COMMAND

    wuftpd

SYSTEMS AFFECTED

    wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
    wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
    wu-ftpd-2.5.0
    BeroFTPD, all present versions

PROBLEM

    Michal Zalewski found the following. There's an overflow in wu-ftpd
    2.5 and prior releases (including VR and BeroFTPD) in mapped_path
    when mapping the current working directory to the command line.
    While Michal discovered this vulnerability by himself, he wishes not
    to provide exploit code, as all the other hard work has been done
    independently by someone else. Instead, there's a .diff file with a
    patch.

SOLUTION

    'typo' made Red Hat 4.2, 5.0 and 6.0 RPMs (and SRPMs) available at:

	http://teso.scene.at/wuftpd/

    He also corrected lcamtuf's patch so that it does not add a / to
    mapped_path every time the client tries to CWD after mapped_path is
    too long (this is purely cosmetic and not a security issue).

    The latest version of wu-ftpd from the WU-FTPD Development Group
    is 2.5.0; sites running earlier versions should upgrade to this
    version as soon as possible. The WU-FTPD Development Group has a
    patch available which corrects this vulnerability. The patch is
    available directly from the WU-FTPD Development Group's primary
    distribution site, and will be propagating to its mirrors shortly.
    Patches for version 2.5.0 are available at the primary
    distribution site:

	ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/

    The Debian package of wu-ftpd (2.5.0-3) has just been updated with
    this patch:

    --- wu-ftpd-2.5.0.orig/src/ftpd.c
    +++ wu-ftpd-2.5.0/src/ftpd.c
    @@ -1243,9 +1246,12 @@
	   }

	   /* append the dir part with a leading / unless at root */
    -      if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
    -              strcat( mapped_path, "/" );
    -      strcat( mapped_path, dir );
    +      if ( strlen( mapped_path ) + strlen( dir ) < MAXPATHLEN-2 ) {
    +              if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
    +                      strcat( mapped_path, "/" );
    +              strcat( mapped_path, dir );
    +      } else
    +             syslog( LOG_ERR, "mapped_path overflow: possible exploit attempt" );
     }

     int
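
    Review bot: the else branch added around the two strcat() calls only
    calls syslog() and then falls through to the closing brace, so the
    caller gets no indication that dir was not appended and mapped_path
    no longer matches the directory the client asked for; have the
    function report the failure so the CWD can be refused. The bound
    `strlen( mapped_path ) + strlen( dir ) < MAXPATHLEN-2` is also only
    safe if mapped_path holds at least MAXPATHLEN-1 bytes, which this
    hunk does not show; checking against the buffer's own size would
    keep the test and the declaration from drifting apart.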

    SuSE Linux is not vulnerable  to the new wu-ftpd security  breach.
    They ship wu-ftpd-2.4.2-beta-18, which doesn't use the mapped_path
    stuff.
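
    The kind of append the patch guards, written as a helper that checks
    against the buffer's own size and reports failure to its caller. This
    is an added example, not wu-ftpd or Debian code; the name path_append,
    the PATH_BUF size and the sample directory name are assumptions made
    for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a small stand-in for MAXPATHLEN so the limit is easy to reach. */
#define PATH_BUF 64

/* Hypothetical helper (not wu-ftpd code): append dir to path, adding a
 * separating '/' unless path is exactly "/". path lives in a buffer of cap
 * bytes. Returns 0 on success, -1 if the result would not fit; on failure
 * path is left unchanged so the caller can refuse the directory change. */
int path_append(char *path, size_t cap, const char *dir)
{
    const char *end = memchr(path, '\0', cap);
    size_t plen, dlen, sep;

    if (end == NULL)                    /* no NUL inside the buffer */
        return -1;
    plen = (size_t)(end - path);
    dlen = strlen(dir);
    sep = (plen == 1 && path[0] == '/') ? 0 : 1;

    /* Need plen + sep + dlen + 1 (NUL) <= cap. The first test keeps the
     * second from wrapping around for an absurdly long dir. */
    if (dlen >= cap - plen || sep + dlen >= cap - plen)
        return -1;

    if (sep)
        path[plen++] = '/';
    memcpy(path + plen, dir, dlen + 1); /* also copies the terminating NUL */
    return 0;
}

int main(void)
{
    char mapped_path[PATH_BUF] = "/";
    int depth = 0;

    /* Constructed input: keep changing into a 9-character directory name. */
    while (path_append(mapped_path, sizeof mapped_path, "aaaaaaaaa") == 0)
        depth++;

    /* A real server would log here and answer the CWD with an error. */
    printf("append refused at depth %d, path length %zu of %d\n",
           depth + 1, strlen(mapped_path), PATH_BUF);
    return 0;
}
```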