| Summary: | net-ftp/netkit-ftpd < 0.17-r7 fclose() on uninitialized streams (CVE-2007-{5769,6263}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | airsupply <airsupply> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | base-system, thoger |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | | | |
| Bug Blocks: | 201675 | | |

Description
airsupply
2007-11-15 08:19:54 UTC

Is there a fix available somewhere?

As for ftp (client): Fedora / RHEL packages include one patch (netkit-ftp-0.17-segv.patch) which seems to address this issue. Patch was written by Alan Cox and is included in our ftp packages as of June 2004.

Patch: http://cvs.fedora.redhat.com/viewcvs/rpms/ftp/F-8/netkit-ftp-0.17-segv.patch?view=auto

VenusTech, can you please provide more information on how to reproduce the ftp client crash so we can verify whether this problem is properly addressed by this patch? Thanks!

(In reply to comment #2)
> Fedora / RHEL packages include one patch (netkit-ftp-0.17-segv.patch) which
> seems to address this issue. Patch was written by Alan Cox and is included in
> our ftp packages as of June 2004.

Oh well, that patch is included in ftp ebuilds and it actually seems to introduce the problem. The following patch was added a few months ago:

http://cvs.fedora.redhat.com/viewcvs/rpms/ftp/F-8/netkit-ftp-0.17-sigseg.patch?view=auto

Yep, this ftp client crash is addressed by this patch. We published the adv in fd. http://seclists.org/fulldisclosure/2007/Dec/0174.html.

The ftpd issue was assigned CVE-2007-6263 and it is still unfixed. The ftp issue is CVE-2007-5769 and a patch can be found in comment 3.

Rerating B3 as this is only confirmed as DoS. base-system, can you apply the one patch and prepare a similar one for ftpd? Initializing and checking for NULL should do the trick. Thanks.

(In reply to comment #6)
> The ftpd issue was assigned CVE-2007-6263 and it is still unfixed.

Patch is here: http://people.debian.org/~nion/nmu-diff/linux-ftpd-ssl-0.17.18+0.3-9_0.17.18+0.3-9.1.patch

Base-system, please bump.

base-system, are there plans on fixing these two issues? If not, we'll have a look.

*netkit-ftpd-0.17-r7 (10 Jan 2008)

  10 Jan 2008; Robert Buchholz <rbu@gentoo.org>
  +files/netkit-ftpd-0.17-fclose-CVE-2007-6263.patch,
  -netkit-ftpd-0.17-r6.ebuild, +netkit-ftpd-0.17-r7.ebuild:
  Security: Fix a double-fclose vulnerability in the dataconn function
  (CVE-2007-6263, #199206)

*ftp-0.17-r7 (10 Jan 2008)

  10 Jan 2008; Robert Buchholz <rbu@gentoo.org>
  +files/netkit-ftp-0.17-sigseg.patch, +ftp-0.17-r7.ebuild:
  Security: Fix a double-fclose() vulnerability in the getreply function
  (CVE-2007-5769, #199206)

Arches, please test and mark stable net-ftp/netkit-ftpd-0.17-r7.
Target keywords : "alpha amd64 arm ia64 ppc s390 sh sparc x86"

The issue in ftp (not ftpd) is not considered to be a security vulnerability, as it only allows crashing a client program. It is fixed in net-ftp/ftp-0.17-r7, arches are free to stable that version as they prefer.

ppc and ~ppc64

 * Applying netkit-ftpd-0.17-fclose-CVE-2007-6263.patch ...
 * Failed Patch: netkit-ftpd-0.17-fclose-CVE-2007-6263.patch !
 * ( /usr/portage/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-fclose-CVE-2007-6263.patch )

If USE=ssl is NOT set.

Sorry, my fault. I fixed that in-place and dropped ppc. Brent, please keyword again.

x86 stable

Nothing to do here!?

re-ppc'd

amd64 done.

arm/s390/sh done... http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-ftp/netkit-ftpd/netkit-ftpd-0.17-r7.ebuild?r1=1.7&r2=1.8

alpha/ia64/sparc stable

mips doesn't have it keyworded

GLSA vote. I'm in for a YES.

I tend to vote YES.

Since no one voted NO, this is a yes then :-)

GLSA 200801-17
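
The remedy suggested in the thread, initializing the stream pointers and checking for NULL before fclose(), as an added C example (not the netkit, Fedora, Debian or Gentoo patch). `struct conn`, `close_stream`, `conn_open` and `conn_close` are hypothetical names, and the file paths are constructed inputs.

```c
#include <stdio.h>

/* Hypothetical stand-in for a connection's stream pair; not netkit code. */
struct conn { FILE *in, *out; };

/* Close a stream at most once: skip NULL, then clear the pointer so a
 * second call or a later error path cannot fclose() it again. */
static int close_stream(FILE **fp)
{
    int rc = 0;
    if (*fp != NULL) {
        rc = fclose(*fp);
        *fp = NULL;
    }
    return rc;
}

/* Safe on a half-open or already-closed conn (pointers must have been
 * initialized). Returns how many streams were actually closed. */
static int conn_close(struct conn *c)
{
    int closed = (c->in != NULL) + (c->out != NULL);
    close_stream(&c->in);
    close_stream(&c->out);
    return closed;
}

/* Open both streams; the paths are constructed inputs for this example. */
static int conn_open(struct conn *c, const char *in_path, const char *out_path)
{
    c->in = c->out = NULL;      /* initialize before any failure path runs */
    if ((c->in = fopen(in_path, "r")) == NULL)
        return -1;              /* nothing opened, nothing to close */
    if ((c->out = fopen(out_path, "w")) == NULL) {
        conn_close(c);          /* releases only c->in */
        return -1;
    }
    return 0;
}

int main(void)
{
    struct conn c;
    /* Second open fails, so the error path runs; the extra close is a no-op. */
    int rc = conn_open(&c, "/dev/null", "/nonexistent-dir/out");
    printf("open=%d streams_closed_again=%d\n", rc, conn_close(&c));
    return 0;
}
```

Because every close goes through `close_stream`, a caller that runs cleanup after a failed open, or runs it twice, never hands a stale or uninitialized `FILE *` to fclose().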