A friend of mine emailed me this glob.c patch for the recent wu-ftpd exploit. I don't understand how the exploit works, but I am sure someone will tell me if this patch guards against it. The only other patch out there seems to be the Dead Rat src rpm, so I'll post what I found. I also used the patch to build Debian packages, so if you are running Debian, you can use my Debian packages. Use them at your own risk though. I don't have extended experience at building Debian packages, and basically I took the source from the previous package, upped the rev on the changelog, and did a
$ fakeroot debian/rules binary

and voila, I had new deb packages. You can get those at: ftp://brie.com/pub/debian/potato

Below is the patch a friend emailed me.

brian

Generic patch against globc.c for:
Subject: Wu-Ftpd File Globbing Heap Corruption Vulnerability

-- SNIP --
--- glob.c.orig Sat Jul 1 14:17:39 2000 +++ glob.c Wed Nov 28 00:43:38 2001 @@ -298,7 +298,7 @@ for (lm = restbuf; *p != '{'; *lm++ = *p++) continue; - for (pe = ++p; *pe; pe++) + for (pe = ++p; *pe; pe++) { switch (*pe) { case '{': @@ -314,11 +314,19 @@ case '[': for (pe++; *pe && *pe != ']'; pe++) continue; + if (!*pe) { + globerr = "Missing ]"; + return (0); + } continue; } + } pend: - brclev = 0; - for (pl = pm = p; pm <= pe; pm++) + if (brclev || !*pe) { + globerr = "Missing }"; + return (0); + } + for (pl = pm = p; pm <= pe; pm++) { switch (*pm & (QUOTE | TRIM)) { case '{': @@ -352,19 +360,18 @@ return (1); sort(); pl = pm + 1; - if (brclev) - return (0); continue; case '[': for (pm++; *pm && *pm != ']'; pm++) continue; - if (!*pm) - pm--; + if (!*pm) { + globerr = "Missing ]"; + return (0); + } continue; } - if (brclev) - goto doit; + } return (0); } @@ -416,11 +423,10 @@ else if (scc == (lc = cc)) ok++; } - if (cc == 0) - if (ok) - p--; - else - return 0; + if (cc == 0) { + globerr = "Missing ]"; + return (0); + } continue; case '*':

-- Brian Lavender http://www.brie.com/brian/
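Review bot: the two new error exits in the @@ -314,11 +314,19 @@ hunk (`globerr = "Missing ]"` inside `case '['` and `globerr = "Missing }"` at `pend:`) both `return (0)`, which is also the value the function returns on its ordinary fall-through at the end of the following hunk, so a malformed pattern can only be told apart by testing globerr. Please confirm that every caller inspects globerr after a 0 return, and add a short comment at `pend:` explaining that `!*pe` means the scan loop reached the terminating NUL without finding the closing brace, since this check replaces the old `brclev = 0` reset.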
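Review bot: at the end of the @@ -352,19 +360,18 @@ hunk the line `goto doit;` is removed, so check whether the `doit` label still has any remaining user and delete it if it does not, rather than leaving an unused label behind. In the same hunk, the new `if (!*pm)` test under `case '['` appears to repeat the check the first scan already makes before `pend:`; keeping it as a second guard is reasonable, but a one-line comment saying it is deliberate would stop someone from removing it later. The string "Missing ]" now appears in three places in the patch and could be a single shared constant.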
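Review bot: the @@ -416,11 +423,10 @@ hunk changes matching behaviour and the patch does not say so. The old code treated `cc == 0` with `ok` set as acceptable (`p--` and carry on) and only returned 0 otherwise; the new code sets globerr to "Missing ]" and returns 0 in both cases, so a pattern ending inside an unterminated `[` that used to match is now rejected. That is the stricter and easier-to-reason-about choice, and it also removes the dangling `if`/`if`/`else`, but it should be stated in the changelog entry, and a regression test with a pattern that ends inside `[` would pin the new behaviour down.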