COMMAND

    bftpd

SYSTEMS AFFECTED

    bftpd-1.0.13

PROBLEM

    Bialleux Christophe found the following.  There is a potential
    buffer overflow vulnerability in the "SITE CHOWN" command.

        230 User logged in.
        site chown AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.AAAAAAAAAA A
        550 User 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' not found.
        Connection closed by foreign host.


        gdb /usr/sbin/bftpd 18214
        .............
        Loaded symbols for /lib/libnss_compat.so.2
        Reading symbols from /lib/libnsl.so.1...done.
        Loaded symbols for /lib/libnsl.so.1
        0x400e7514 in read () from /lib/libc.so.6
        (gdb) c
        Continuing.
        Program received signal SIGSEGV, Segmentation fault.
        0x41414141 in ?? ()
        (gdb) x $esp
        0xbffffc68:     0x41414141
        (gdb)

    The problem is in the command_chown function in commands.c, where
    sscanf() writes into fixed-size stack buffers with no field-width
    limit:

        void command_chown(char *params) {
          char foo[USERLEN + 1], owner[USERLEN + 1], group[USERLEN + 1], filename[256];
          int uid, gid;
          if(!strstr(params, " ")) {
            fprintf(stderr, "550 Usage: SITE CHOWN <owner>[.<group>] <filename>\r\n");
            return;
          }
          /* no field widths: foo and filename can be written past their end */
          sscanf(params, "%[^ ] %s", foo, filename);
          if(strstr(foo, "."))
            /* no field widths: owner and group can be written past their end */
            sscanf(foo, "%[^.].%s", owner, group);
          else {
            strcpy(owner, foo);
            group[0] = '\0';
          }
          if(!sscanf(owner, "%i", &uid)) /* Is it a number? */
            if(((uid = mygetpwnam(owner, passwdfile))) < 0) {
              fprintf(stderr, "550 User '%s' not found.\r\n", owner);
              return;
            }
          /* the rest of the function is not shown in the advisory */

SOLUTION

    In /etc/bftpd.conf, replace

        ENABLE_SITE=yes

    with

        ENABLE_SITE=no