From ${URL} : It was reported that tnftp, an FTP client from NetBSD, could be forced to run arbitrary commands if an output file is not specified. Full details and a patch are available from the following: http://seclists.org/oss-sec/2014/q4/459 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
fixed in 20141031
CVE-2014-8517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8517): The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.
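The defensive rule behind the fix is that a filename derived from a server-controlled redirect must never be treated as a pipe to a command; only a name the user typed may be. The following is an added illustration of that rule, not code from tnftp or NetBSD: the helper names, the assumption that a leading '|' marks a pipe target, and the sample URLs are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: the local output name an FTP/HTTP client derives
 * from the last path component of a URL when the user gave no output file. */
static const char *last_path_component(const char *url)
{
    const char *slash = strrchr(url, '/');
    return slash ? slash + 1 : url;
}

/* Assumption for this example: a name beginning with '|' is a pipe target
 * (the rest of the string is a shell command), as in tnftp's -o handling. */
int is_pipe_name(const char *name)
{
    return name != NULL && name[0] == '|';
}

/* Choose the output target for a fetch that was redirected.
 *   user_outfile : name given explicitly by the user, or NULL
 *   redirect_url : the Location the server sent
 * Returns 0 and fills buf on success; -1 when the server-derived name
 * carries a '|' anywhere (it has no legitimate reason to) or is empty,
 * which is the CVE-2014-8517 situation: no -o given, name from redirect. */
int choose_output_name(const char *user_outfile, const char *redirect_url,
                       char *buf, size_t buflen)
{
    const char *name;

    if (user_outfile != NULL) {
        name = user_outfile;      /* user intent; "|cmd" is allowed here */
    } else {
        name = last_path_component(redirect_url);
        if (name[0] == '\0' || strchr(name, '|') != NULL)
            return -1;            /* never let the server pick a pipe */
    }
    if (strlen(name) >= buflen)
        return -1;
    strcpy(buf, name);
    return 0;
}

int main(void)
{
    char buf[64];
    int rc = choose_output_name(NULL, "http://example.invalid/|evil-command",
                                buf, sizeof buf);
    printf("server-chosen pipe name rejected: %s\n", rc == -1 ? "yes" : "no");
    return 0;
}
```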
D'oh, this one has slipped by. Please stabilize: net-ftp/tnftp-20141104
Arches, please test and mark stable: =net-ftp/tnftp-20141104 Target Keywords : "amd64 ppc x86" Thank you!
amd64 stable
x86 stable
ppc stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201611-05 at https://security.gentoo.org/glsa/201611-05 by GLSA coordinator Aaron Bauman (b-man).
GLSA 201611-05 is buggy in some way; see: https://bugs.gentoo.org/show_bug.cgi?id=599942