diff -u wzdftpd-0.8.1/debian/patches/00list wzdftpd-0.8.1/debian/patches/00list
--- wzdftpd-0.8.1/debian/patches/00list
+++ wzdftpd-0.8.1/debian/patches/00list
@@ -2,0 +3,2 @@
+90_CVE-2007-5300_off_by_one_fix
+91_CVE-2007-0428-hash_c_DoS_fix
diff -u wzdftpd-0.8.1/debian/changelog wzdftpd-0.8.1/debian/changelog
--- wzdftpd-0.8.1/debian/changelog
+++ wzdftpd-0.8.1/debian/changelog
@@ -1,3 +1,25 @@
+wzdftpd (0.8.1-2ubuntu0.1) feisty-security; urgency=low
+
+ * SECURITY UPDATE: Off-by-one error in the do_login_loop function in i
+ libwzd-core/wzd_login.c in wzdftpd 0.8.2 and earlier allows remote attackers
+ to cause a denial of service (daemon crash) via a long USER command
+ that triggers a stack-based buffer overflow. NOTE: some of these details are
+ obtained from third party information. (CVE-2007-5300)
+ * SECURITY UPDATE: Unspecified vulnerability in the chtbl_lookup function in hash.c for
+ WzdFTPD 8.0 and earlier allows remote attackers to cause a denial of service via
+ a crafted FTP command, probably due to a NULL pointer dereference. (CVE-2007-0428)
+ * debian/patches/90_CVE-2007-5300_off_by_one_fix.dpatch:
+ - Applied fix by Nico Golde
+ * debian/patches/91_CVE-2007-0428-hash_c_DoS_fix.dpatch:
+ - Applied fix to fix this issue (checked key variable in func chtbl_lookup,
+ backported from 0.8.2 version)
+ * References:
+ CVE-2007-5300
+ CVE-2007-0428
+ http://security-tracker.debian.net/tracker/source-package/wzdftpd
+
+ -- Stephan Hermann Fri, 12 Oct 2007 22:32:26 +0200
+
 wzdftpd (0.8.1-2) unstable; urgency=high
 
 * Fix assertion failed in avahi module (Closes: #416402)
only in patch2:
unchanged:
--- wzdftpd-0.8.1.orig/debian/patches/90_CVE-2007-5300_off_by_one_fix.dpatch
+++ wzdftpd-0.8.1/debian/patches/90_CVE-2007-5300_off_by_one_fix.dpatch
@@ -0,0 +1,33 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 90_CVE-2007-5300_off_by_one_fix.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad wzdftpd-0.8.1~/libwzd-core/wzd_login.c wzdftpd-0.8.1/libwzd-core/wzd_login.c
+--- wzdftpd-0.8.1~/libwzd-core/wzd_login.c 2006-12-08 14:59:04.000000000 +0100
++++ wzdftpd-0.8.1/libwzd-core/wzd_login.c 2007-10-12 22:30:12.000000000 +0200
+@@ -333,7 +333,7 @@
+ }
+
+ /* this replace the memset (bzero ?) some lines before */
+- buffer[ret] = '\0';
++ buffer[ret-1] = '\0';
+
+ if (buffer[0]=='\0') continue;
+
+diff -urNad wzdftpd-0.8.1~/libwzd-core/wzd_protocol.c wzdftpd-0.8.1/libwzd-core/wzd_protocol.c
+--- wzdftpd-0.8.1~/libwzd-core/wzd_protocol.c 2006-12-05 15:18:34.000000000 +0100
++++ wzdftpd-0.8.1/libwzd-core/wzd_protocol.c 2007-10-12 22:30:26.000000000 +0200
+@@ -84,8 +84,8 @@
+ char buf[4];
+ if (!token || (length=strlen(token))==0)
+ return TOK_UNKNOWN;
+- memcpy(buf,token,4);
+- ascii_lower(buf,length);
++ memcpy(buf,token,sizeof(buf));
++ ascii_lower(buf,sizeof(buf));
+
+ /* TODO order the following by probability order */
+ if (length <= 4) {
only in patch2:
unchanged:
--- wzdftpd-0.8.1.orig/debian/patches/91_CVE-2007-0428-hash_c_DoS_fix.dpatch
+++ wzdftpd-0.8.1/debian/patches/91_CVE-2007-0428-hash_c_DoS_fix.dpatch
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 91_CVE-2007-0428-hash_c_DoS_fix.dpatch by Stephan Hermann
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad wzdftpd-0.8.1~/libwzd-base/hash.c wzdftpd-0.8.1/libwzd-base/hash.c
+--- wzdftpd-0.8.1~/libwzd-base/hash.c 2007-10-14 14:00:32.000000000 +0200
++++ wzdftpd-0.8.1/libwzd-base/hash.c 2007-10-14 14:05:47.000000000 +0200
+@@ -171,6 +171,7 @@
+ CHTBL_Elmnt *entry;
+ unsigned int index;
+
++ if (key == NULL) return -1;
+
+ index = htab->h(key) % htab->containers;
+
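Review bot: In the wzd_login.c part of 90_CVE-2007-5300_off_by_one_fix.dpatch, `buffer[ret-1] = '\0';` avoids the write one past the end by overwriting the last byte received instead of bounding the index. A command that arrives without a line terminator, or that fills the buffer, loses its final character, and the store is only safe if `ret` is at least 1 at this point; the check on `ret` sits above the hunk and is not visible. Clamping keeps the data intact, e.g. `if ((size_t)ret >= sizeof(buffer)) ret = sizeof(buffer) - 1;` followed by the original `buffer[ret] = '\0';` (assuming `buffer` is an array in this scope and `ret` is positive), or passing one byte less than the capacity to the read call. In the wzd_protocol.c part, `memcpy(buf,token,sizeof(buf));` still copies four bytes from a token that may be one or two characters long and so may read past its terminator; copying and lowercasing `length < sizeof(buf) ? length : sizeof(buf)` bytes would bound both the read and the write. The `## DP: No description.` line should name the CVE and the origin of the fix.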
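Review bot: In the hash.c hunk of 91_CVE-2007-0428-hash_c_DoS_fix.dpatch, the added `if (key == NULL) return -1;` guards only `key`, while the next statement `index = htab->h(key) % htab->containers;` still dereferences `htab` and takes a modulo by `htab->containers` unchecked. If either can be NULL or zero for a table that was never initialised or already destroyed (not visible here; the function starts and ends outside the hunk), widening the guard to `if (htab == NULL || key == NULL || htab->containers == 0) return -1;` closes the same class of crash. It is also worth confirming that callers treat -1 as "not found" and do not read the output argument afterwards. The dpatch header `## DP: No description.` should state the CVE id and that the check is backported from 0.8.2, as the changelog entry does.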