Bugtraq mailing list archives
Re: ftpd and setproctitle()
From: nic () BELLAMY CO NZ (Nic Bellamy)
Date: Sat, 8 Jul 2000 14:42:45 +1200
On Fri, 7 Jul 2000, Roger Espel Llima wrote:
> Theo de Raadt wrote:
> > Well, while everyone is talking about setproctitle affecting wuftpd, I should probably note that it even affects the OpenBSD ftpd. In fact, looking around, it looks like it might affect everyone's ftpd.
>
> Curiously enough, this bug didn't affect the Linux port of the OpenBSD ftpd (http://freshmeat.net/appindex/1999/10/09/939509389.html), because it doesn't #define HASSETPROCTITLE.

There's actually more than one Linux port of the OpenBSD ftpd - for instance the one included in Debian's netstd (from 2.1/Slink) and ftpd (from 2.2/Potato) packages.

The Slink package *is* vulnerable to this, the Potato version probably is (according to the source) but I have not been able to check as yet. The port they use does define a printf-like setproctitle() function, and #defines HASSETPROCTITLE.

I mailed the Debian security people about this yesterday, with patches.

Regards,
Nic.

--
Nic Bellamy <nic () bellamy co nz>
Director, Bellamy Consulting Ltd.
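
Added example, not part of the original post and not taken from any ftpd source: a printf-like setproctitle() interprets its first argument as a format string, so client-supplied text must only ever be passed as an argument to a literal format. The names demo_setproctitle, title_for_command, has_format_directive and the host name are hypothetical, and the sample command is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-like setproctitle(): it formats into a
 * buffer instead of rewriting the process title, so the result is visible. */
static char proc_title[128];

static void demo_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proc_title, sizeof proc_title, fmt, ap);
    va_end(ap);
}

/* Correct pattern: the format is a literal; client data is only an argument,
 * so any '%' it contains is copied verbatim and never interpreted. */
const char *title_for_command(const char *remotehost, const char *client_cmd)
{
    demo_setproctitle("%s: %s", remotehost, client_cmd);
    return proc_title;
}

/* Audit helper: returns 1 if s contains a '%' that is not part of "%%",
 * i.e. it would be interpreted if the string were ever used as the format. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;               /* includes a lone trailing '%' */
    }
    return 0;
}

int main(void)
{
    const char *cmd = "USER %x%x";   /* constructed sample input */
    /* The broken pattern is demo_setproctitle(cmd): data used as format. */
    printf("directive present: %d\n", has_format_directive(cmd));
    printf("title: %s\n", title_for_command("client.example", cmd));
    return 0;
}
```

When auditing a port that #defines HASSETPROCTITLE, the call sites to look at are those whose first argument to setproctitle() is a variable rather than a string literal.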