Contributed by jose on from the protect-your-stack-protector dept.
The OpenBSD ftp daemon does not use realpath(3) in a way that could be exploited, however a number of other system binaries also use the function. It is not currently known whether or not this bug results in an exploitable security hole on OpenBSD. Since the bug led to an exploitable hole in wu-ftpd, it is entirely possible that some program using realpath(3) under OpenBSD may be vulnerable to attack. For OpenBSD 3.3 and higher, the ProPolice stack protector should provide some protection from this bug, but this cannot be guaranteed.
This bug has been fixed in OpenBSD-current as well as the 3.2 and 3.3 -stable branches. Patches are available for OpenBSD 3.2 and 3.3.
Patch for OpenBSD 3.2: ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.2/common/015_realpath.patch
Patch for OpenBSD 3.3: ftp://ftp.OpenBSD.org/pub/OpenBSD/patches/3.3/common/001_realpath.patch
For versions of OpenBSD prior to 3.2, users may simply fetch the current revision of realpath.c from: ftp://ftp.OpenBSD.org/pub/OpenBSD/src/lib/libc/stdlib/realpath.c then rebuild and install libc with the new realpath.c.
For more details, see the description of the wu-ftpd fp_realpath bug: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt
Make sure you're up to date!
(Comments are closed)