ports/net/fspd 281b3 is a very old fsp daemon which is slow and has some major
security issues, so nobody should run this junk anymore. You can get
newer version from http://fsp.sourceforge.net/ and repackage it.
Current version is autoconfed. There will be fsp281b19 shortly which
has my 2-line patch for clean bsd compile.
It has two major security problem:
1) root escape
2) buffer overflow when checking paths
remove old junk asap from mirrors, upgrade port. Take a rest. FSP is a very usefull
thing, my ISP do not counts UDP in my month quota. FSP is about 3x slower
current maintainer of fsp protocol suite
How-To-Repeat: You can get independant fsp protocol stacks from fsp.sf.net and write
a nice exploits. FSPD can not be exploited using standard tools provided
with fsp of by fspclient. I had fsp exploit before, but after Debian group
update their fsp distribution, i have deleted them. I have send my exploit
to packetstormsecurity and Debian security team in December,
but they do not published it nor made announcement. I have no experience
with dealing with security holes but i had surpriced that both groups
ignored this problem.
These funny path for root escape looks like /../../z/y/z. If i remmember
correctly fspd rejects pathes starting with dot so ../.. do not works.
Over to maintainer
New fspd with fixed security hole is in ports system now.
This ticket should be closed and fspd removed from vuxml.
Closed on request of originator.