MDKSA-2003:080
- Package name: wu-ftpd
- Date: 2003-07-31
- Advisory ID: MDKSA-2003:080
- Affected versions: 8.2 i586, 8.2 i586
Problem description
A vulnerability was discovered by Janusz Niewiadomski and Wojciech Purczynski in the wu-ftpd FTP server package. They found an off-by-one bug in the fb_realpath() function which could be used by a remote attacker to obtain root privileges on the server. This bug can only be successfully exploited against wu-ftpd binaries compiled on Linux 2.0.x and later 2.4.x kernels, because the 2.2.x and earlier 2.4.x kernels define PATH_MAX to be 4095 characters.

wu-ftpd is no longer shipped with Mandrake Linux; however, Mandrake Linux 8.2 did come with wu-ftpd. If you use wu-ftpd, you are encouraged to upgrade to these patched packages.
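The class of bug named above, an off-by-one length check when joining path components into a fixed-size buffer, shown next to a corrected check. This is an added illustration and not wu-ftpd's fb_realpath() source; BUF_CAP, the function names and the sample input are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_CAP 4096 /* assumed size, standing in for a PATH_MAX-sized buffer */

/* Off-by-one length check: counts the '/' separator but not the
 * terminating NUL, so a result needing cap + 1 bytes is accepted. */
int fits_off_by_one(size_t dir_len, size_t name_len, size_t cap) {
    return dir_len + 1 + name_len <= cap;
}

/* Correct check: separator and terminating NUL must both fit. */
int fits_correct(size_t dir_len, size_t name_len, size_t cap) {
    return dir_len + 1 + name_len + 1 <= cap;
}

/* Hardened join: returns 0 on success, -1 when "dir/name" does not fit. */
int join_path(char *out, size_t cap, const char *dir, const char *name) {
    if (!fits_correct(strlen(dir), strlen(name), cap))
        return -1;
    int n = snprintf(out, cap, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Constructed boundary input: "dir/name" is exactly BUF_CAP characters,
 * so it needs BUF_CAP + 1 bytes. Returns 1 when the off-by-one check
 * accepts it while the correct check and join_path() refuse it. */
int boundary_case_caught(void) {
    static char dir[2001], name[2096], out[BUF_CAP];
    memset(dir, 'd', sizeof dir - 1);   /* 2000 chars, NUL from static init */
    memset(name, 'n', sizeof name - 1); /* 2095 chars, NUL from static init */
    return fits_off_by_one(strlen(dir), strlen(name), BUF_CAP)
        && !fits_correct(strlen(dir), strlen(name), BUF_CAP)
        && join_path(out, sizeof out, dir, name) == -1;
}

int main(void) {
    char out[BUF_CAP];
    printf("boundary case rejected only by the correct check: %d\n",
           boundary_case_caught());
    if (join_path(out, sizeof out, "/home/ftp", "pub") == 0)
        printf("joined: %s\n", out);
    return 0;
}
```

The two checks differ only for the single length at which the joined string exactly fills the buffer, which is why this kind of bug survives ordinary testing and depends on the exact buffer size the binary was compiled with.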
Updated packages
8.2 i586
283cf3a7797ca19c8e83ae22c0415fd5 ppc/8.2/RPMS/wu-ftpd-2.6.2-1.1mdk.ppc.rpm
3fd974bd1e718accf048e489dbd52d55 ppc/8.2/SRPMS/wu-ftpd-2.6.2-1.1mdk.src.rpm
8.2 i586
77260fab82a32fd204e29160c11f1e30 8.2/RPMS/wu-ftpd-2.6.2-1.1mdk.i586.rpm
3fd974bd1e718accf048e489dbd52d55 8.2/SRPMS/wu-ftpd-2.6.2-1.1mdk.src.rpm
