Date: Thu, 14 Aug 1997 18:37:21 -0500 (CDT)
From: wu-ftpd-bugs@academ.com (Stan Barber)
To: wu-ftpd@wugate.wustl.edu
Subject: Academ version of wu-ftpd 2.4 Release 2 Beta 14 available for testing

BETA 14 is now available. It has been tested on the following systems: Solaris 2.4 Sparc and x86, Solaris 2.5.1 x86, SunOS 4.1.4, Unixware 2.1, FreeBSD 2.2.2-RELEASE, BSD/OS 1.1, BSD/OS 2.1, BSD/OS 3.0, SCO Open Server 5, Linux 1.3.39 and 2.0.X.

I would like to hear from folks with access to HP-UX, Digital Unix, IRIX and AIX in particular. Please send mail to the wu-ftpd-bugs@academ.com address.

If hardware companies wish to donate equipment running their proprietary UNIX derivatives to me for doing maintenance work on this and the other packages I maintain (NNTP, RN, etc), please contact me directly to discuss.

If software companies that sell UNIX derivatives to which I don't have access wish to donate copies of their UNIX derivative to me for the purposes of doing maintenance work on this and the other packages I maintain, please contact me directly to discuss.

Finally, my thanks to Ian Willis with SCO for his assistance in reviewing pre-releases of this software.

This is another release candidate.

The location is: ftp://ftp.academ.com/pub/wu-ftpd/private/wu-ftpd-2.4.2-beta-14.tar.Z

NOTE: This directory is protected. Attempts to use a directory listing command will fail.

You can also check http://www.academ.com/academ/wu-ftpd for more information.

-0-FIXES IN THIS RELEASE-0-
-----------------------------------------------------------------------------
I edited the INSTALL, README and NOTES documents in an attempt to make them clearer. I had a number of questions about "-a" and /etc/inetd.conf. People evidently don't read the README file very closely, so now I have put this information in more places than just the NOTES file. Hopefully that will stop most of these types of questions.
-----------------------------------------------------------------------------
Mark Galbraith noted a Y2K compliance problem in ftpcmd.y where the year would always be printed as 19XX. This is now fixed. Unfortunately, it appears that no one opened a ticket on this one that I can find. This came from the mailing list. I believe that wu-ftpd is as Y2K compliant as it can be with this fix.
-----------------------------------------------------------------------------
Ticket 125 from Marc Slemko points up a problem with the dependencies on vers.c that are not uniform in all makefiles and can cause problems with certain versions of make. This is now resolved. All makefiles for all operating systems supported in this distribution now have an explicit dependency that should cause newvers.sh to be run if yacc was successful in building ftpcmd.c from ftpcmd.y. It will also properly stop attempting to compile anything (other than ckconfig) until this problem is fixed by the user. This can usually be done by being sure yacc is installed and in the user's PATH.
-----------------------------------------------------------------------------
Ticket 164 from Ian Willis points up a bug in the SITE CHMOD command that would cause the server to send two replies in some cases. This could confuse some FTP clients (and is a violation of protocol anyway). This should have been in beta-13, but I missed it somehow. It is in beta-14.
-----------------------------------------------------------------------------
Ticket 170 from Volker Schmidt offered some changes to the Linux configuration and Makefiles. I have integrated these changes. They have been tested on Slackware Linux 2.3, RedHat 3.0.3 and RedHat 4.0.
-----------------------------------------------------------------------------
Tickets 173 from Albert Lunde and 175 from David Capshaw suggested that a define (HAVE_GETRLIMIT) be added to the config.hpx for HP-UX 10.10. This has been done, but I have no idea if it will help. I don't have HP-UX to test this on.
-----------------------------------------------------------------------------
Tickets 188 and 299 from Andrey A. Chernov note that FreeBSD uses for file system information used by the %F macro. This is included in this release.
-----------------------------------------------------------------------------
Ticket 210 from Wilhelm Mueller suggested that getdatasock should return the errno to the caller that caused the socket call to fail (as opposed to anything else that happens in that routine). I agree. He also suggested that RMD and DELE should both check permissions before attempting to do anything. I also agree. These changes are in this release.
-----------------------------------------------------------------------------
Tickets 221 from Luc Lalonde, 332 from Andrew Siegele and 333 from Tim Wicinski reminded me of problems some releases of IRIX had with the installation script I supply here in the distributions. I think I have addressed these problems now.
-----------------------------------------------------------------------------
Ticket 225 from Sergey Zhuk offered some fixes to the xferstats script that would make it work when the log involves timestamps from two years.
-----------------------------------------------------------------------------
Ticket 237 from Ian Willis suggested another fix for access.c and ftpcount.c that addresses a problem in a bug fix in beta-13 that kept access limits involving days other than Any from being enforced. This fix is included in this release.
-----------------------------------------------------------------------------
Ticket 238 from Ian Willis suggested another fix for popen.c to keep it from overflowing the argv buffer and from freeing space that was not allocated for that same argv buffer. This fix has been included in this release.
-----------------------------------------------------------------------------
Ticket 239 from Ian Willis offered a fix for ftpcmd.y where there is a one-off error in checking the length of a string. This is fixed in this release. Ian also suggested a use of snprintf which was also suggested in ticket 249. This change was included with the rest of the fixes in 249.
-----------------------------------------------------------------------------
Ticket 241 from Ian Willis pointed out that the \r\n is no longer passed to setproctitle since beta-13, so it does not need to attempt to strip. This change has been incorporated into this release.
-----------------------------------------------------------------------------
Tickets 244, 246, 327, 329, 340, 354, 358, 359, 404 and 407 noted that I had made a mistake in the Makefile for the support libraries for AIX. I had put snprintf.c in the OBJS line where it should have been snprintf.o. There was a similar problem in the Makefile for the server itself where I put sigfix.c in the OBJS line instead of sigfix.o. This last one was benign since most compilers can cope with a source file in the compile step if the result is an executable. These problems were reported by these users: ae@is.dal.ca, gilles_ciselet@be.ibm.com, wfp5p@tigger.itc.virginia.edu, nrjw@chevron.com, bozy@fiona.com.cy, dsf@frontiernet.net, fxa@boombox.micro.umn.edu, pguyot@cvf.fr, tkevans@eplrx7.es.dupont.com, chris@westnet.com
-----------------------------------------------------------------------------
Ticket 247 from Ian Willis pointed out an error in how the instructions in ftpaccess are processed with respect to the compress and tar keywords. Once any class is permitted to use them, then all classes are. He provides a fix for this that is included in this release.
-----------------------------------------------------------------------------
Tickets 248 from Alain Magloire, 295 from Alan J Rosenthal, 341 from Roger K. Winters, 347 from Eric Myers, 370 from P. Kearney III, 375 from Marty Schultz, 380 from Randall S. Winchester, 381 from Dale Ghent, 396 from Bob Beck, 398 from Shoichi Shibata, 409 from Paul Southworth, and 411 from Chun-Hsiung Chiu note various problems with compiling wu-ftpd 2.4.2 beta 13 on SunOS 4.1.X machines. One problem is with snprintf.c in the support library. On some versions of SunOS 4.X, the size_t typedef is not pulled in with the include directives that are there. I have modified snprintf.c to include when an ANSI C compiler is used and when one is not used. Hopefully, that will catch a size_t definition. If not, let me know, but do be sure to include what OS release and what compiler you are using. Additionally, I had left "const" definitions in places where non-ANSI C compilers would encounter them. I have removed those.
-----------------------------------------------------------------------------
Ticket 249 from Alain Magloire suggested that snprintf should be used now that there is a good one for those systems that don't have it in the support library and for those that do have snprintf, it should be used where controlling the length of things is important. To that end a number of changes have been made in ftpd.c to use snprintf more widely.
-----------------------------------------------------------------------------
Ticket 250 from Aidas Kasparas provided some code to deal with expired logins (when shadow passwords are used). This code is included in this release.
-----------------------------------------------------------------------------
Ticket 253 from Ian Willis pointed out that ftpconversions and ftpgroup parsing was in a sad state. He offers a number of patches to fix the problems (some of which could cause bad things to happen if these files were formatted badly). These fixes are included in this release.
-----------------------------------------------------------------------------
Ticket 257 from George Staikos suggested that the default umask be 022 instead of 002. I agree. This change has been made for this release.
-----------------------------------------------------------------------------
Ticket 267 from Frank Mogaddedi suggested that SPT_TYPE should be SPT_NONE for SGI IRIX to insure that the time stamps on things didn't get set to GMT. This change has been made, but is untested since I have no SGIs to test on. This will hopefully address the problem as it was reported as a bug in ticket 209 by Phil Ritzenthaler, ticket 218 from Chris Brown, ticket 271 by Wayne Rosen and ticket 356 from Tom Brister.
-----------------------------------------------------------------------------
Ticket 276 from Ian Willis pointed out a logic problem when the socket call fails when trying to open a data socket. The close() was being made anyway and this would generate a "bad file number" error since the socket never was opened. This is fixed in this release.
-----------------------------------------------------------------------------
Ticket 277 from Valter Cavecchia suggested that HAVE_STATVFS should be defined in the SGI IRIX configuration file. It is now. I have no way to know if this is correct. Hopefully others will let me know.
-----------------------------------------------------------------------------
Ticket 285 from Miguel Mena suggested that a note be placed in the NOTES file about Digital Unix and C2 security. This has been done.
-----------------------------------------------------------------------------
Ticket 289 from Ueber Sheep points up a problem when %U is used in a banner prior to the user performing a login. Before beta 14, this could cause a segmentation violation. Now, it will cause %U to print "[unknown]" since login has not been done as yet.
-----------------------------------------------------------------------------
Ticket 294 from Alan Wyskowski suggested that the arguments for select() under HPUX may not have the same types as those found on other systems. I have incorporated his change, though I have no way to test it since I don't have an HPUX system.
-----------------------------------------------------------------------------
Ticket 297 from Andrey A. Chernov suggested a small change to newvers.sh to make it more POSIX compliant without affecting its operations on non-POSIX systems. It is included in this release.
-----------------------------------------------------------------------------
Ticket 298 from Andrey A. Chernov notes that the configuration for FreeBSD supports dirent.h and that sys/dir.h is being phased out. A change to the FreeBSD configuration header file has been made to use dirent.h in this release.
-----------------------------------------------------------------------------
Ticket 302 from Ian Willis and ticket 307 from Pierre Belanger both noted problems when processing the %E macro. It becomes evident when the %E macro is used twice in an extended message. The entry information is not reset between calls. This can cause information to be printed twice. This is fixed in this release.
-----------------------------------------------------------------------------
Ticket 304 from Gustavo Zacarias suggested some changes for C2 security with Digital Unix 4.X. These changes are made to the Digital Unix configuration. C2 is on by default. "./build dec" to get this.
-----------------------------------------------------------------------------
Tickets 308 and 311 from Philippe Langlois suggested that /usr/ucb/installbsd be used for installation on OSF/1. This has been done for this release.
-----------------------------------------------------------------------------
Ticket 309 from P Kern suggested that the passive subroutine might be vulnerable to attack because a user could attempt to start a passive connection without doing a login first. This is now checked in the passive connection.
-----------------------------------------------------------------------------
Ticket 312 from Philippe Langlois suggested that a note be added to NOTES file about the conflict between using Virtual FTP and TCPWrappers. It has been included.
-----------------------------------------------------------------------------
Ticket 315 from George H Richmond reports a bug in some of the debugging code where syslog is called without a printf format string. This causes the daemon to crash on some operating environments. This is fixed in this release.
-----------------------------------------------------------------------------
Ticket 319 from Are Bryne suggested some cleanups in the ftpaccess file in the doc/examples directory. This has been done for this release.
-----------------------------------------------------------------------------
Tickets 320 from Are Bryne, 388 from SethMeister G. and 394 from Perry Rovers pointed out an error in the ftpaccess.5 man page concerning the path-filter example. This is fixed in this release.
-----------------------------------------------------------------------------
Ticket 323 from David Capshaw points out a problem in realpath that is exposed when it is called with a rooted path. It could attempt to access an uninitialized location. His fix has been incorporated into this release.
-----------------------------------------------------------------------------
Ticket 325 from Alain Magloire suggested that the argv array be zeroed out before loading it. He also suggested a fix to insure that we didn't spill off the end of the argv array when filling it. This fix is included in this release.
-----------------------------------------------------------------------------
Ticket 343 from Ian Willis contains a number of fixes for various memory leaks in the glob routines as well as some logic problems in the processing of the ABOR verb. These fixes are included in this release.
-----------------------------------------------------------------------------
Ticket 344 from Farhad Anklesaria suggested a number of changes to the makefiles for A/UX. They are included in this release.
-----------------------------------------------------------------------------
Ticket 349 from John F. Woods notes that there are a number of places in the software that are attempting to print out off_t values using printf selectors that can't handle the size. He suggests that these values be cast to fix. I have included his patch, but I intend to revamp this totally after this software goes to release.
-----------------------------------------------------------------------------
Tickets 350 from Gunnar Helliesen and 379 from Randall S. Winchester note that there is a benign syntax problem in access.c. This might cause some compilers to generate a warning. This has been fixed in this release.
-----------------------------------------------------------------------------
Ticket 360 from Bas Meijer suggested a way to setup the "chroot" directory for wu-ftpd on IRIX. This has been included in the NOTES.
-----------------------------------------------------------------------------
Ticket 361 from Timothy J. Luoma suggested that HAVE_REGEX_H be removed from the NeXTStep 3.X configuration. This has been done.
-----------------------------------------------------------------------------
Ticket 362 from Philip Kearney III noted that the "deny" keyword when followed with a domainname glob did not work. An IP address or address glob does work on SunOS 4.1.X machines. This turns out to be an issue only if you are not running yp or if yp is not able to access DNS. To address this, I have added -lresolv to the SunOS 4.1 makefile. This can be removed if you are running yp with DNS enabled.
-----------------------------------------------------------------------------
Ticket 365 from Ian Willis offered some fixes to make some of the 5XX responses associated with failed logins comply with RFC 959 and correct some logic that would cause the server to send two responses to a client when passwd-check is used and the user failed to enter a "valid" password when logging in anonymously. These fixes are included in this release.
-----------------------------------------------------------------------------
Ticket 368 from Ian Willis suggested that a change made during the release of beta 12 changed how the upload option did filename matching to make it non-intuitive. This change has been reversed. He also offered a change to how the upload directive is parsed so that "no dirs" does allow directories to be created and "no some-other-string" does not. Previously it didn't work this way.
-----------------------------------------------------------------------------
Ticket 378 from Michael Brennen suggested that it's easy for folks to get confused setting up the anonymous login and use the /./ suffix on the home directory like that used for guestgroup. When done, it will make other functions (like upload) in the ftpaccess fail to work. He has suggested that processing of the two be done alike. He also supplied a nice patch. It is included in this release. This could be argued as a bug fix or an enhancement. Oh well.
-----------------------------------------------------------------------------
Ticket 386 from Wyman Eric Miles reported a problem attempting to compile beta-13 with the Bellcore skey library. That's because it doesn't compile with that version. The version needed is the one from the logdaemon suite by Wietse Venema. I am updating the documentation to make this clear.
-----------------------------------------------------------------------------
Ticket 387 from Alexander suggested that using the /var/tmp directory for storing the pids is a bad idea. I agree. All configurations have been changed not to do this. This was really only an issue on System V systems and older BSD systems.
-----------------------------------------------------------------------------
Ticket 393 from Eli-Jean Leyssens pointed out another possible problem with ABOR verb processing with OOB data. This fix is included in this release.
-----------------------------------------------------------------------------
Ticket 399 from Vadim M. Sapiro pointed out a problem with Solaris 2.5.1 libraries when used in chrooted mode along with a dynamically linked "ls". Sun has assigned a bugid for this problem. See the NOTES file for more on this.
-----------------------------------------------------------------------------
Ticket 400 from Luc Beurton reports that NetBSD/sparc uses an int64_t for that stbuf.st_size. This means that %qu should be used for a sprintf selector instead of %lu.
-----------------------------------------------------------------------------
Ticket 403 from Rob Nichols suggested some changes to facilitate compilation on AIX. These changes are included in this release.
-----------------------------------------------------------------------------
Ticket 415 from Andy Church suggested that the dependency on libc in the makefile for Linux be removed. I have done so.
-----------------------------------------------------------------------------
Ticket 417 from Ian Willis noted that getspnam on Unixware 2.1 is not NIS aware, so the password read from the password file should not be overwritten should the call fail. This fix is included here.
-----------------------------------------------------------------------------
Ticket 420 from Mike Handley has reported a problem in beta 13 under Unixware 2.1. Ian Willis has provided the fix in Ticket 423 which is included in this release.
-----------------------------------------------------------------------------
Ticket 421 from Ernest Mueller supplied a number of suggestions for making wu-ftpd install smoothly on IRIX 6.3. I have included these suggestions in this release.
-----------------------------------------------------------------------------
Ticket 423 from Ian Willis noted that when wu-ftpd is used on Unixware, readdir in glob.c would not work as expected since the version picked up during the link is the one from the ucb library, not the regular C library. He suggested changing the UnixWare Makefile to link the regular C library before the ucb library. This has been done for this release.
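
-----------------------------------------------------------------------------
Added example, not part of the original announcement and not wu-ftpd's own code: tickets 238 and 325 above describe an argv array that was filled without being zeroed, could be written past its end, and had slots freed that were never allocated. The C code below shows a bounded fill that avoids all three; fill_argv, free_argv, MAX_ARGV and the whitespace tokenizer are hypothetical choices made for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGV 8   /* assumed small limit so the "too many arguments" case is easy to hit */

/*
 * Split cmd on blanks into argv[0..max-1], copying each token to the heap.
 * Returns the argument count, or -1 if allocation fails or cmd holds more
 * than max-1 arguments (it refuses instead of writing past the array).
 */
int fill_argv(const char *cmd, char *argv[], size_t max)
{
    size_t argc = 0;
    const char *p = cmd;

    if (max == 0)
        return -1;
    /* Zero first: every unused slot is NULL, so cleanup may free() any slot. */
    memset(argv, 0, max * sizeof(argv[0]));

    while (*p != '\0') {
        size_t len;

        p += strspn(p, " \t\n");           /* skip separators */
        if (*p == '\0')
            break;
        len = strcspn(p, " \t\n");         /* length of this token */

        /* Reserve the last slot for the NULL terminator execv() expects. */
        if (argc >= max - 1)
            return -1;

        argv[argc] = malloc(len + 1);
        if (argv[argc] == NULL)
            return -1;
        memcpy(argv[argc], p, len);
        argv[argc][len] = '\0';
        argc++;
        p += len;
    }
    return (int)argc;
}

/* Release every slot; safe after a failed fill because unused slots are NULL. */
void free_argv(char *argv[], size_t max)
{
    size_t i;

    for (i = 0; i < max; i++) {
        free(argv[i]);       /* free(NULL) is a no-op */
        argv[i] = NULL;      /* a second call cannot double-free */
    }
}

int main(void)
{
    char *av[MAX_ARGV];
    /* Constructed sample commands, not taken from the wu-ftpd sources. */
    printf("%d\n", fill_argv("/bin/ls -l /pub", av, MAX_ARGV));
    free_argv(av, MAX_ARGV);
    printf("%d\n", fill_argv("a b c d e f g h", av, MAX_ARGV));
    free_argv(av, MAX_ARGV);
    return 0;
}
```

The caller always runs free_argv over the whole array, including after a -1 return, which is only safe because the array was zeroed before the first token was stored.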