900bdb902ad7edd40e1943f

SuSE-6.3
  <ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/wuftpd-2.6.0-250.alpha.rpm>
  429a49ef9d4d0865fbb443c212b8a8c7
  source rpm: <ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/wuftpd-2.6.0-250.src.rpm>
  76467dae0f460677ba80ec907eefca28

PPC Power PC Platform:

SuSE-7.3
  <ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-277.ppc.rpm>
  a381269b3e2fc43fda59e4d08aef57ae
  source rpm: <ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/wuftpd-2.6.0-277.src.rpm>
  7cacb696a88e57a843402a796212aee6

SuSE-7.1
  <ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/wuftpd-2.6.0-277.ppc.rpm>
  bfc39be2c09323d96f974fdd0c73fda1
  source rpm: <ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/wuftpd-2.6.0-277.src.rpm>
  e2681b2ed4801ce14b5dfb926480ac51

SuSE-7.0
  <ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/wuftpd-2.6.0-279.ppc.rpm>
  19f989e637fd9b6fa652f8a4014bb7b1
  source rpm: <ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/wuftpd-2.6.0-279.src.rpm>
  76c493a915691c51a2481f0925e8ce39

SuSE-6.4
  <ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/wuftpd-2.6.0-278.ppc.rpm>
  ad29cf172bbd03a5e1f301cf6b9404e5
  source rpm: <ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/wuftpd-2.6.0-278.src.rpm>
  82338702692eba599d8c3d242aff3d1a

______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- ssh/openssh exploits
  The wrong fix for the crc32-compensation attack is currently actively
  exploited in the internet for both the ssh and the openssh implementation
  of the ssh-1 protocol. We urge our users to upgrade their ssh or openssh
  packages to the latest versions that are located on our ftp server at the
  usual directories, referred to via
  <http://www.suse.de/de/support/security/adv004_ssh.txt> from February
  earlier this year.
  Please note, the packages for the SuSE Linux distributions 7.0 and older
  containing cryptographic code are located on the German ftp server
  ftp.suse.de, the distributions 7.1 and newer have their crypto updates on
  ftp.suse.com. There are legal constraints beyond our control that lead to
  this situation.
  Openssh packages of the version 2.9.9p2 are ready to download on the ftp
  server ftp.suse.com. They fix the security problems mentioned above, along
  with a set of less serious security problems. The announcement is still
  pending while investigations about the status of the package are in
  progress.

- libgtop_daemon The libgtop_daemon, part of the libgtop package for gathering and monitoring process and system information, has been found vulnerable to a format string error. We are in the process of providing fixes for the affected distributions 6.4-7.3. In the meanwhile, we recommend to disable the libgtop_daemon on systems where it is running. This daemon is neither installed nor started (if installed) by default on SuSE Systems.

- kernel updates A bug in the elf loader of the linux kernels version 2.4 from our announcement SSA:2001:036 can cause a system to crash if a user executes a vmlinux kernel image. We are preparing another update series to workaround this problem and will re-issue the kernel announcement as soon as possible.

______________________________________________________________________________
3) standard appendix:

SuSE runs two security mailing lists to which any interested party may subscribe:

[email protected]
  • general/linux/SuSE security discussion.
    All SuSE security announcements are sent to this list.
    To subscribe, send an email to <[email protected]>.

[email protected]
  • SuSE’s announce-only mailing list.
    Only SuSE’s security announcements are sent to this list.
    To subscribe, send an email to <[email protected]>.

For general information or the frequently asked questions (faq)
send mail to:
  <[email protected]> or
  <[email protected]> respectively.

===============================================
SuSE’s security contact is <[email protected]>.
===============================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBPAVrBHey5gA9JdPZAQFhHwf/Vw7FQu1H4TXqi3qHVaTK9S1o8lCFSvko
SS8aDJbmWSS0KXTF8iEI/tASxfk7sAE55QrBASjVC8drmAowhO1Xhw52esDdYeZX
2ygNhzVj0XRZ30e/ZjjBBhWXT91EP9F9h3R5T56BKJH1WVb5dmgVrLoiTqK1rafk
mXezFnhDqRzvMZWfJGlO4peuum8tBO8Eh8wXMhx6nXFOS71Cv0I4Em1tKeFrujjQ
kGf8CRexJZC3lr8PnAuyctdkdFInIC/KyroALmAsC/sQ0TR/YONi50BhYaeTV5Sc
jM4ENMmnF2VZ2C+iH1tJpUYHxgM6WoRHpE1aSFRDUMSxhiU1ifo6TQ==
=fm+e
-----END PGP SIGNATURE-----
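The mechanism the SuSE advisory above describes (an expander that does not reject the malformed ‘~{’ input, and a later free() that receives user-supplied data) is modelled below as an added example written for this page. It is neither SuSE's code nor the wu-ftpd ftpglob() source: the shared scratch buffer, the single-level brace expansion, the /home/<user> tilde mapping and the function names glob_expand and process_pattern are all assumptions made for the illustration. The vulnerable error path sits beside the fixed one, and the caller shows where the bad pointer would otherwise reach free(3).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GLOB_MAX 256

/* Scratch buffer the expander works in: the client's pattern is copied here,
 * so its contents are attacker controlled (assumed layout for this model). */
static char scratch[GLOB_MAX];

/* Expand one brace group "pre{a,b,c}post" into "prea preb prec" (one level,
 * no nesting). Returns a malloc()ed string, NULL if '{' is unbalanced. */
static char *expand_braces(const char *pat)
{
    const char *open = strchr(pat, '{');
    if (open == NULL) {                                 /* nothing to expand */
        char *copy = malloc(strlen(pat) + 1);
        return copy ? strcpy(copy, pat) : NULL;
    }
    const char *close = strchr(open, '}');
    if (close == NULL)
        return NULL;                                    /* unbalanced '{' */
    size_t prelen = (size_t)(open - pat);
    /* Bound: at most strlen(pat) alternatives of strlen(pat)+1 bytes each. */
    char *out = malloc((strlen(pat) + 1) * (strlen(pat) + 2));
    if (out == NULL)
        return NULL;
    out[0] = '\0';
    for (const char *alt = open + 1; alt <= close; ) {
        const char *end = alt;
        while (end < close && *end != ',')
            end++;
        if (out[0] != '\0')
            strcat(out, " ");
        strncat(out, pat, prelen);                      /* prefix          */
        strncat(out, alt, (size_t)(end - alt));         /* one alternative */
        strcat(out, close + 1);                         /* suffix          */
        alt = end + 1;
    }
    return out;
}

/* On success returns a malloc()ed expansion with *err == 0; on malformed input
 * it must set *err and return NULL. With fixed == 0 it reproduces the bug:
 * "~{" is not rejected, *err stays 0, and the pointer handed back is the
 * scratch buffer, which was never malloc()ed. */
char *glob_expand(const char *pattern, int *err, int fixed)
{
    char *out;
    *err = 0;
    snprintf(scratch, sizeof scratch, "%s", pattern);   /* copy, truncating */
    if (scratch[0] != '~') {
        out = expand_braces(scratch);
    } else if (scratch[1] == '{') {
        if (!fixed)
            return scratch;                  /* BUG: user data, *err still 0 */
        *err = 1;                            /* fix: flag it, return no pointer */
        return NULL;
    } else {
        /* "~" or "~user/...": home expansion modelled as "/home/<user>/..."
         * (assumed mapping; "ftp" when no user is named). */
        char home[GLOB_MAX + 8];
        snprintf(home, sizeof home, "/home/%s", scratch[1] ? scratch + 1 : "ftp");
        out = expand_braces(home);
    }
    if (out == NULL)
        *err = 1;
    return out;
}

/* Models the daemon code that uses the expansion and frees it. Returns 0 on
 * success (expansion copied into result), 1 if the expander reported an error,
 * 2 if it was about to free() a pointer that is not a malloc() result: the
 * free(3) of user data the real daemon performed. That check is possible only
 * because this model has one non-heap pointer; free(3) itself cannot tell. */
int process_pattern(const char *pattern, int fixed, char *result, size_t cap)
{
    int err = 0;
    char *exp = glob_expand(pattern, &err, fixed);
    if (err || exp == NULL)
        return 1;
    if (exp == scratch)
        return 2;
    snprintf(result, cap, "%s", exp);
    free(exp);
    return 0;
}

int main(void)
{
    const char *in[] = { "pub/{a,b}.txt", "~ftp/pub", "{a", "~{" };
    char buf[128];
    for (int fixed = 0; fixed < 2; fixed++)
        for (int i = 0; i < 4; i++) {
            int rc = process_pattern(in[i], fixed, buf, sizeof buf);
            printf("%-5s %-14s rc=%d %s\n", fixed ? "fixed" : "vuln", in[i],
                   rc, rc ? "" : buf);
        }
    return 0;
}
```

Built with cc -Wall, the vuln run reports rc=2 for ‘~{’: that is the point at which the real daemon handed free(3) a pointer it never got from malloc(). The model can only notice this by comparing against its single non-heap pointer; a real allocator has no such check, which is why the bug corrupts the heap instead of failing cleanly. The fix covers both halves of the problem as the advisory text describes it: the expander must report malformed input and return nothing usable, and the caller must free only what a successful expansion returned.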


Sun: Affected

Notified: November 21, 2001 Updated: November 30, 2001

Status

Affected

Vendor Statement

Sun [Solaris] does not ship WU-FTPD, thus Solaris is not affected by these issues.

The only Sun Cobalt Server Appliance that is vulnerable to this exploit is the Qube1. The Qube1 is no longer a supported appliance, but we do understand the need of having updates available. The following RPM is not officially supported by Sun Cobalt, but offers legacy customers the ability to maintain a limited level of security.

Qube1:

<ftp://ftp.cobaltnet.com/pub/unsupported/qube1/rpms/wu-ftpd-2.6.1-C1.NOPAM.mips.rpm>

<ftp://ftp.cobaltnet.com/pub/unsupported/qube1/srpms/wu-ftpd-2.6.1-C1.NOPAM.src.rpm>


Turbolinux: Affected

Updated: February 04, 2002

Status

Affected

Vendor Statement

___________________________________________________________________________

Turbolinux Security Announcement

Package:                      wu-ftpd
Vulnerable Packages:          Versions previous to wu-ftpd-2.6.1-10
Date:                         Wed Jan 23 12:26:21 PST 2002
Affected Turbolinux versions: previous to wu-ftpd-2.6.1-10
Turbolinux Advisory ID#:      TLSA2002002
Credits:                      <http://www.debian.org/security/2001/dsa-087>

A security hole was discovered in the package mentioned above.
Please update the package in your installation as soon as possible.

1. Problem Summary
CORE ST reports that an exploit has been found for a bug in the wu-ftpd
glob code. This is the code that handles filename wild card expansion.

2. Impact
Any logged in user (including anonymous FTP users) can exploit the bug to
gain root privileges on the server.

3. Solution
This has been corrected in version wu-ftpd-2.6.1-10
Update the package from our ftp server by running the following command:
rpm -Uvh ftp://ftp.turbolinux.com/pub/updates/6.0/security/<rpm>
Where <rpm> are the following:
wu-ftpd-2.6.1-10.i386.rpm
The source RPM can be downloaded from:
<ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/wu-ftpd-2.6.1-10.src.rpm>
**Note: You must rebuild and install the RPM if you choose to download
and install the SRPM. Simply installing the SRPM alone WILL NOT CLOSE
THE SECURITY HOLE.

Please verify the MD5 checksums of the updates before you install:
MD5 sum                          Package Name
---------------------------------------------------------------------------
370d61d7c3a74180a1532bf462a460de wu-ftpd-2.6.1-10.i386.rpm
1d259c40e1c744d72d8bb8724f9ebe47 wu-ftpd-2.6.1-10.src.rpm

These packages are GPG signed by Turbolinux for security. Our key
is available here:
<http://www.turbolinux.com/security/tlgpgkey2002-01-09.asc>

To verify a package, use the following command:
rpm --checksig name_of_rpm

To examine only the md5sum, use the following command:
rpm --checksig --nogpg name_of_rpm

**Note: Checking GPG keys requires RPM 3.0 or higher.
___________________________________________________________________________
You can find more updates on our ftp server:
<ftp://ftp.turbolinux.com/pub/updates/6.0/security/> for TL6.0 Workstation
and Server security updates
<ftp://ftp.turbolinux.com/pub/updates/7.0/security/> for TL7.0 Workstation
and Server security updates
Our web page for security announcements:
<http://www.turbolinux.com/security>
If you want to report vulnerabilities, please contact:
[email protected]

Subscribe to the Turbolinux Security Mailing lists:
TL-security - A moderated list for discussing security issues
Turbolinux products.
Subscribe at <http://www.turbolinux.com/mailman/listinfo/tl-security>
TL-security-announce - An announce-only mailing list for security updates
and alerts.
Subscribe at:
<http://www.turbolinux.com/mailman/listinfo/tl-security-announce>
___________________________________________________________________________


WU-FTPD Development Group: Affected

Notified: November 20, 2001 Updated: November 30, 2001

Status

Affected

Vendor Statement

The WU-FTPD Development Group has released a patch that addresses this issue in WU-FTPD 2.6.1:

<ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.1/ftpglob.patch>

WU-FTPD 2.6.2 is available and addresses this issue:

<ftp://ftp.wu-ftpd.org/pub/wu-ftpd/>


Cray: Not Affected

Notified: November 21, 2001 Updated: November 29, 2001

Status

Not Affected

Vendor Statement

Cray, Inc. is not vulnerable since the ftp supplied with UNICOS and UNICOS/mk is not based on the Washington University version.


Fujitsu: Not Affected

Notified: November 21, 2001 Updated: November 30, 2001

Status

Not Affected

Vendor Statement

Regarding VU#886083 and VU#639760 (WU-FTPD vulnerabilities), UXP/V is not vulnerable, because UXP/V does not support WU-FTPD.


Hewlett Packard: Not Affected

Notified: November 21, 2001 Updated: November 26, 2001

Status

Not Affected

Vendor Statement

This vulnerability was addressed in HPSBUX0107-162 which was released on July 19, 2001.


IBM: Not Affected

Notified: November 21, 2001 Updated: November 27, 2001

Status

Not Affected

Vendor Statement

IBM’s AIX operating system does not use WU-FTPd, hence is not vulnerable to the exploit described by CORE ST.


NcFTP Software: Not Affected

Notified: November 27, 2001 Updated: November 30, 2001

Status

Not Affected

Vendor Statement

All versions of NcFTPd Server are not vulnerable to the problems described by VU#886083 and VU#639760.


OpenBSD: Not Affected

Notified: November 21, 2001 Updated: November 28, 2001

Status

Not Affected

Vendor Statement

OpenBSD does not use WU-FTPd.


SGI: Not Affected

Notified: November 21, 2001 Updated: November 27, 2001

Status

Not Affected

Vendor Statement

SGI does not ship IRIX with WU-FTPd, so IRIX is not vulnerable to these issues.


Compaq Computer Corporation: Unknown

Notified: November 21, 2001 Updated: February 04, 2002

Status

Unknown

Vendor Statement

This reported problem could not be exploited on Compaq Tru64/UNIX Operating Systems Software. WU-FTPD 2.6.1 is shipped on the Internet Express CD.


Acknowledgements

The CERT Coordination Center thanks CORE Security Technologies and Greg Lundberg for information used in this document. Matt Power of BindView originally reported this condition on the vuln-dev mailing list.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2001-0550
CERT Advisory: CA-2001-33
Severity Metric:
