Bug 81994 - net-ftp/gftp: Filename Directory Traversal Vulnerability
Summary: net-ftp/gftp: Filename Directory Traversal Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/14147/
Whiteboard: A3 [glsa] vorlon
Reported: 2005-02-14 06:43 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-02-19 08:45 UTC
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-14 06:43:38 UTC
Description:
A vulnerability has been reported in gFTP, which can be exploited by malicious people to conduct directory traversal attacks.

The vulnerability is caused due to a missing input validation when handling filenames returned by FTP servers. This can be exploited via a directory traversal attack to create or overwrite arbitrary files by returning a specially crafted filename.

Solution:
Update to version 2.0.18.
http://www.gftp.org/
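The pattern the advisory describes, shown as an added example in C (gFTP's own language). This is not gFTP's code and does not reproduce the project's actual fix; `remote_path_is_contained`, `local_path_unchecked` and `local_path_checked` are hypothetical helper names, and the listing names in `main` are constructed inputs, not taken from any real server. It generalises from a single filename to a relative path with subdirectory components, since a recursive download joins those onto the local directory the same way.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not from gFTP): decide whether a path taken from a
 * server's directory listing can be written under a local base directory
 * without escaping it.  The check is purely lexical: walk the '/'-separated
 * components, count depth, and reject any ".." that would climb above the
 * base.  Absolute paths, empty names and control characters are rejected.
 */
bool remote_path_is_contained(const char *rel)
{
    if (rel == NULL || rel[0] == '\0' || rel[0] == '/')
        return false;                       /* empty or absolute: reject */

    int depth = 0;
    const char *p = rel;
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "//" or "." component: no change in depth */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return false;               /* would climb above the base */
        } else {
            for (size_t i = 0; i < len; i++)
                if ((unsigned char)p[i] < 0x20)
                    return false;           /* newline etc. inside a name */
            depth++;
        }

        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

/* Vulnerable pattern the advisory describes: the server-supplied name is
 * joined onto the download directory with no validation at all. */
int local_path_unchecked(const char *base, const char *rel, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", base, rel);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened version: validate the listing name before joining it. */
int local_path_checked(const char *base, const char *rel, char *out, size_t outlen)
{
    if (!remote_path_is_contained(rel))
        return -1;
    return local_path_unchecked(base, rel, out, outlen);
}

int main(void)
{
    /* Constructed listing names for illustration only. */
    const char *names[] = {
        "report.txt", "docs/readme", "a/../b",
        "../../.profile", "/etc/passwd", "a/../../b"
    };
    char buf[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = local_path_checked("/home/user/downloads", names[i], buf, sizeof buf);
        printf("%-16s -> %s\n", names[i], rc == 0 ? buf : "REJECTED");
    }
    return 0;
}
```

The lexical check is deliberately independent of the filesystem: it does not follow symlinks or call realpath(), so it can be applied to every name in a listing before anything is created. A client that also wants protection against symlinks already present in the download tree would add an O_NOFOLLOW or post-open fstat() check on top of this.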
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-02-14 07:03:32 UTC
already bumped.

archs, please mark stable.
Comment 2 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-14 07:15:42 UTC
stable on amd64
Comment 3 Luke Macken (RETIRED) gentoo-dev 2005-02-14 07:32:28 UTC
uncalling archs, sorry :(

some outstanding issues with gftp need to be resolved before .18 gets marked stable.
Comment 4 foser (RETIRED) gentoo-dev 2005-02-14 08:09:48 UTC
added 2.0.18-r1 with a buildtime fix. reset all keywords to ~arch for the bump, marked x86 stable.
Comment 5 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-14 08:22:27 UTC
stable on amd64, again. :)
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2005-02-14 08:32:16 UTC
stable on ppc64
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-14 09:36:46 UTC
sparc stable.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-02-15 02:29:48 UTC
This is CAN-2005-0372
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2005-02-19 00:04:23 UTC
Marked ppc stable.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-02-19 02:45:16 UTC
GLSA drafted by vorlon and ready to go
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-19 08:45:12 UTC
GLSA 200502-27

Thanks everyone