tags 446192 + patch

Hi,
I intend to NMU this bug. Attached is a patch to fix this problem. Feel free to use the patch in your own package before the NMU.
It will also be archived on:
http://people.debian.org/~nion/nmu-diff/wzdftpd-0.8.2-2_0.8.2-2.1.patch

Kind regards
Nico

--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u wzdftpd-0.8.2/debian/changelog wzdftpd-0.8.2/debian/changelog --- wzdftpd-0.8.2/debian/changelog +++ wzdftpd-0.8.2/debian/changelog @@ -1,3 +1,11 @@ +wzdftpd (0.8.2-2.1) unstable; urgency=high + + * Non-maintainer upload by testing security team. + * Fix off-by-one in wzd_login.c which leads to a remote + denial of service vulnerability (CVE-2007-5300) (Closes: #446192). + + -- Nico Golde <[EMAIL PROTECTED]> Thu, 11 Oct 2007 13:03:42 +0200 + wzdftpd (0.8.2-2) unstable; urgency=low * Set default homedir for user wzdftpd to / (Closes: #438183) diff -u wzdftpd-0.8.2/debian/patches/00list wzdftpd-0.8.2/debian/patches/00list --- wzdftpd-0.8.2/debian/patches/00list +++ wzdftpd-0.8.2/debian/patches/00list @@ -3,0 +4 @@ +CVE-2007-5300.dpatch only in patch2: unchanged: --- wzdftpd-0.8.2.orig/debian/patches/CVE-2007-5300.dpatch +++ wzdftpd-0.8.2/debian/patches/CVE-2007-5300.dpatch 
@@ -0,0 +1,33 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## CVE-2007-5300.dpatch by Nico Golde <[EMAIL PROTECTED]> +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + [EMAIL PROTECTED]@ +diff -urNad wzdftpd-0.8.2~/libwzd-core/wzd_login.c wzdftpd-0.8.2/libwzd-core/wzd_login.c +--- wzdftpd-0.8.2~/libwzd-core/wzd_login.c 2007-04-26 09:22:02.000000000 +0200 ++++ wzdftpd-0.8.2/libwzd-core/wzd_login.c 2007-10-11 16:14:33.000000000 +0200 +@@ -333,7 +333,7 @@ + } + + /* this replace the memset (bzero ?) some lines before */ +- buffer[ret] = '\0'; ++ buffer[ret-1] = '\0'; + + if (buffer[0]=='\0') continue; + +diff -urNad wzdftpd-0.8.2~/libwzd-core/wzd_protocol.c wzdftpd-0.8.2/libwzd-core/wzd_protocol.c +--- wzdftpd-0.8.2~/libwzd-core/wzd_protocol.c 2007-06-14 12:58:05.000000000 +0200 ++++ wzdftpd-0.8.2/libwzd-core/wzd_protocol.c 2007-10-11 16:16:34.000000000 +0200 +@@ -87,8 +87,8 @@ + char buf[4]; + if (!token || (length=strlen(token))==0) + return TOK_UNKNOWN; +- memcpy(buf,token,4); +- ascii_lower(buf,length); ++ memcpy(buf,token,sizeof(buf)); ++ ascii_lower(buf,sizeof(buf)); + + /* TODO order the following by probability order */ + if (length <= 4) {
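Review bot: the new entry in debian/changelog names only the off-by-one in wzd_login.c, but CVE-2007-5300.dpatch also changes the memcpy and ascii_lower calls in wzd_protocol.c. Add a changelog line for that second change, and replace "## DP: No description." in the dpatch header with a short summary of both fixes so the patch documents itself.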
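Review bot: in the wzd_login.c hunk, "buffer[ret-1] = '\0';" writes to buffer[-1] if ret can be 0 at this point, and the visible context shows no check on ret before the line. It also overwrites the last byte that was read instead of terminating after it. If the underlying problem is that ret can equal the buffer size, consider limiting the read to one byte less than the buffer size and keeping "buffer[ret] = '\0';", or at least guard this assignment with ret > 0.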
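Review bot: in the wzd_protocol.c hunk, "memcpy(buf,token,sizeof(buf));" still reads four bytes from token when length is 1 or 2, because the only check above it is that length is nonzero, so a short token is read past its terminating NUL. Compute the smaller of length and sizeof(buf) once and pass that to both memcpy and ascii_lower. buf also has no room for a terminator after a four-byte copy, so any later use of it has to be length-bounded rather than treating it as a C string.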