Date: Sun, 1 Nov 1998 12:00:00 -0500 (EST)
From: Gregory A Lundberg
To: WU-FTPD Discussion List
Subject: [VR10] More enhancements and bug fixes for beta-18

The VR10 patch set for WU-FTPD 2.4.2 (beta-18) is now available.

SECURITY-UPDATE: This set includes the correction of a buffer overflow
problem in the realpath() function discussed recently on the BUGTRAQ
mailing list. The error in realpath() exists in all prior versions of
WU-FTPD including 2.4, all Academ version 2.4.1 and 2.4.2 betas, all
versions of NEWVIRT, BeroFTPD prior to version 1.2.0, and any packages
derived from any of the above. There are no known exploits for this
error. Users of all versions of WU-FTPD are strongly advised to upgrade.

This set also includes additional features requested over the years by
the user community and includes a number of bug fixes for both the base
(beta-18) release and earlier VR patch sets.

These are available as both patches and pre-patched tarballs at my ftp
site:

    ftp://ftp.vr.net/pub/wu-ftpd/

If you take just the patch files, please remember: they are cumulative.
You cannot apply fixes from one set without earlier sets already having
been applied. The first set for BETA-18 is VR3; VR1 and VR2 were for
BETA-17 only.

Several pre-compiled binaries for VR9 are also available. These include:

Sun/SunOS
---------
sunos41x-ftpbin.tar.gz (FTP support executables, ls etc.)
wu-ftpd-2.4.2-beta-18-vr10-SunOS-4.1.3_U1.tar.gz

Sun/Solaris
-----------
FTP242b18.wu-ftpd.2.4.2-beta18-VR10.SPARC.ULTRASparc.2.5.1.2.5.pkg.tar.Z
FTP242b18.wu-ftpd.2.4.2-beta18-VR10.SPARC.ULTRASparc.2.5.1.2.5.pkg.tar.gz
wu-ftpd-2.4.2-beta-18-vr10-Solaris-2.6.tar.gz

Sun/NetBSD
----------
wu-ftpd-2.4.2-beta-18-vr10-NetBSD-sparc-1.3.2.tar.gz

Sun/Linux
---------
wu-ftpd-2.4.2-beta-18-vr10-linux-sparc.tar.gz

SGI/IRIX
--------
irix62-ftpbin.tar.gz (FTP support executables, ls etc.)
wu-ftpd-2.4.2-beta-18-vr10-IRIX-6.2.tar.gz

IBM/AIX
-------
wu-ftpd-2.4.2-beta-18-vr10-AIX.3.2.5.tar.gz

DEC/Unix
--------
wu-ftpd-2.4.2-beta-18-vr10-OSF1-3.2-C2.tar.gz

Intel/BSDI
----------
wu-ftpd-2.4.2-beta-18-vr10-BSDI-2.1.tar.gz
wu-ftpd-2.4.2-beta-18-vr10-BSDI-3.1.tar.gz

Intel/Linux
-----------
wu-ftpd-2.4.2-beta-18-vr10.linux.i386.tar.gz

Thanks to all those who helped with debugging and built the pre-compiled
binaries.

This is a list of fixes to BETA 18 with VR9 applied from lundberg@vr.net
---------------------------------------------------------------------------

Wolfram Schmidt pointed out on July 22, 1994, the daemon does not use the
correct method to choose the port for the data connection in PORT mode.
More recently, Bernhard Rosenkraenzer added a -p option to BeroFTPD
1.0.12 which allows the port to be specified for the control connection.
With this patch the daemon will look up the data port in /etc/services.
Command-line options are also provided to allow both the data and
control port numbers to be specified.

Recent discussions have pointed out the need for some high-volume sites
to bypass PID file processing. Testing the daemon as a normal user also
points out the need for this. This patch adds the -Q command-line option
to suppress access to the PID files.

NOTE: Without PID files, the limit ftpaccess clause cannot determine the
number of users in the given class.

AUTH (ident) the remote user during login. Record the results in the
syslog. Originally requested, with a suggested patch sent to the mailing
list by jlewis@inorganic5.fdt.net on Aug 24, 1997. See next patch.

Nick Maclaren sent a private email to wu-ftpd-bugs, Bernard and me on
Friday, October 16, 1998. He had made a set of patches to the base,
beta-18, release which include a few bugfixes and some new features:

- RFC-931 (AUTH/IDENT) was finished up. The log messages now show the
  RFC-931 user if one is known.

- Support for some Hitachi flavors of Unix was added.

- Major cleanup of build and the makefiles. This was long overdue. I
  have received several complaints that changing headers does not cause
  the code to recompile; he fixed that. He missed checking for changes
  in the support library, so I added that. Also, his changes presumed
  the user compiling the code was 'root' so I cleaned up so non-root can
  compile the daemon (this was mainly because I've cleaned up the file
  permissions in the release tarballs).

- A number of minor fixes, mainly having to do with differences between
  ANSI/ISO and K&R C. His comments about C9X (the next C standard) are
  bogus but his changes either were good ideas or pointed out where the
  code needed a bit of work.

I've added comments to his FIXES file where I've departed from his work.

Stan's TODO item 21 calls for access control by remote username if this
was authenticated using RFC-931. Results from RFC-931 should not be used
for authentication. Cancelling this item.

Stan's TODO item 3 calls for adding additional logging. This was done in
earlier VR patch sets. There is no reason to change to another log file.
Marking this item completed.

BeroFTPD has 'ls' implemented internally. Marking Stan's TODO item 25
complete.

ttsg@ttsg.com pointed out the Perl xferstats wasn't updated to match the
new xferlog format with the new completion-code field on the end.

A recent discussion on BUGTRAQ pointed out a buffer-overrun in the
realpath function. Bernard imported the FreeBSD realpath() function to
correct this error. This closes Stan's TODO item 1.

--
Gregory A Lundberg
Senior Partner, VRnet Company
1441 Elmdale Drive                 lundberg+wuftpd@vr.net
Kettering, OH 45409-1615 USA       1-800-809-2195