Tymm Twillman [tymm@COE.MISSOURI.EDU] Sent: Friday, September 17, 1999 2:15 PM Subject: proftpd 1.2.0pre6 patch Before I release the exploit, I'd like to give people a chance to fix the problem. Here's the patch. Note that there are other potential problems; I've been in contact with MacGyver and a new version fixing this and other stuff should be out within a few days (at this point I really have no clue if there are exploits possible for the other issues that might allow breakins; please keep up to date and upgrade as soon as the new version is available). Anyhow, here's the patch: --- proftpd-1.2.0pre6.old/src/main.c Fri Sep 10 15:49:32 1999 +++ proftpd-1.2.0pre6/src/main.c Thu Sep 16 01:50:43 1999 @@ -379,7 +379,7 @@ #if PF_ARGV_TYPE == PF_ARGV_WRITEABLE /* We can overwrite individual argv[] arguments. Semi-nice. */ - snprintf(Argv[0], maxlen, statbuf); + snprintf(Argv[0], maxlen, "%s", statbuf); p = &Argv[0][i]; while(p < LastArgv) -- that's it. Amazing how much these little things matter. -Tymm
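Review bot: in the PF_ARGV_WRITEABLE branch of src/main.c, the corrected call `snprintf(Argv[0], maxlen, "%s", statbuf);` still discards its return value, and the following line takes `p = &Argv[0][i];` with an `i` whose origin is not visible in this hunk. The "%s" change itself is right, since statbuf is now treated as data rather than as the format string, but it is worth confirming that `i` cannot exceed what was actually written into Argv[0] (snprintf truncates at maxlen) and that it stays below LastArgv before the `while(p < LastArgv)` loop runs. A short comment on the call saying that statbuf can carry client-influenced text and must never be passed as the format argument would keep a later cleanup from reverting it. Since the message says other problems remain, the same review should cover every other printf-family call in the tree whose format argument is a variable rather than a literal; building with -Wformat -Wformat-security flags those call sites.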