Multiple Vendor ftpd setproctitle() Format String Vulnerability

Solution:

OpenBSD ftpd:
A patch is available at http://www.openbsd.org/errata.html#ftpd

ProFTPD:
Upgrade to ProFTPD 1.2.0 when it is available.

Manual patch:
Replace the call to setproctitle() in the set_proc_title() function so that the buffer is passed as an argument to a constant format string rather than used as the format string itself.
Replace:
setproctitle(statbuf);
with
setproctitle("%s", statbuf);
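The following is an added illustration of the fix above, not code from the advisory or from any of the ftpd projects it covers. fake_setproctitle() is a constructed stand-in for setproctitle(3) that formats into a static buffer, the "ftpd: user@host" title layout is assumed, and count_directives() is a hypothetical helper that shows how many conversion directives a format-string call would interpret in a given string. The point of the example is that with the "%s" form, user-supplied data containing percent signs reaches the process title verbatim instead of being interpreted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for setproctitle(3) (not the libc or ftpd routine):
 * it formats its arguments into a fixed buffer the way the real call does,
 * so the calling convention can be exercised in one self-contained file. */
static char proc_title[128];

static void fake_setproctitle(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(proc_title, sizeof proc_title, fmt, ap);
    va_end(ap);
}

/* Hypothetical helper: count printf conversion directives in a string.
 * A "%%" escape is a literal percent sign, not a directive. Any count
 * above zero in data that is about to be used as a format string means
 * the data would be interpreted rather than copied. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Fixed pattern from the advisory: statbuf, which carries user-supplied
 * data such as the login name, is handed to a constant "%s" format as an
 * argument, so whatever it contains is copied literally into the title. */
const char *set_proc_title_fixed(const char *user, const char *host)
{
    char statbuf[128];

    /* The only format string is the constant one here; user and host
     * are arguments. snprintf() truncates and NUL-terminates on overflow. */
    snprintf(statbuf, sizeof statbuf, "ftpd: %s@%s", user, host);

    /* Vulnerable form described by the advisory, deliberately not called:
     *     setproctitle(statbuf);
     * Corrected form: */
    fake_setproctitle("%s", statbuf);
    return proc_title;
}

int main(void)
{
    /* Constructed sample: a login name that happens to contain directives. */
    const char *title = set_proc_title_fixed("%x%s", "client.example");
    printf("process title: %s\n", title);
    printf("directives the vulnerable call would have interpreted: %d\n",
           count_directives(title));
    return 0;
}
```

Running the program shows the title "ftpd: %x%s@client.example" with both percent sequences intact; the same string passed straight to setproctitle() as the format would have been interpreted, which is the defect the patch removes.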

wu-ftpd - upgrade to version 2.6.1:
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.gz.asc
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-2.6.1.tar.Z.asc

SuSE Linux - updates are available.
http://suse.de/de/support/security/suse_security_announce_571.txt

Debian:
This problem has been corrected in netstd 3.07-7slink.4 for Debian 2.1 (slink) and in ftpd 0.11-8potato.1 for Debian 2.2 (potato). We recommend upgrading your ftpd immediately.

Fixed in: Debian 2.1 (slink):
Source:
http://security.debian.org/dists/slink/updates/source/netstd_3.07-7slink.4.diff.gz
http://security.debian.org/dists/slink/updates/source/netstd_3.07-7slink.4.dsc
http://security.debian.org/dists/slink/updates/source/netstd_3.07.orig.tar.gz
alpha:
http://security.debian.org/dists/slink/updates/binary-alpha/netstd_3.07-7slink.4_alpha.deb
i386:
http://security.debian.org/dists/slink/updates/binary-i386/netstd_3.07-7slink.4_i386.deb
m68k:
http://security.debian.org/dists/slink/updates/binary-m68k/netstd_3.07-7slink.4_m68k.deb
sparc:
http://security.debian.org/dists/slink/updates/binary-sparc/netstd_3.07-7slink.4_sparc.deb
Debian 2.2 (potato):
Source:
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11-8potato.1.diff.gz
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11-8potato.1.dsc
http://security.debian.org/dists/potato/updates/main/source/linux-ftpd_0.11.orig.tar.gz
arm:
http://security.debian.org/dists/potato/updates/main/binary-arm/ftpd_0.11-8potato.1_arm.deb
i386:
http://security.debian.org/dists/potato/updates/main/binary-i386/ftpd_0.11-8potato.1_i386.deb
sparc:
http://security.debian.org/dists/potato/updates/main/binary-sparc/ftpd_0.11-8potato.1_sparc.deb


ProFTPD Project ProFTPD 1.2 pre1
ProFTPD Project ProFTPD 1.2 pre2
ProFTPD Project ProFTPD 1.2 pre3
ProFTPD Project ProFTPD 1.2 pre4
ProFTPD Project ProFTPD 1.2 pre5
ProFTPD Project ProFTPD 1.2 pre6
ProFTPD Project ProFTPD 1.2 pre7
ProFTPD Project ProFTPD 1.2 pre8
ProFTPD Project ProFTPD 1.2 pre9
ProFTPD Project ProFTPD 1.2 pre10
opieftpd ftp 1.3
HP HP-UX 10.10
HP HP-UX 10.20
HP HP-UX 11.0

Copyright 2010, SecurityFocus