Debian Bug report logs - #78786
bsd-ftpd possibly vulnerable to off-by-one


Package: bsd-ftpd; Maintainer for bsd-ftpd is (unknown);

Reported by: Jeff Bachtel <jeffb@isc.tamu.edu>

Date: Mon, 4 Dec 2000 19:18:01 UTC

Severity: normal

Fixed in version bsd-ftpd/0.3.2-7

Done: Michael Vogt <mvogt@acm.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Michael Vogt <mvo@debian.org>:
Bug#78786; Package bsd-ftpd. Full text and rfc822 format available.

Acknowledgement sent to Jeff Bachtel <jeffb@isc.tamu.edu>:
New Bug report received and forwarded. Copy sent to Michael Vogt <mvo@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jeff Bachtel <jeffb@isc.tamu.edu>
To: submit@bugs.debian.org
Subject: bsd-ftpd possibly vulnerable to off-by-one
Date: Mon, 4 Dec 2000 13:07:23 -0600
Package: bsd-ftpd

bsd-ftpd's upstream (supposedly OpenBSD) has just been made aware of
(and patched) an off-by-one error in the replydirname function in
ftpd.c

The exact patch is available at:
http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c?r1=1.83&r2=1.84

I do not represent OpenBSD in any way, I merely noticed you maintain a
separate port of BSD ftpd.

Regards,
jeff

-- 
Jeff Bachtel | http://www.isc.tamu.edu/~jeffb
Systems Administrator, Institute for Scientific Computing, TAMU
* Disclaimer: My employer doesn't even agree with me about C
* indentation style.
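An added illustration of the bug class the report names, not the OpenBSD or Debian code: a replydirname-style loop copies a pathname into a fixed buffer while doubling each '"' for the 257 reply, and checking the bound once per input byte lets a quote on the last free slot push the terminating NUL one byte past the end. The loop shape, function names and the 4-byte "declared" capacity are assumptions for the demonstration; the hardened copier counts a quote as two bytes before writing.

```c
#include <stddef.h>
#include <string.h>

/* Loop of the shape behind this off-by-one (assumed reconstruction, not
 * the upstream code): one bound check per input byte, but '"' emits two
 * bytes, so a quote in the last free slot pushes the NUL past the buffer. */
void quote_dirname_buggy(char *dst, size_t dstsize, const char *name)
{
    size_t i;
    for (i = 0; *name != '\0' && i < dstsize - 1; i++, name++) {
        dst[i] = *name;
        if (*name == '"')
            dst[++i] = '"';
    }
    dst[i] = '\0';
}

/* Hardened form: checks room before each unit (a '"' counts as two bytes)
 * and always reserves one byte for the NUL. Returns 0, or -1 with dst
 * truncated but terminated when the quoted form does not fit. */
int quote_dirname(char *dst, size_t dstsize, const char *name)
{
    size_t i = 0;
    if (dstsize == 0) return -1;
    for (; *name != '\0'; name++) {
        size_t need = (*name == '"') ? 2 : 1;
        if (i + need > dstsize - 1)   /* keep one byte for the NUL */
            break;
        dst[i++] = *name;
        if (need == 2)
            dst[i++] = '"';
    }
    dst[i] = '\0';
    return *name == '\0' ? 0 : -1;    /* -1: truncated, still terminated */
}

/* Runs both copiers with a declared size (4) smaller than the real array, so
 * the stray write hits a canary byte inside the array, not unowned memory. */
int demo_off_by_one(void)
{
    char buf[8];                 /* canary bytes at [4..7] */
    const char *name = "ab\"";   /* constructed: the quote is the last byte */
    memset(buf, 'X', sizeof buf);
    quote_dirname_buggy(buf, 4, name);
    int buggy_overran = (buf[4] == '\0');
    memset(buf, 'X', sizeof buf);
    int fixed_clean = (quote_dirname(buf, 4, name) == -1 && buf[4] == 'X'
                       && strcmp(buf, "ab") == 0);
    return buggy_overran && fixed_clean;
}
```

demo_off_by_one() returns 1 only when the buggy copier overwrote the canary and the hardened one truncated cleanly instead.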



Reply sent to mvo@debian.org:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Jeff Bachtel <jeffb@isc.tamu.edu>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 78786-done@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvogt@acm.org>
To: Jeff Bachtel <jeffb@isc.tamu.edu>, 78786-done@bugs.debian.org
Subject: Re: Bug#78786: bsd-ftpd possibly vulnerable to off-by-one
Date: Mon, 4 Dec 2000 23:17:41 +0100
On Mon, Dec 04, 2000 at 01:07:23PM -0600, Jeff Bachtel wrote:
> Package: bsd-ftpd
> 
> bsd-ftpd's upstream (supposedly OpenBSD) has just been made aware of
> (and patched) an off-by-one error in the replydirname function in
> ftpd.c
> 
> The exact patch is available at:
> http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c?r1=1.83&r2=1.84
> 
> I do not represent OpenBSD in any way, I merely noticed you maintain a
> separate port of BSD ftpd.
Thanks a lot for this bug report. I just uploaded a package that contains the
diff (version 0.3.2-7).


> Regards,
> jeff
thanks!
 Michael

-- 
GPG Fingerprint = EA71 B296 4597 4D8B 343E  821E 9624 83E1 5662 C734
People get the OS they deserve.



Message #11 received at 78786-close@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvo@debian.org>
To: 78786-close@bugs.debian.org
Subject: Bug#78786: fixed in bsd-ftpd 0.3.2-7
Date: Tue, 05 Dec 2000 14:52:59 -0500
We believe that the bug you reported is fixed in the latest version of
bsd-ftpd, which has been installed in the Debian FTP archive:
bsd-ftpd_0.3.2-7.dsc
  to dists/woody/main/source/net/bsd-ftpd_0.3.2-7.dsc
  replacing bsd-ftpd_0.3.2-6.dsc
bsd-ftpd_0.3.2-7_i386.deb
  to dists/woody/main/binary-i386/net/bsd-ftpd_0.3.2-7.deb
  replacing bsd-ftpd_0.3.2-6.deb
bsd-ftpd_0.3.2-7.diff.gz
  to dists/woody/main/source/net/bsd-ftpd_0.3.2-7.diff.gz
  replacing bsd-ftpd_0.3.2-6.diff.gz

Note that this package is not part of the released stable Debian
distribution.  It may have dependencies on other unreleased software,
or other instabilities.  Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 78786@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated bsd-ftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Mon, 04 Dec 2000 22:44:33 +0100
Source: bsd-ftpd
Binary: bsd-ftpd
Architecture: source i386
Version: 0.3.2-7
Distribution: unstable
Urgency: high
Maintainer: Michael Vogt <mvo@debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 bsd-ftpd   - Port of the OpenBSD FTP server
Closes: 78786
Changes: 
 bsd-ftpd (0.3.2-7) unstable; urgency=high
 .
   * closes: #78786 (thanks to Jeff Bachtel)
   * closes possible security bug in upstream OpenBSD ftpd
     (see http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c?r1=1.83&r2=1.84
      for the patch)
Files: 
 4099b15fbc7e32c2f270ba3ecc402ee5 620 net extra bsd-ftpd_0.3.2-7.dsc
 3e661844c38e5bae8cb018df7edbebdb 5835 net extra bsd-ftpd_0.3.2-7.diff.gz
 99776efe0572ba75c8385a119913a215 46886 net extra bsd-ftpd_0.3.2-7_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Michael Vogt <mvo@debian.org>:
Bug#78786; Package bsd-ftpd. Full text and rfc822 format available.

Acknowledgement sent to Wichert Akkerman <wichert@valinux.com>:
Extra info received and forwarded to list. Copy sent to Michael Vogt <mvo@debian.org>. Full text and rfc822 format available.

Message #16 received at 78786@bugs.debian.org (full text, mbox):

From: Wichert Akkerman <wichert@valinux.com>
To: Jeff Bachtel <jeffb@isc.tamu.edu>, 78786@bugs.debian.org
Subject: Re: Bug#78786: bsd-ftpd possibly vulnerable to off-by-one
Date: Fri, 8 Dec 2000 12:35:53 +0100
Previously Jeff Bachtel wrote:
> bsd-ftpd's upstream (supposedly OpenBSD) has just been made aware of
> (and patched) an off-by-one error in the replydirname function in
> ftpd.c

Amusingly enough linux-ftpd is also the OpenBSD ftpd with PAM support
added, and includes this fix now.

Wichert.

-- 
  _________________________________________________________________
 /       Nothing is fool-proof to a sufficiently talented fool     \
| wichert@cistron.nl                  http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Information forwarded to debian-bugs-dist@lists.debian.org, Michael Vogt <mvo@debian.org>:
Bug#78786; Package bsd-ftpd. Full text and rfc822 format available.

Acknowledgement sent to mvo@debian.org:
Extra info received and forwarded to list. Copy sent to Michael Vogt <mvo@debian.org>. Full text and rfc822 format available.

Message #21 received at 78786@bugs.debian.org (full text, mbox):

From: Michael Vogt <mvogt@acm.org>
To: Wichert Akkerman <wichert@valinux.com>, 78786@bugs.debian.org
Subject: Re: Bug#78786: bsd-ftpd possibly vulnerable to off-by-one
Date: Fri, 8 Dec 2000 14:07:37 +0100
On Fri, Dec 08, 2000 at 12:35:53PM +0100, Wichert Akkerman wrote:
> Previously Jeff Bachtel wrote:
> > bsd-ftpd's upstream (supposedly OpenBSD) has just been made aware of
> > (and patched) an off-by-one error in the replydirname function in
> > ftpd.c
> Amusingly enough linux-ftpd is also the OpenBSD ftpd with PAM support
> added, and includes this fix now.
I added the fix in version 0.3.2-7 (which is the current version in woody).
linux-ftpd and bsd-ftpd are different ports with different advantages and
disadvantages.

> Wichert.
Michael


-- 
GPG Fingerprint = EA71 B296 4597 4D8B 343E  821E 9624 83E1 5662 C734
People get the OS they deserve.





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:24:18 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.