SuSE: 'wuftpd' Remote buffer overflow vulnerability

    Date: 29 Nov 2001
    Category: SuSE
    Posted By: LinuxSecurity Advisories
    Due to a missing \0 at the end of the buffer, a later call to a function that frees allocated memory will feed free(3) with user-defined data. This bug could be exploited depending on the implementation of the dynamic memory allocation API (malloc(3), free(3)) in the libc library.
    
    ______________________________________________________________________________
    
                            SuSE Security Announcement
    
            Package:                wuftpd
            Announcement-ID:        SuSE-SA:2001:043
            Date:                   Wednesday, Nov. 28th, 2001 23:45 MET
            Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
            Vulnerability Type:     remote root compromise
            Severity (1-10):        7
            SuSE default package:   no
            Other affected systems: all Linux-like systems using wu-ftpd 2.4.x /
                                    2.6.0 / 2.6.1
    
            Content of this advisory:
            1) security vulnerability resolved: wuftpd
               problem description, discussion, solution and upgrade information
            2) pending vulnerabilities, solutions, workarounds
            3) standard appendix (further information)
    
    ______________________________________________________________________________
    
    1)  problem description, brief discussion, solution, upgrade information
    
        The wuftpd package as shipped with SuSE Linux distributions comes with
        two versions of wuftpd: wuftpd-2.4.2, installed as /usr/sbin/wuftpd,
        and wuftpd-2.6.0, installed as /usr/sbin/wuftpd-2.6.
        The admin decides which version to use by the inetd/xinetd
        configuration.
    
        The CORE ST Team has found an exploitable bug in all versions of wuftpd's
        ftpglob() function.
        The glob function overwrites buffer bounds while matching open and closed
        brackets. Due to a missing \0 at the end of the buffer, a later call to a
        function that frees allocated memory will feed free(3) with user-defined
        data. This bug could be exploited depending on the implementation of
        the dynamic memory allocation API (malloc(3), free(3)) in the libc
        library. Linux and other systems are exploitable!
    
        Some weeks ago, an internal source code audit of wu-ftpd 2.6.0 performed
        by Thomas Biege, SuSE Security, revealed some other security-related bugs
        that are fixed in the new RPM packages. Additionally, code from wu-ftpd
        2.6.1 was backported to version 2.6.0 to make it more stable.
    
        A temporary fix other than using a different server implementation of
        the ftp protocol is not available. We recommend updating the wuftpd
        package on your system.
    
        We thank the wuftpd team for their work on the bug, particularly because
        the coordination between the vendors and the wuftpd developers lacked
        the necessary discipline for the timely release of the information
        about the problem.
    
        Please download the update package for your distribution and verify its
        integrity by the methods listed in section 3) of this announcement.
        Then, install the package using the command "rpm -Uhv file.rpm" to apply
        the update.
    
    
        i386 Intel Platform:
    
        SuSE-7.3
         ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/wuftpd-2.6.0-344.i386.rpm
          d1b549b8c2d91d66a8b35fe17a1943b3
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/wuftpd-2.6.0-344.src.rpm
          9ef0e6ac850499dc0150939c62bc146f
    
        SuSE-7.2
         ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/wuftpd-2.6.0-344.i386.rpm
          4583443a993107b26529331fb1e6254d
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/wuftpd-2.6.0-344.src.rpm
          aaee0343670feae70ccc9217a8e22211
    
        SuSE-7.1
         ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/wuftpd-2.6.0-346.i386.rpm
          347a030a85cb5fcbe32d3d79d382e19e
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/wuftpd-2.6.0-346.src.rpm
          aa3e53641f6ce0263196e6f1cb0447c3
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/wuftpd-2.6.0-344.i386.rpm
          e34eec18ecc10f187f6aa1aa3b24b75b
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/wuftpd-2.6.0-344.src.rpm
          fafc8c2bbd68dd5ca3d04228433c359a
    
        SuSE-6.4
         ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/wuftpd-2.6.0-344.i386.rpm
          2354abe95b056762c7f6584449291ff2
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/wuftpd-2.6.0-344.src.rpm
          507b8d484b13737c9d2b6a68fda0cc26
    
        SuSE-6.3
         ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/wuftpd-2.6.0-347.i386.rpm
          9851ad02e656bba8b5e02ed2ddb46845
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/wuftpd-2.6.0-347.src.rpm
          5d7c4b6824836ca28b228cc5dcfc4fd6
    
    
    
        Sparc Platform:
    
        SuSE-7.3
         ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/wuftpd-2.6.0-240.sparc.rpm
          2d19e4ead17396a1e28fca8745f9629d
        source rpm:
         ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/wuftpd-2.6.0-240.src.rpm
          bdb0b5ddd72f8563db3c8e444a0df7f5
    
        SuSE-7.1
         ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n2/wuftpd-2.6.0-242.sparc.rpm
          f6b04f284bece6bf3700facccc015ffe
        source rpm:
         ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/wuftpd-2.6.0-242.src.rpm
          1660547ac9a5a3b32a4070d69803cf18
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/wuftpd-2.6.0-241.sparc.rpm
          1bd905b095b9a4bb354fc190b6e54a01
        source rpm:
         ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/wuftpd-2.6.0-241.src.rpm
          597263eb7d0fbbf242d519d3c126a441
    
    
    
        AXP Alpha Platform:
    
        SuSE-7.1
         ftp://ftp.suse.com/pub/suse/axp/update/7.1/n2/wuftpd-2.6.0-252.alpha.rpm
          e608bfd2cc9e511c6eb6932c33c68789
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/wuftpd-2.6.0-252.src.rpm
          34915af1ca79b27bad8bc2fd3a5cab05
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/wuftpd-2.6.0-251.alpha.rpm
          86a7d8f60d76a053873bcc13860b0bbb
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/wuftpd-2.6.0-251.src.rpm
          9674f9f1630b3107ac22d275705da76e
    
        SuSE-6.4
         ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/wuftpd-2.6.0-251.alpha.rpm
          2501444a1e4241e8f6f4cdcc6fd133b0
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/wuftpd-2.6.0-251.src.rpm
          34812d943900bdb902ad7edd40e1943f
    
        SuSE-6.3
         ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/wuftpd-2.6.0-250.alpha.rpm
          429a49ef9d4d0865fbb443c212b8a8c7
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/wuftpd-2.6.0-250.src.rpm
          76467dae0f460677ba80ec907eefca28
    
    
    
        PPC Power PC Platform:
    
        SuSE-7.3
         ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/wuftpd-2.6.0-277.ppc.rpm
          a381269b3e2fc43fda59e4d08aef57ae
        source rpm:
         ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/wuftpd-2.6.0-277.src.rpm
          7cacb696a88e57a843402a796212aee6
    
        SuSE-7.1
         ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n2/wuftpd-2.6.0-277.ppc.rpm
          bfc39be2c09323d96f974fdd0c73fda1
        source rpm:
         ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/wuftpd-2.6.0-277.src.rpm
          e2681b2ed4801ce14b5dfb926480ac51
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/wuftpd-2.6.0-279.ppc.rpm
          19f989e637fd9b6fa652f8a4014bb7b1
        source rpm:
         ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/wuftpd-2.6.0-279.src.rpm
          76c493a915691c51a2481f0925e8ce39
    
        SuSE-6.4
         ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/wuftpd-2.6.0-278.ppc.rpm
          ad29cf172bbd03a5e1f301cf6b9404e5
        source rpm:
         ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/wuftpd-2.6.0-278.src.rpm
          82338702692eba599d8c3d242aff3d1a
    
    
    
    ______________________________________________________________________________
    
    2)  Pending vulnerabilities in SuSE Distributions and Workarounds:
    
        - ssh/openssh exploits
          The wrong fix for the crc32-compensation attack is currently actively
          exploited on the Internet for both the ssh and the openssh
          implementation of the ssh-1 protocol.
          We urge our users to upgrade their ssh or openssh packages to the
          latest versions that are located on our ftp server at the usual
          directories, referred to via
           http://www.suse.de/de/support/security/adv004_ssh.txt from February
          earlier this year.
          Please note, the packages for the SuSE Linux distributions 7.0 and
          older containing cryptographic code are located on the German ftp
          server ftp.suse.de, the distributions 7.1 and newer have their crypto
          updates on ftp.suse.com. There are legal constraints beyond our
          control that lead to this situation.
          Openssh packages of the version 2.9.9p2 are ready to download on the
          ftp server ftp.suse.com. They fix the security problems mentioned
          above, along with a set of less serious security problems.
          The announcement is still pending while investigations about the
          status of the package are in progress.
    
    
    
        - libgtop_daemon
          The libgtop_daemon, part of the libgtop package for gathering and
          monitoring process and system information, has been found vulnerable
          to a format string error. We are in the process of providing fixes for
          the affected distributions 6.4-7.3. In the meantime, we recommend
          disabling the libgtop_daemon on systems where it is running. This daemon
          is neither installed nor started (if installed) by default on SuSE
          Systems.
    
    
        - kernel updates
          A bug in the ELF loader of the Linux kernels version 2.4 from our
          announcement SSA:2001:036 can cause a system to crash if a user
          executes a vmlinux kernel image. We are preparing another update
          series to work around this problem and will re-issue the kernel
          announcement as soon as possible.
    
    
    ______________________________________________________________________________
    
    3)  standard appendix:
    
        SuSE runs two security mailing lists to which any interested party may
        subscribe:
    
        [list address not preserved]
            -   general/linux/SuSE security discussion.
                All SuSE security announcements are sent to this list.
                To subscribe, send an email to
                    <[address not preserved]>.

        [list address not preserved]
            -   SuSE's announce-only mailing list.
                Only SuSE's security announcements are sent to this list.
                To subscribe, send an email to
                    <[address not preserved]>.

        For general information or the frequently asked questions (faq)
        send mail to:
            <[address not preserved]> or
            <[address not preserved]> respectively.

        ===============================================
        SuSE's security contact is <[address not preserved]>.
        ===============================================
        ===============================================
    
    ______________________________________________________________________________
    
        The information in this advisory may be distributed or reproduced,
        provided that the advisory is not modified in any way.
        SuSE GmbH makes no warranties of any kind whatsoever with respect
        to the information contained in this security advisory.
    
    
    
    
    