Wu-ftpd FTP server contains remotely exploitable off-by-one bug

Robert Watson rwatson at freebsd.org
Thu Jul 31 12:20:25 PDT 2003


On Thu, 31 Jul 2003, John Fox wrote:

> I see in BugTraq that there's yet another problem with Wu-ftpd, but I
> see no mention of it in the freebsd-security mailing list archives...I
> have searched the indexes from all of June and July. 
> 
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum. 
> 
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too.  Which is
> why I am confused as to the lack of discussion of this matter. 
> 
> Can anyone shed some light on this? 

I can't speak to specifically why there hasn't been an advisory of some
sort for this specific vulnerability, but I can say that the primary
reason why wu-ftpd issues don't get much discussion on FreeBSD lists
compared to Linux lists is that the default FTP server in FreeBSD isn't
wu-ftpd, unlike many Linux distributions.  It's considered a third party
software package, which means it will generally be covered in ports
security notices, as opposed to FreeBSD security advisories.  In the past,
a number of vulnerabilities in various FTP packages have been associated
with bugs in library code, not in the FTP daemon itself -- for example, at
least one or two cases were associates with the libc glob code.  This can
also affect whether a vulnerability applies on all OS's, or just a few. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Network Associates Laboratories




More information about the freebsd-security mailing list