Bug 249242 (CVE-2008-5275) - www-apps/net2ftp-{0.96,0.97-beta} directory traversal vulnerabilities and code execution (CVE-2008-5275)
Status: RESOLVED FIXED
Alias: CVE-2008-5275
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.net2ftp.com/download/_CHAN...
Whiteboard: ~2 [ebuild]
Reported: 2008-11-29 10:49 UTC by Stefan Behte (RETIRED)
Modified: 2009-01-05 22:11 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-29 10:49:06 UTC
CVE-2008-5275 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5275):
  Multiple directory traversal vulnerabilities in the (a) "Unzip
  archive" and (b) "Upload files and archives" functionality in net2ftp
  0.96 stable and 0.97 beta allow remote attackers to create, read, or
  delete arbitrary files via a .. (dot dot) in a filename within a (1)
  TAR or (2) ZIP archive.  NOTE: this can be leveraged for code
  execution by creating a .php file.
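
The following is an added example, not part of the original bug report and not net2ftp's own code (net2ftp is written in PHP; Python is used here for its standard ZIP and TAR readers). It shows the check whose absence the CVE describes: refusing archive member names that contain a `..` component, or an absolute path, before anything is extracted. All function names and the sample archives are constructed for this illustration.

```python
import io
import tarfile
import zipfile


def is_safe_member(name: str) -> bool:
    """True if an archive member name stays inside the extraction directory."""
    name = name.replace("\\", "/")  # treat backslashes as separators too
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False  # absolute path or drive-letter path
    # Reject any ".." path component; "notes..txt" is a plain file name.
    return ".." not in name.split("/")


def unsafe_members(data: bytes) -> list[str]:
    """List member names in a ZIP or TAR blob that must not be extracted."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf) as tf:
            names = [m.name for m in tf.getmembers()]
    return [n for n in names if not is_safe_member(n)]


def make_zip(names):
    """Build a constructed sample ZIP in memory (no files touched)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample")
    return buf.getvalue()


def make_tar(names):
    """Build a constructed sample TAR in memory (no files touched)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            info = tarfile.TarInfo(n)
            info.size = len(b"constructed sample")
            tf.addfile(info, io.BytesIO(b"constructed sample"))
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_members(make_zip(["ok.txt", "../../outside.php"])))
    print(unsafe_members(make_tar(["ok.txt", "dir/../../outside.php"])))
```

An upload handler would reject the whole archive when `unsafe_members` returns a non-empty list, rather than skipping the flagged entries and extracting the rest.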
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-29 10:52:00 UTC
0.97 says: "This release includes a fix for a serious vulnerability in the Unzip functionality."
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-03 10:48:39 UTC
Ebuild removed. webapps done.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:11:26 UTC
Thanks, as we never had a stable ebuild, I'm closing this.