wu-ftpd.2.6.0.rfp
Posted Nov 28, 2001
Authored by rain forest puppy | Site wiretrip.net

Details and source diffs for the wu-ftpd v2.6.1 remote overflow vulnerability. By leaving off closing ']' and '}' characters, it's possible to get the glob function to construct a long string which very well may overflow a buffer in gzip v1.2.4.

tags | remote, overflow
SHA-256 | 30748757c260928c611e88fd96b30631aba28b1ad1813970dcd5a76a1ab7932d

Those of you who monitor 'other' security lists may have caught a "we know
something about wu-ftpd" message that came across not too long ago. And today,
RedHat released some updated wu-ftpd RPMs. So, in order to learn the
details of the bug, I grabbed the SRPM and took a peek.

Included in the SRPM is wu-ftpd-2.6.1-sec.patch, which is dated Nov 21.
This looks like a winner. The pertinent parts of the patch are:


--- wu-ftpd/src/glob.c.sec Thu May 31 09:30:36 2001
+++ wu-ftpd/src/glob.c Wed Nov 21 18:22:17 2001
@@ -309,7 +309,7 @@
if (lm >= restbufend)
return (0);
}
- for (pe = ++p; *pe; pe++)
+ for (pe = ++p; *pe; pe++) {
switch (*pe) {

case '{':
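Review bot: the new `{` on `for (pe = ++p; *pe; pe++) {` has no closing brace in this hunk; its match is the `+ }` added just before `pend:` in the next hunk, so the two hunks only compile together. Since the loop body was previously the bare `switch`, the braces change nothing by themselves; a one-line note saying the wrap exists so the loop can run off the end of the pattern and fall into the new `pend:` check would save the next reader the cross-hunk hunt.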
@@ -325,11 +325,19 @@
case '[':
for (pe++; *pe && *pe != ']'; pe++)
continue;
+ if (!*pe) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
+ }
pend:
- brclev = 0;
- for (pl = pm = p; pm <= pe; pm++)
+ if (brclev || !*pe) {
+ globerr = "Missing }";
+ return (0);
+ }
+ for (pl = pm = p; pm <= pe; pm++) {
switch (*pm & (QUOTE | TRIM)) {

case '{':
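Review bot: dropping `brclev = 0;` at `pend:` is the substantive fix in this hunk and deserves a comment in the code: the old reset discarded the evidence that the first pass reached the end of the pattern with an open `{`, so the second pass went on building output from an unterminated pattern, whereas the new `if (brclev || !*pe)` refuses. Two things to confirm: `brclev` is initialised before the loop (outside the visible context), and callers check `globerr` after a `return (0)`, since 0 is also this function's ordinary "no expansion" result.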
@@ -365,19 +373,18 @@
return (1);
sort();
pl = pm + 1;
- if (brclev)
- return (0);
continue;

case '[':
for (pm++; *pm && *pm != ']'; pm++)
continue;
- if (!*pm)
- pm--;
+ if (!*pm) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;
}
- if (brclev)
- goto doit;
+ }
return (0);
}

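Review bot: the bare `return (0);` that the removed `if (brclev) goto doit;` used to precede is now reached without setting `globerr`, unlike every other new failure path in this patch; either set `globerr` there too or note why the `pend:` check makes it unreachable. Replacing `if (!*pm) pm--;` with an error return is the right call: backing `pm` up onto the terminator silently treated an unterminated class as if it had closed, and now both passes report the same `Missing ]` error.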
@@ -429,11 +436,10 @@
else if (scc == (lc = cc))
ok++;
}
- if (cc == 0)
- if (ok)
- p--;
- else
- return 0;
+ if (cc == 0) {
+ globerr = "Missing ]";
+ return (0);
+ }
continue;

case '*':
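Review bot: the replaced block was a dangling-else trap: in `if (cc == 0) if (ok) p--; else return 0;` the `else` binds to the inner `if`, so an unterminated class that had already matched a character backed `p` onto the terminator and counted as a match; the braced replacement removes both the ambiguity and the lenient behaviour. Style: `"Missing ]"` is now assigned in three places in this file; a single `static const char` or macro would keep the message, and any later wording change, consistent.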



So it appears that by leaving off closing ']' and '}' characters, it's
possible to get the glob function to construct a long string. Odds are
this is being used in conjunction with a gzip 1.2.4 filename overflow,
which has also been talked about lately on other lists as well (see the
"New bugs discovered!" thread archived at:
http://archives.neohapsis.com/archives/vuln-dev/2001-q4/ )

I also don't know if the globbing code uses a static buffer, thus it could
be more of a plain-type overflow.

Regardless, this is enough info to better assess possible risk. The above
patch should patch against the recent wu-ftpd source branches (Redhat
includes 2.7.0 in the SRPM).

Enjoy,
- rfp
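As an added example, not part of rfp's message or of the wu-ftpd source: a stand-alone C check that applies the rule the patch above enforces in its first pass (an unterminated '[' or an unbalanced '{' is an error, not a string to keep building), so a pattern can be rejected before any expansion buffer is touched. The function name, the backslash handling and the "Unmatched }" / "Trailing backslash" messages are my assumptions; "Missing ]" and "Missing }" are the strings the patch assigns to globerr.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not wu-ftpd code). Walks a glob pattern the way the patched
 * first pass does: '[' opens a class that must end with ']' (nothing inside a
 * class is special), '{' and '}' must balance, and a backslash quotes the next
 * character (assumed here; the patch handles quoting via its QUOTE bit instead).
 * Returns NULL for a well-formed pattern, otherwise an error string. */
const char *glob_check_pattern(const char *p)
{
    int brclev = 0;                    /* current '{' nesting depth */

    for (; *p; p++) {
        switch (*p) {
        case '\\':                     /* quoted char: skip it, even ']' or '}' */
            if (*++p == '\0')
                return "Trailing backslash";   /* constructed message */
            continue;
        case '[':
            for (p++; *p && *p != ']'; p++)    /* same scan as the patch */
                continue;
            if (!*p)
                return "Missing ]";    /* patch: globerr = "Missing ]" */
            continue;
        case '{':
            brclev++;
            continue;
        case '}':
            if (brclev == 0)
                return "Unmatched }";  /* constructed message */
            brclev--;
            continue;
        }
    }
    /* Ran off the end with an open brace: the case the old code let through. */
    return brclev ? "Missing }" : NULL;   /* patch: globerr = "Missing }" */
}

int main(void)
{
    /* Constructed sample patterns: two well-formed, three malformed. */
    const char *samples[] = { "*.tar.gz", "{a,b}[0-9]", "foo[0-9", "{a,{b,c}", "a}b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *err = glob_check_pattern(samples[i]);
        printf("%-12s -> %s\n", samples[i], err ? err : "ok");
    }
    return 0;
}
```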
