Package name
Advisory ID
Affected versions
8.2 i586, 8.2 i586

Problem description

A vulnerability was discovered by Janusz Niewiadomski and Wojciech Purczynski in the wu-ftpd FTP server package. They found an off-by-one bug in the fb_realpath() function which could be used by a remote attacker to obtain root privileges on the server. The bug can only be successfully exploited against wu-ftpd binaries compiled on Linux 2.0.x and later 2.4.x kernels, because the 2.2.x and earlier 2.4.x kernels define PATH_MAX to be 4095 characters. wu-ftpd is no longer shipped with Mandrake Linux; however, Mandrake Linux 8.2 did come with wu-ftpd. If you use wu-ftpd, you are encouraged to upgrade to these patched packages.
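The class of bug described above, an off-by-one in a path-length check, shown next to its corrected form as an added, simplified illustration. This is not wu-ftpd's fb_realpath() code: CAP is an assumed stand-in for the compile-time path limit, and all function names and inputs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define CAP 16  /* assumed stand-in for the compile-time path limit (small for the demo) */

/* Bytes required for dir + '/' + name + NUL; no '/' is added when dir is "/". */
static size_t bytes_needed(const char *dir, const char *name)
{
    size_t sep = (strcmp(dir, "/") == 0) ? 0 : 1;
    return strlen(dir) + sep + strlen(name) + 1;
}

/* Off-by-one: counts the NUL but forgets the separator. */
static int fits_buggy(const char *dir, const char *name)
{
    return strlen(dir) + strlen(name) + 1 <= CAP;
}

/* Corrected: every byte that will be written is counted. */
static int fits_fixed(const char *dir, const char *name)
{
    return bytes_needed(dir, name) <= CAP;
}

/*
 * Join dir and name into a CAP-byte logical buffer.
 * Returns -1 if the check rejects the path, 1 if a byte was written past
 * the logical buffer, 0 if the join stayed in bounds.
 * The backing array has one spare guard byte, so the one-byte overrun the
 * buggy check allows is observable without undefined behaviour.
 */
int join_overruns(const char *dir, const char *name, int use_fixed)
{
    char backing[CAP + 1];
    memset(backing, 0x7f, sizeof backing);      /* backing[CAP] is the guard */

    if (!(use_fixed ? fits_fixed : fits_buggy)(dir, name))
        return -1;                              /* caller would fail with ENAMETOOLONG */

    strcpy(backing, dir);
    if (strcmp(dir, "/") != 0)
        strcat(backing, "/");
    strcat(backing, name);
    return backing[CAP] != 0x7f;                /* guard clobbered by the NUL? */
}

int main(void)
{
    /* constructed inputs: "/home/ftp" + "/" + "abcdef" + NUL = 17 bytes */
    printf("buggy: %d\n", join_overruns("/home/ftp", "abcdef", 0));
    printf("fixed: %d\n", join_overruns("/home/ftp", "abcdef", 1));
    return 0;
}
```

Only inputs that land exactly on the limit separate the two checks, which is why the value of the limit at compile time matters for a bug of this kind.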

Updated packages

8.2 i586

283cf3a7797ca19c8e83ae22c0415fd5  ppc/8.2/RPMS/wu-ftpd-2.6.2-1.1mdk.ppc.rpm
3fd974bd1e718accf048e489dbd52d55  ppc/8.2/SRPMS/wu-ftpd-2.6.2-1.1mdk.src.rpm

8.2 i586

77260fab82a32fd204e29160c11f1e30  8.2/RPMS/wu-ftpd-2.6.2-1.1mdk.i586.rpm
3fd974bd1e718accf048e489dbd52d55  8.2/SRPMS/wu-ftpd-2.6.2-1.1mdk.src.rpm