Bug 479880 - <net-ftp/filezilla-3.7.2 : SSH Handshake Integer Overflow Vulnerabilities (CVE-2013-4852)
Summary: <net-ftp/filezilla-3.7.2 : SSH Handshake Integer Overflow Vulnerabilities (CV...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
Reported: 2013-08-05 23:26 UTC by Chris Reffett (RETIRED)
Modified: 2013-09-15 04:50 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Chris Reffett (RETIRED) gentoo-dev Security 2013-08-05 23:26:54 UTC
From ${URL}:

See the advisory [1] for details referring to putty commit [2].
AFAICS the vulnerable version of putty embedded in filezilla is used in
the build for fzsftp. See [3] for the corresponding bug report for putty
itself.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-4852
[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
[3] http://bugs.debian.org/718779

In summary, filezilla is also affected by CVE-2013-4852. Nothing from upstream yet.
Comment 1 Bernard Cafarelli gentoo-dev 2013-08-07 08:40:29 UTC
Upstream released 3.7.2 to address the vulnerability; I just added it to portage.

Arches, please test and mark stable =net-ftp/filezilla-3.7.2, thanks!

Special test: if anyone has a system with gnutls-2.x and an FTPES server with TLS to test filezilla against, it would be great (to confirm gnutls-3.x is not needed anymore for this case, see #431404).
If not, this should not block stabilization (I can add a warning for it in the ebuild)
Comment 2 Agostino Sarubbo gentoo-dev 2013-08-07 13:15:25 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2013-08-08 12:30:04 UTC
sparc stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-08 12:34:55 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-08-08 12:38:05 UTC
x86 stable
Comment 6 Bernard Cafarelli gentoo-dev 2013-08-09 08:08:39 UTC
Additional CVEs came in the wake of this one: CVE-2013-4206, CVE-2013-4207, CVE-2013-4208

filezilla-3.7.3 was released to address these (just added to tree), should we stabilize it in this bug or start a new one? (sorry arches for the double stabilization)
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-23 14:36:13 UTC
If those CVEs were released as a group, please file a separate bug. GLSA request filed for this one.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-09-15 04:50:37 UTC
This issue was resolved and addressed in
GLSA 201309-08 at http://security.gentoo.org/glsa/glsa-201309-08.xml
by GLSA coordinator Chris Reffett (creffett).