-= CVE-2003-0466 =-

Vulnerable versions: wu-ftpd 2.5.0 - 2.6.2
File(s): src/realpath.c
Download from:
  ftp://ftp.wu-ftpd.org/pub/wu-ftpd-attic/wu-ftpd-2.5.0.tar.gz

Domain: FTP Server

_ Vulnerable Functions and Buffers _

The buffer resolved[], which is an input to fb_realpath(), can be
overflowed. This buffer can be filled with up to MAXPATHLEN bytes by a
call to getcwd(). A slash ("/") and another buffer, wbuf[], can then
be appended to resolved[] using strcat. The bounds check is wrong ---
it should be saying that we need more room if we copy in a slash, but
it says that we need more if we *don't*. Hence there's an off-by-one
error if we do copy the salsh in.

The patch involves adding a single exclamation point. ;-)

fb_realpath() does some heavy string manipulations on the way to these
calls, and makes calls to the filesystem (which we model with
nondeterminism). For every decomposed program but the most simple one,
SatAbs gets a lot of timeouts.

_ Decomposed Programs _

wu-ftpd.h

fb_realpath/
  simple_bad.c
  almost_simple_bad.c
  istrrchr_bad.c
  no_symlinks_bad.c
  symlinks_bad.c
