Synopsis: ftpd setproctitle vulnerability
NetBSD versions: All
Thanks to: Itojun
Reported in NetBSD Security Advisory: SA2000-009

--- libexec/ftpd/ftpd.c 2000/05/11 10:14:37     1.61.2.2
+++ libexec/ftpd/ftpd.c 2000/07/08 18:58:10     1.61.2.3
@@ -712,7 +712,7 @@
                   "%s: anonymous/%.*s", remotehost,
                   (int) (sizeof(proctitle) - sizeof(remotehost) -
                   sizeof(": anonymous/")), passwd);
-               setproctitle(proctitle);
+               setproctitle("%s", proctitle);
#endif /* HASSETPROCTITLE */
               if (logging)
                       syslog(LOG_INFO, "ANONYMOUS FTP LOGIN FROM %s, %s",
@@ -722,7 +722,7 @@
#ifdef HASSETPROCTITLE
               snprintf(proctitle, sizeof(proctitle),
                   "%s: %s", remotehost, pw->pw_name);
-               setproctitle(proctitle);
+               setproctitle("%s", proctitle);
#endif /* HASSETPROCTITLE */
               if (logging)
                       syslog(LOG_INFO, "FTP LOGIN FROM %s as %s",
@@ -1507,7 +1507,7 @@
       remotehost[sizeof(remotehost) - 1] = '\0';
#ifdef HASSETPROCTITLE
       snprintf(proctitle, sizeof(proctitle), "%s: connected", remotehost);
-       setproctitle(proctitle);
+       setproctitle("%s", proctitle);
#endif /* HASSETPROCTITLE */

       if (logging)

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.