tlug: FTP client buffer overflow [SECURITY]

To: "Tokyo Linux Users' Group" <tlug@example.com>
Subject: tlug: FTP client buffer overflow [SECURITY]
From: Scott Stone <sstone@example.com>
Date: Thu, 17 Dec 1998 09:23:04 +0900 (JST)
Content-Type: TEXT/PLAIN; charset=US-ASCII
Reply-To: tlug@example.com
Sender: owner-tlug@example.com


Someone, I believe it was Christian Gafton at Redhat, found a buffer
overflow in the standard FTP client.  Redhat, Caldera, and PHT have posted
fixes - I don't have URLs for Redhat and Caldera's fixes (I assume you
should look in the Usual Places), but for TL 2.0, 3.0, or 3.0.1 (E or J),
get the RPM:

ftp.pht.com:/pub/turbolinux-3.0-updates/i386/ftp-0.10-2.i386.rpm
                                       /SRPMS/ftp-0.10-2.src.rpm


note that we've also stopped putting TL in the release number.  This is to
let people know that our packages aren't going to self-destruct if not
used with TL, or something to that affect.  Anyway, here's the patch
that's applied to the FTP client, in case you want to see what's been
done:

-- cut here, unified diff patch follows --

--- netkit-ftp-0.10/ftp/ftp.c.ovr	Thu Mar 20 21:02:13 1997
+++ netkit-ftp-0.10/ftp/ftp.c	Tue Dec 15 16:42:46 1998
@@ -394,7 +394,8 @@
 			if (dig > 4 && pflag == 1 && isdigit(c))
 				pflag = 2;
 			if (pflag == 2) {
-				if (c != '\r' && c != ')')
+				if ( (strlen(pasv) <= sizeof(pasv) - 1) &&
+				    (c != '\r') && (c != ')'))
 					*pt++ = c;
 				else {
 					*pt = '\0';
@@ -811,7 +812,8 @@
 				return;
 			}
 		}
-		else if (runique && (local = gunique(local)) == NULL) {
+		else if (runique && (strcmp(cmd,"NLST") != 0) &&
+			 (local = gunique(local)) == NULL) {
 			(void) signal(SIGINT, oldintr);
 			code = -1;
 			return;
--- netkit-ftp-0.10/ftp/cmds.c.ovr	Sun Jun  8 16:07:19 1997
+++ netkit-ftp-0.10/ftp/cmds.c	Tue Dec 15 16:41:26 1998
@@ -131,7 +131,7 @@
 setpeer(int argc, char *argv[])
 {
 	char *host;
-	short port;
+	unsigned short port;
 
 	if (connected) {
 		printf("Already connected to %s, use close first.\n",


--------------------------------------------------
Scott M. Stone <sstone@example.com, sstone@example.com>
Head of TurboLinux Development/Systems Administrator
Pacific HiTech, Inc (USA) / Pacific HiTech, KK (Japan)


------------------------------------------------------------------
Next Nomikai: 15 January 1999, 19:30 Tengu TokyoEkiMae 03-3275-3691
Next Technical Meeting: 13 February, 12:30               Place: TBD
------------------------------------------------------------------
more info: http://tlug.linux.or.jp                     Sponsor: PHT

Follow-Ups:
- Re: tlug: FTP client buffer overflow [SECURITY]
  - From: Chris Sekiya <chris@example.com>

Prev by Date: Re: tlug: PC-PJ1 modem
Next by Date: Re: tlug: FTP client buffer overflow [SECURITY]
Prev by thread: Re: tlug: PC-PJ1 modem
Next by thread: Re: tlug: FTP client buffer overflow [SECURITY]
Index(es):
- Date
- Thread

Home | Main Index | Thread Index