On Thu, Oct 11, 2007 at 01:27:17AM +0200, Nico Golde wrote:
> Package: wzdftpd
> Version: 0.5.2-1.1sarge2
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for wzdftpd.
>
> CVE-2007-5300[0]:
> | Off-by-one error in the do_login_loop function in
> | libwzd-core/wzd_login.c in wzdftpd 0.8.2 and earlier allows remote
> | attackers to cause a denial of service (daemon crash) via a long USER
> | command that triggers a stack-based buffer overflow. NOTE: some of
> | these details are obtained from third party information.
>
> If you fix this vulnerability please also include the CVE id
> in your changelog entry.
>
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5300
>
Hi,
The login system has changed a lot since 0.5.2. At first look, I
believe the exploit will not work for 0.5.2, or not the same way.
The real problem was caused by a memset with a wrong length, which was
introduced in recent versions (which means etch, testing and unstable
are impacted). The sarge version does not have this problem.
The only fixable thing is a possible off-by-one in do_login_loop (patch
attached).
I'm also working on patches for other versions as well (feel free to NMU
if you want).
Regards,
Pierre
--- src/wzd_ClientThread.c.orig 2007-10-12 09:58:25.000000000 +0200
+++ src/wzd_ClientThread.c 2007-10-12 10:02:37.000000000 +0200
@@ -3267,7 +3267,7 @@
while (1) {
/* wait response */
- ret = (context->read_fct)(context->controlfd,buffer,BUFFER_LEN,0,HARD_XFER_TIMEOUT,context);
+ ret = (context->read_fct)(context->controlfd,buffer,BUFFER_LEN-1,0,HARD_XFER_TIMEOUT,context);
if (ret == 0) {
out_err(LEVEL_FLOOD,"Connection closed or timeout (socket %d)\n",context->controlfd);
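Review bot: The change from BUFFER_LEN to BUFFER_LEN-1 is not self-explanatory from the hunk, because the line that writes the terminating NUL after the read is outside the shown context; a short comment on the `ret = (context->read_fct)(...)` line such as `/* leave one byte for the terminating NUL */` would let a later reader see why the read length is one short of the buffer. Note also that the hunk is against src/wzd_ClientThread.c while CVE-2007-5300 names do_login_loop in libwzd-core/wzd_login.c; since the message explains that the login code moved between versions, the changelog entry should say so alongside the CVE id that the bug report asks for.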
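The off-by-one the patch removes, shown as an added example that is not part of wzdftpd or of this thread: a line is read into a fixed buffer and then NUL-terminated at buffer[ret], so a read of BUFFER_LEN bytes puts the terminator one past the end, while a read of BUFFER_LEN-1 leaves room for it. The BUFFER_LEN value, the in-memory stand-in for context->read_fct, and the terminator being written at buffer[ret] are all assumptions of this example, since the hunk does not show that line.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed small value; wzdftpd's real BUFFER_LEN is not given on the page. */
#define BUFFER_LEN 16

/* Stand-in for context->read_fct: copies at most `max` bytes of a constructed
 * in-memory command into buf, the way a socket read bounded by `max` would. */
static int fake_read_fct(const char *src, char *buf, size_t max) {
    size_t n = strlen(src);
    if (n > max) n = max;
    memcpy(buf, src, n);
    return (int)n;
}

/* Read one control-connection line and NUL-terminate it.
 * `read_len` is the length handed to the read function: BUFFER_LEN before the
 * patch, BUFFER_LEN-1 after it. Returns the index where the terminator lands,
 * or -1 when that index is outside the buffer (the write is not performed). */
static int receive_line(const char *src, char *buf, size_t buflen, size_t read_len) {
    int ret = fake_read_fct(src, buf, read_len);
    if (ret < 0) return -1;
    if ((size_t)ret >= buflen) return -1;   /* buf[ret] = '\0' would overflow */
    buf[ret] = '\0';
    return ret;
}

/* Convenience wrappers mirroring the two sides of the hunk. */
int terminator_index_before_fix(const char *src) {
    char buffer[BUFFER_LEN];
    return receive_line(src, buffer, sizeof buffer, BUFFER_LEN);
}

int terminator_index_after_fix(const char *src) {
    char buffer[BUFFER_LEN];
    return receive_line(src, buffer, sizeof buffer, BUFFER_LEN - 1);
}

int main(void) {
    /* Constructed over-long USER command: 32 bytes, longer than the buffer. */
    const char *long_user = "USER AAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("before fix: terminator index %d\n", terminator_index_before_fix(long_user));
    printf("after fix:  terminator index %d\n", terminator_index_after_fix(long_user));
    return 0;
}
```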