Subject: Re: NetBSD Security Advisory 2000-009
To: None <security-officer@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 07/10/2000 14:03:37
From: woods@weird.com (Greg A. Woods)
To: security-officer@netbsd.org
Cc: tech-security@netbsd.org
Subject: Re: NetBSD Security Advisory 2000-009
In-Reply-To: <20000710161641.182C32A43@orchard.arlington.ma.us>
References: <20000710161641.182C32A43@orchard.arlington.ma.us>
Reply-To: woods@planix.com (Greg A. Woods)
Organization: Planix, Inc.; Toronto, Ontario; Canada
Message-Id: <20000710180337.D148AE0@proven.weird.com>
Date: Mon, 10 Jul 2000 14:03:37 -0400 (EDT)

[ On Monday, July 10, 2000 at 12:16:35 (-0400), security-officer@netbsd.org wrote: ]
> Subject: NetBSD Security Advisory 2000-009
>
> This problem affects all versions of NetBSD.  Patches are available
> for the NetBSD-1.4 series of releases.
> 
> If you're running NetBSD 1.4, 1.4.1, or 1.4.2, fetch the following
> patch, apply it to src/libexec/ftpd/ftpd.c using the patch(1) command,
> rebuild and reinstall ftpd, and kill off any existing FTP daemons (to
> ensure that any improperly granted access is revoked).
> 
>     ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000708-ftpd
> 
> If you're running a version of NetBSD-current or the NetBSD 1.5 branch
> from before 2000/07/05, you should update to a newer version of
> NetBSD-current.  Similarly, if you're running a version of
> NetBSD-release (NetBSD 1.4 branch) from before 2000/07/08, you should
> update to a newer version of NetBSD-release.

That's fairly lame, and unnecessary, IMO.

Even worse is the fact that the claim I made on another list about
NetBSD's ftpd being fairly portable seems untrue these days.  It
unfortunately has INET6 support firmly entrenched within it and is now
most definitely not portable, not even backwards to older NetBSD
releases.

You could at least have recommended recompiling without
"-DHASSETPROCTITLE" (though anyone viewing the patch will
probably figure this out in short order).

In any case here's the equivalent patch for 1.3.x:

Index: ftpd.c
===================================================================
RCS file: /cvs/NetBSD-1.3/libexec/ftpd/ftpd.c,v
retrieving revision 1.1.1.2
diff -c -u -r1.1.1.2 ftpd.c
--- ftpd.c	1998/12/24 07:43:14	1.1.1.2
+++ ftpd.c	2000/07/10 17:59:09
@@ -771,7 +771,7 @@
 		    "%s: anonymous/%.*s", remotehost,
 		    (int) (sizeof(proctitle) - sizeof(remotehost) -
 		    sizeof(": anonymous/")), passwd);
-		setproctitle(proctitle);
+		setproctitle("%s", proctitle);
 #endif /* HASSETPROCTITLE */
 		if (logging)
 			syslog(LOG_INFO, "ANONYMOUS FTP LOGIN FROM %s, %s",
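
Review bot: The new setproctitle("%s", proctitle) call in the anonymous-login branch should carry a short comment saying why the literal "%s" is required. The snprintf just above copies passwd, which the client supplies as the anonymous password, into proctitle, so the buffer holds client-controlled text and must never be handed to a printf-style function as the format argument. Without the comment the extra "%s" looks redundant and is an easy target for a later cleanup. The syslog call below it already uses a literal format, so nothing further is needed there.
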
@@ -781,7 +781,7 @@
 #ifdef HASSETPROCTITLE
 		snprintf(proctitle, sizeof(proctitle),
 		    "%s: %s", remotehost, pw->pw_name);
-		setproctitle(proctitle);
+		setproctitle("%s", proctitle);
 #endif /* HASSETPROCTITLE */
 		if (logging)
 			syslog(LOG_INFO, "FTP LOGIN FROM %s as %s",
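
Review bot: The snprintf into proctitle followed by setproctitle("%s", proctitle) in the named-user branch is now a two-step format where one step would do. Since setproctitle takes a format and arguments, the call could be written as setproctitle("%s: %s", remotehost, pw->pw_name), which keeps the format a literal at the call site and removes the intermediate buffer as a place where the bare-buffer call can come back. That only applies if proctitle is not read anywhere else, which these lines do not show; if it is, keep the form in the patch.
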
@@ -1541,7 +1541,7 @@
 		    sizeof(remotehost));
 #ifdef HASSETPROCTITLE
 	snprintf(proctitle, sizeof(proctitle), "%s: connected", remotehost);
-	setproctitle(proctitle);
+	setproctitle("%s", proctitle);
 #endif /* HASSETPROCTITLE */
 
 	if (logging)
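
Review bot: This "connected" site is the third and last call changed, and the patch gives no indication that these three are the only callers in ftpd.c that pass a non-literal first argument. Before committing, search the file for every remaining setproctitle call and confirm each one has a literal format; building with the compiler's format warnings enabled (for GCC, -Wformat together with -Wformat-security) would catch any that slip in later. All three changed calls sit inside #ifdef HASSETPROCTITLE, which is consistent with the message's remark that building without -DHASSETPROCTITLE removes them.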


-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>