From Debian Security Advisory DSA 510-1:

jaguar@felinemenace.org discovered a vulnerability in jftpgw, an FTP proxy program, whereby a remote user could potentially cause arbitrary code to be executed with the privileges of the jftpgw server process. By default, the server runs as user "nobody".

CAN-2004-0448: format string vulnerability via syslog(3) in log() function
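An added illustration (not jftpgw's code and not part of the advisory) of why handing an already-formatted message to syslog(3) as its format string is a problem: the text is formatted a second time, so directives inside logged data are interpreted. `fake_syslog` and `log_msg` are hypothetical names; `fake_syslog` is a stand-in that formats into a buffer so the result can be inspected, and the input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGSIZE 256

/* Hypothetical stand-in for syslog(3): same printf-style contract, but it
 * formats into a buffer so the logged text can be inspected. */
static char logged[LOGSIZE];

static void fake_syslog(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(logged, sizeof logged, fmt, ap);
    va_end(ap);
}

/* Formats the message, then hands the result to the sink.
 * as_format != 0: the result is used as the sink's format string (second pass).
 * as_format == 0: the result is passed as data behind a constant "%s". */
static const char *log_msg(int as_format, const char *fmt, ...)
{
    char str[LOGSIZE];
    va_list args;

    va_start(args, fmt);
    vsnprintf(str, sizeof str, fmt, args);
    va_end(args);

    if (as_format)
        fake_syslog(3, str);        /* logged data is parsed as a format */
    else
        fake_syslog(3, "%s", str);  /* logged data stays data */
    return logged;
}

int main(void)
{
    /* Constructed input: "%%" stands for any directive arriving in logged data. */
    const char *user = "a%%b";
    printf("as format: %s\n", log_msg(1, "USER %s", user));
    printf("as data:   %s\n", log_msg(0, "USER %s", user));
    return 0;
}
```

The harmless `%%` is used so the second pass stays well defined; any directive that expects an argument would make that pass consume arguments the caller never supplied.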
maybe it's just me but i don't think 0.13.4 is vuln

if you look at the patch for 0.13.1 that debian provides to fix this exploit, you'll find this:

--- jftpgw-0.13.1.orig/log.c +++ jftpgw-0.13.1/log.c @@ -115,7 +115,7 @@ logtype = LOG_ERR; } vsnprintf(str, LOGSIZE - 1, fmt, args); - syslog(logtype, str); + syslog(logtype, "%s", str); } va_end(args);

if you look through log.c in vanilla 0.13.4, you'll see that the calls to syslog are already exactly like this

we haven't had 0.13.1 in our tree for a long time so i say we just close this as INVALID ... unless i missed something ...
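Review bot: The `"%s"` fix is correct at this `syslog(logtype, str)` call, but the hunk covers only one call site in log.c, so the same pattern anywhere else would remain. Check every other syslog() and printf-family call that receives `str` or another pre-formatted buffer as its format argument, and build with -Wformat -Wformat-security so a non-literal format passed without arguments is flagged at compile time. Separately, `vsnprintf(str, LOGSIZE - 1, fmt, args)` ignores its return value, so a message truncated to fit the buffer goes unnoticed.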