Advisory from securesoftware@list.cr.yp.to:

Date: 15 Dec 2004 08:21:28 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
Subject: [remote] [control] junkie 0.3.1 gui_popup_view_fly does not check for nasty characters; ftp_retr does not check for directory escapes
To: securesoftware@list.cr.yp.to, thepin@users.sourceforge.net
X-HELOcheck: OK: FQDN
Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Mail-Followup-To: securesoftware@list.cr.yp.to, thepin@users.sourceforge.net
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.

Yosef Klein, a student in my Fall 2004 UNIX Security Holes course, has discovered two remotely exploitable security holes in junkie, an FTP client, version 0.3.1 (current). I'm publishing this notice, but all the discovery credits should be assigned to Klein.

You are at risk if you use junkie to ``View'' or ``Download'' a batch of files from an FTP server. Anyone who provides an FTP response to junkie (not necessarily the legitimate server administrator; an attacker can modify FTP responses passing through the network) then has complete control over your account: he can read and modify your files, watch the programs you're running, etc.

The first bug is triggered by the server sending a file name such as hello;:>x. The gui_popup_view_fly() function in gui_tview_popup.c

  * takes the user's txtviewer, which is "xterm -e vim %f" by default;
  * changes the %f to the file name /tmp/hello;:>x, producing the string "xterm -e vim /tmp/hello;:>x"; and
  * arranges for that string to be run as a command, with the unauthorized result of creating a file named x.

The second bug is triggered by the server sending a file name such as ../.cshrc. The ftp_retr() function in ftp_cmd.c blindly uses the server's file name (ent->file) as a local file name (localfile); users normally expect file-transfer programs to check for escapes from the current directory.

Klein comments that the FTP response can append to existing files ``due to a bug where junkie fails to account for the fact that it may receive a "502 not implemented" response to a "REST" request.''

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
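The two defects in the advisory have the same root cause: a string supplied by the remote server is trusted as a local file name and as part of a command line. The following C snippet is an added illustration of the defensive handling, not code from junkie or from the advisory. It keeps the advisory's "%f" viewer template convention; the function names (safe_local_name, build_viewer_argv, run_viewer) and the 32-argument limit are assumptions of this example. The viewer template is split into an argv[] and handed to execvp() so that ';' and '>' in a name like hello;:>x are inert data rather than shell syntax, and a server name containing a path separator or equal to ".." is refused before it can become a localfile.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Check a server-supplied file name before using it as a local name in the
 * download directory.  Rejects empty names, "." and "..", any path separator
 * (so no ".." component and no absolute path can survive) and control
 * characters.  Returns 1 if the name is safe to use, 0 otherwise. */
int safe_local_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const char *p = name; *p != '\0'; p++) {
        if (*p == '/' || *p == '\\')
            return 0;
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            return 0;
    }
    return 1;
}

/* Release an argv[] built by build_viewer_argv(). */
void free_argv(char **argv)
{
    for (int i = 0; argv[i] != NULL; i++)
        free(argv[i]);
}

/* Split a viewer template such as "xterm -e vim %f" on whitespace into an
 * argv[] and substitute the file path for the "%f" token as ONE argument.
 * The result is for execvp(), never for system() or "/bin/sh -c", so shell
 * metacharacters in the path (';', '>', '|', '$', ...) are never parsed.
 * Returns argc, or -1 if the template is empty, has no %f, or is too long. */
int build_viewer_argv(const char *template, const char *path,
                      char **argv, int max_args)
{
    char *copy = strdup(template);
    int argc = 0, substituted = 0;

    if (copy == NULL)
        return -1;
    argv[0] = NULL;
    for (char *tok = strtok(copy, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        if (argc >= max_args - 1)
            goto fail;
        if (strcmp(tok, "%f") == 0) {
            argv[argc] = strdup(path);   /* the whole path is a single argv element */
            substituted = 1;
        } else {
            argv[argc] = strdup(tok);
        }
        if (argv[argc] == NULL)
            goto fail;
        argv[++argc] = NULL;
    }
    free(copy);
    if (argc == 0 || !substituted) {
        free_argv(argv);
        return -1;
    }
    return argc;

fail:
    argv[argc] = NULL;
    free_argv(argv);
    free(copy);
    return -1;
}

/* Fork and exec the viewer directly (no shell).  Returns the child's exit
 * status, or -1 if the template is unusable or the child did not exit normally. */
int run_viewer(const char *template, const char *path)
{
    char *argv[32];
    int status = -1;

    if (build_viewer_argv(template, path, argv, 32) < 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed in the child */
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        status = WEXITSTATUS(status);
    else
        status = -1;
    free_argv(argv);
    return status;
}

int main(void)
{
    /* Constructed sample names, matching the shapes quoted in the advisory. */
    const char *names[] = { "hello;:>x", "../.cshrc", "..", "report.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s -> %s\n", names[i],
               safe_local_name(names[i]) ? "accepted as local name" : "rejected");

    /* "echo" stands in for the viewer: the metacharacters are printed, not run,
     * so no file named "x" is created. */
    return run_viewer("echo viewing %f", "/tmp/hello;:>x") == 0 ? 0 : 1;
}
```

Note that safe_local_name() accepts hello;:>x: as a plain file name in the download directory it is harmless, and the viewer hazard is removed by never letting a shell see it. A client that also resumes transfers would want the analogous check on the REST reply, opening the local file for append only after a 350 acknowledgement rather than assuming the server honoured the request.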
No maintainer; package committed in 3/2003, which is still the latest version on SourceForge too. seo, you committed the ebuild, pls verify/advise. Might consider removing the ebuild, if upstream seems to be abandoned.
seo is not a dev anymore, so removing him from CC
Last message from upstream : " Version 0.3.2 to be released soon thepin - 2003-05-14 05:34" At this date, 0.3.1 is still the latest version. No metadata, original maintainer is dead, upstream is in coma. This should be masked... without GLSA.
======================================================
Candidate: CAN-2004-1280
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1280
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/junkie.txt

The gui_popup_view_fly function in gui_tview_popup.c for junkie 0.3.1 allows remote malicious FTP servers to execute arbitrary commands via shell metacharacters in a filename.

======================================================
Candidate: CAN-2004-1281
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1281
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/junkie.txt

The ftp_retr function in junkie 0.3.1 allows remote malicious FTP servers to overwrite arbitrary files via .. (dot dot) sequences in a filename.
======================================================
Security-masked, no maskglsa
No maintainer has stepped up. I think we should remove the package.
I vote for removal as well.
Package removed