CVE-2020-5204 (https://nvd.nist.gov/vuln/detail/CVE-2020-5204): In uftpd before 2.11, there is a buffer overflow vulnerability in handle_PORT in ftpcmd.c that is caused by a buffer that is 16 bytes large being filled via sprintf() with user input based on the format specifier string %d.%d.%d.%d. The 16 byte size is correct for valid IPv4 addresses (len('255.255.255.255') == 16), but the format specifier %d allows more than 3 digits. This has been fixed in version 2.11
CVE-2020-5221: Description: "In uftpd before 2.11, it is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem due to the lack of a well-written chroot jail in compose_abspath(). This has been fixed in version 2.11"
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68a97d4e5558e2a57608efc01c44f94a2abc25ad commit 68a97d4e5558e2a57608efc01c44f94a2abc25ad Author: Oz N Tiram <oz.tiram@gmail.com> AuthorDate: 2020-04-16 23:24:26 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2020-04-17 07:35:56 +0000 net-ftp/uftpd: drop old version uftpd-2.10 has known CVEs. Upstream supports only the latest version. Package-Manager: Portage-2.3.89, Repoman-2.3.20 Bug: https://bugs.gentoo.org/717718 Signed-off-by: Oz Tiram <oz.tiram@gmail.com> Closes: https://github.com/gentoo/gentoo/pull/15378 Signed-off-by: Joonas Niilola <juippis@gentoo.org> net-ftp/uftpd/Manifest | 1 - net-ftp/uftpd/uftpd-2.10.ebuild | 22 ---------------------- 2 files changed, 23 deletions(-)
Thanks for the quick cleanup!
