Debian Security Advisory
DSA-087-1 wu-ftpd -- remote root exploit
- Date Reported:
- 03 Dec 2001
- Affected Packages:
- wu-ftpd
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 3581.
- In Mitre's CVE dictionary: CVE-2001-0550.
- CERT's vulnerabilities, advisories and incident notes: CA-2001-18, VU#886083.
- More information:
CORE ST reports that an exploit has been found for a bug in the wu-ftpd
glob code (this is the code that handles filename wildcard expansion).
Any logged-in user (including anonymous FTP users) can exploit the bug
to gain root privileges on the server.
This has been corrected in version 2.6.0-6 of the wu-ftpd package.
- Fixed in:
- Debian GNU/Linux 2.2 (potato)
- Source:
- http://security.debian.org/dists/stable/updates/main/source/wu-ftpd_2.6.0-6.diff.gz
- http://security.debian.org/dists/stable/updates/main/source/wu-ftpd_2.6.0-6.dsc
- http://security.debian.org/dists/stable/updates/main/source/wu-ftpd_2.6.0.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/dists/stable/updates/main/binary-all/wu-ftpd-academ_2.6.0-6_all.deb
- Alpha:
- http://security.debian.org/dists/stable/updates/main/binary-alpha/wu-ftpd_2.6.0-6_alpha.deb
- ARM:
- http://security.debian.org/dists/stable/updates/main/binary-arm/wu-ftpd_2.6.1-6_arm.deb
- Intel IA-32:
- http://security.debian.org/dists/stable/updates/main/binary-i386/wu-ftpd_2.6.0-6_i386.deb
- PowerPC:
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/wu-ftpd_2.6.0-6_powerpc.deb
- Sun Sparc:
- http://security.debian.org/dists/stable/updates/main/binary-sparc/wu-ftpd_2.6.0-6_sparc.deb
MD5 checksums of the listed files are available in the original advisory.