[LWN Logo]

Date:         Fri, 17 Sep 1999 16:15:11 -0500
From: Tymm Twillman <tymm@COE.MISSOURI.EDU>
Subject:      proftpd 1.2.0pre6 patch
To: BUGTRAQ@SECURITYFOCUS.COM

Before I release the exploit, I'd like to give people a chance to fix
the problem.  Here's the patch.  Note that there are other potential
problems; I've been in contact with MacGyver and a new version fixing
this and other stuff should be out within a few days (at this point I
really have no clue if there are exploits possible for the other issues
that might allow breakins; please keep up to date and upgrade as soon as
the new version is available).

Anyhow, here's the patch:

<cut>
--- proftpd-1.2.0pre6.old/src/main.c	Fri Sep 10 15:49:32 1999
+++ proftpd-1.2.0pre6/src/main.c	Thu Sep 16 01:50:43 1999
@@ -379,7 +379,7 @@
 #if PF_ARGV_TYPE == PF_ARGV_WRITEABLE
   /* We can overwrite individual argv[] arguments.  Semi-nice.
    */
-  snprintf(Argv[0], maxlen, statbuf);
+  snprintf(Argv[0], maxlen, "%s", statbuf);
   p = &Argv[0][i];

   while(p < LastArgv)
</cut>

-- that's it.  Amazing how much these little things matter.

-Tymm