Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 357001 (CVE-2011-0762) - <net-ftp/vsftpd-2.3.4: Remote Denial of Service (CVE-2011-0762)
Summary: <net-ftp/vsftpd-2.3.4: Remote Denial of Service (CVE-2011-0762)
Status: RESOLVED FIXED
Alias: CVE-2011-0762
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://securityreason.com/achievement...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-01 17:56 UTC by Wojciech Porczyk
Modified: 2011-10-10 20:41 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Wojciech Porczyk 2011-03-01 17:56:38 UTC
vsftpd 2.3.4 is out, please bump

at the time of writing, current version is 2.3.2-r1, which features excessive CPU consumption bug caused by unlimited (but not infinite) recursion in pattern matching routine; see $URL for more info
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2011-03-01 18:40:49 UTC
On tree. @Security feel free to call arches at any time. Seems like a simple bugfix release
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-03-01 21:52:36 UTC
(In reply to comment #1)
> On tree. @Security feel free to call arches at any time. Seems like a simple
> bugfix release
> 

Great, thank you.

Arches, please test and mark stable:
=net-ftp/vsftpd-2.3.4
Target keywords : "alpha amd64 arm ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Andreas Schürch gentoo-dev 2011-03-02 06:26:25 UTC
Looks good to go here on x86.
Comment 4 Johan Bergström 2011-03-02 06:35:52 UTC
As proxy maintainer I guess I should mention that a version bump (and changing epatch paths) works for me as well (tried amd64,x86).
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-03-02 10:17:08 UTC
amd64 done
Comment 6 Thomas Kahle (RETIRED) gentoo-dev 2011-03-03 10:40:36 UTC
x86 done. Thanks Andreas.
Comment 7 Brent Baude (RETIRED) gentoo-dev 2011-03-05 12:31:35 UTC
ppc done
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-05 13:10:29 UTC
ppc64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-03-05 16:41:55 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-03-05 21:21:12 UTC
Thanks, folks.

GLSA Vote: yes.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:01:47 UTC
CVE-2011-0762 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0762):
  The vsf_filename_passes_filter function in ls.c in vsftpd before 2.3.3
  allows remote authenticated users to cause a denial of service (CPU
  consumption and process slot exhaustion) via crafted glob expressions in
  STAT commands in multiple FTP sessions, a different vulnerability than
  CVE-2010-2632.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:54:30 UTC
Vote: YES. New GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-10 20:41:11 UTC
This issue was resolved and addressed in
 GLSA 201110-07 at http://security.gentoo.org/glsa/glsa-201110-07.xml
by GLSA coordinator Tobias Heinlein (keytoaster).