current-users: Re: NetBSD Security Advisory 2004-009: ftpd root escalation

Subject: Re: NetBSD Security Advisory 2004-009: ftpd root escalation
To: Gilbert Fernandes <gilbertf@netbsd-fr.org>
From: David Maxwell <david@crlf.net>
List: current-users
Date: 08/18/2004 11:00:16

On Tue, 17 Aug 2004, Gilbert Fernandes wrote:
> On Tue, Aug 17, 2004 at 01:48:16PM -0400, NetBSD Security-Officer wrote:
> 
> > 	To update from CVS, re-build, and re-install ftpd:
> > 		# cd src
>                      ^^
> 
>                   cd /usr

Depends. The advisories are worded that way because storing sources in
/usr is not mandated by anything in the system, and is simply an
historical convention.

> > 		# cvs update -d -P src/libexec/ftpd
> > 		# cd src/libexec/ftpd

What's actually wrong is that the cvs and cd commands here should be
relative to the src directory, rather than its parent. I'll make that
correction. Thanks.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
Any sufficiently advanced Common Sense will seem like magic... 
					      - me