[LWN Logo]
[Timeline]
Date:         Fri, 23 Jun 2000 18:29:00 -0400
From: bugzilla@REDHAT.COM
Subject:      [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed
To: BUGTRAQ@SECURITYFOCUS.COM

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          remote root exploit (SITE EXEC) fixed
Advisory ID:       RHSA-2000:039-02
Issue date:        2000-06-23
Updated on:        2000-06-23
Product:           Red Hat Linux
Keywords:          wu-ftpd, root exploit, site exec, buffer overrun
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

A security bug in wu-ftpd can permit remote users, even without
an account, to gain root access.
The new version closes the hole.

2. Relevant releases/architectures:

Red Hat Linux 5.2 - i386 alpha sparc
Red Hat Linux 6.2 - i386 alpha sparc

3. Problem description:

An exploitable buffer overrun existed in wu-ftpd code's status update code.
Fixed by adding bounds checking by passing the status strings through %s.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

N/A

6. RPMs required:

Red Hat Linux 5.2:

i386:
ftp://updates.redhat.com/5.2/i386/wu-ftpd-2.6.0-2.5.x.i386.rpm

alpha:
ftp://updates.redhat.com/5.2/alpha/wu-ftpd-2.6.0-2.5.x.alpha.rpm

sparc:
ftp://updates.redhat.com/5.2/sparc/wu-ftpd-2.6.0-2.5.x.sparc.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/wu-ftpd-2.6.0-2.5.x.src.rpm

Red Hat Linux 6.2:

i386:
ftp://updates.redhat.com/6.2/i386/wu-ftpd-2.6.0-14.6x.i386.rpm

alpha:
ftp://updates.redhat.com/6.2/alpha/wu-ftpd-2.6.0-14.6x.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/wu-ftpd-2.6.0-14.6x.sparc.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/wu-ftpd-2.6.0-14.6x.src.rpm

7. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
e1f3b09d8ad0067fa7fd22e7afe77e64  5.2/SRPMS/wu-ftpd-2.6.0-2.5.x.src.rpm
7c2f89b3f8533ec54a36c5dde5995ce6  5.2/alpha/wu-ftpd-2.6.0-2.5.x.alpha.rpm
8dbd0b0f1fa1d0755393942cb4cb141d  5.2/i386/wu-ftpd-2.6.0-2.5.x.i386.rpm
5d9df2512a15e5c8914f398d980b12e7  5.2/sparc/wu-ftpd-2.6.0-2.5.x.sparc.rpm
67349a75b767585628912b840e52806e  6.2/SRPMS/wu-ftpd-2.6.0-14.6x.src.rpm
fafe870fc91762dd7e9182df3b4dfee5  6.2/alpha/wu-ftpd-2.6.0-14.6x.alpha.rpm
50c11f333641277ab75e6207bffb13b4  6.2/i386/wu-ftpd-2.6.0-14.6x.i386.rpm
8abba6ffa660d1c221581855630ed40d  6.2/sparc/wu-ftpd-2.6.0-14.6x.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
    rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg <filename>

8. References:

N/A