Wu-ftpd FTP server contains remotely exploitable off-by-one bug
Robert Watson
rwatson at freebsd.org
Thu Jul 31 12:20:25 PDT 2003
On Thu, 31 Jul 2003, John Fox wrote:
> I see in BugTraq that there's yet another problem with Wu-ftpd, but I
> see no mention of it in the freebsd-security mailing list archives...I
> have searched the indexes from all of June and July.
>
> Wu is pretty widely used, so I'm surprised that nobody seems to have
> mentioned this problem in this forum.
>
> The notice on BugTraq mentioned only Linux, not FreeBSD, but that's no
> reason to assume that FreeBSD machines aren't vulnerable, too. Which is
> why I am confused as to the lack of discussion of this matter.
>
> Can anyone shed some light on this?
I can't speak to specifically why there hasn't been an advisory of some
sort for this specific vulnerability, but I can say that the primary
reason why wu-ftpd issues don't get much discussion on FreeBSD lists
compared to Linux lists is that the default FTP server in FreeBSD isn't
wu-ftpd, unlike many Linux distributions. It's considered a third party
software package, which means it will generally be covered in ports
security notices, as opposed to FreeBSD security advisories. In the past,
a number of vulnerabilities in various FTP packages have been associated
with bugs in library code, not in the FTP daemon itself -- for example, at
least one or two cases were associates with the libc glob code. This can
also affect whether a vulnerability applies on all OS's, or just a few.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Network Associates Laboratories
More information about the freebsd-security
mailing list