_________________________________________________________

    DePaul University Computer Security Response Team
                        C S R T
_________________________________________________________

Computer Security Vulnerability Alert
_____________________________________________________________________
15:59 -0500 2003-08-04

SUMMARY
    ``Off-by-one'' error in realpath library.

SEVERITY
    Medium

PLATFORM
    FreeBSD RELENG_3, FreeBSD RELENG_4_3 through RELENG_4_8
    FreeBSD RELENG_5_0
    FreeBSD 4-STABLE prior to 2003-05-22 17:11:44 -0000
    NetBSD-current prior to 2003-08-04
    NetBSD 1.5 through 1.6.1
    OpenBSD 3.2, 3.3
    WU-FTPd 2.5.0 <= 2.6.2
    Other platforms running wu-ftpd by default.

    Also, this bug may impact the OpenSSH sftp-server and other
    applications if linked against a vulnerable version of realpath(3).

IMPACT
    This bug may cause an exploitable hole in applications linked
    against realpath.

SCOPE
    University computers running the affected platforms above, or those
    running code linked against realpath.

DETAILS
    An off-by-one error exists in a C library function named
    realpath(3). The realpath(3) function resolves the absolute pathname
    from a pathname containing "/", "/./", or "/../". If the pathname is
    1024 characters long and contains two (2) directory separators, a
    single NUL byte may be written past the end of the buffer used by
    realpath(3).

DAMAGE
    Compromise of system privileges, remote code execution or denial of
    service.

EXPLOIT
    A working exploit has been released for the vulnerable wu-ftpd
    daemon. CSRT will monitor activity and report if other exploits are
    found.

ALERTID
    CSRT2003070804

REVISION
    Id: csrt-va2003080401.txt,v 1.3 2003/08/04 20:59:21 epancer Exp
______________________________________________________________________

MORE INFO
    o Copy of CSRT Alert
    o CERT/CC Vulnerability Note VU#743092
    o FreeBSD Advisory
    o FreeBSD Patch
    o NetBSD Advisory
    o NetBSD Patch
    o OpenBSD Errata Website
    o OpenBSD 3.2 Patch
    o OpenBSD 3.3 Patch
    o WU-FTPD Advisory
______________________________________________________________________

_____________________________END OF ALERT_____________________________
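
The class of error described under DETAILS, as an added illustration that is not part of the CSRT alert and is not the realpath(3) source: a simplified path join whose bound check forgets the "/" separator, beside the corrected check. The names join_path, probe, CAP and CANARY are hypothetical, the input is constructed, and the work area carries one spare guard byte so the stray NUL can be observed without touching other memory.

```c
#include <stdio.h>
#include <string.h>

#define CAP 1024      /* logical buffer size; the alert's 1024-character case */
#define CANARY 0x7f   /* guard value kept in the byte just past the buffer */

/* Join dir + '/' + name into out[cap]. strict=0 reproduces the off-by-one
 * (the bound check forgets the '/'); strict=1 counts '/' and the NUL. */
static int join_path(char *out, size_t cap, const char *dir,
                     const char *name, int strict)
{
    size_t dlen = strlen(dir), nlen = strlen(name);
    size_t need = dlen + nlen + (strict ? 2 : 1);

    if (need > cap)
        return -1;                      /* caller should set ENAMETOOLONG */
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen);
    out[dlen + 1 + nlen] = '\0';        /* lands at out[cap] when flawed */
    return 0;
}

/* Constructed input: dlen-byte directory, nlen-byte name (1 <= len < CAP).
 * Returns -1 if rejected, 0 if joined safely, 1 if the guard byte was hit.
 * The work area has one spare byte so the stray write stays in bounds. */
int probe(size_t dlen, size_t nlen, int strict)
{
    static char area[CAP + 1], dir[CAP], name[CAP];

    if (dlen == 0 || dlen >= CAP || nlen == 0 || nlen >= CAP)
        return -1;
    memset(dir, 'a', dlen);  dir[0] = '/';  dir[dlen] = '\0';
    memset(name, 'b', nlen); name[nlen] = '\0';
    area[CAP] = CANARY;
    if (join_path(area, CAP, dir, name, strict) != 0)
        return -1;
    return area[CAP] != CANARY;
}

int main(void)
{
    printf("flawed, 1024-char result: %d\n", probe(1000, 23, 0));
    printf("strict, 1024-char result: %d\n", probe(1000, 23, 1));
    printf("flawed, 1023-char result: %d\n", probe(1000, 22, 0));
    return 0;
}
```

The corrected check rejects the 1024-character result instead of writing the terminator one byte past the buffer; a result one character shorter is accepted by both checks.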