Bug 811159 (CVE-2021-36370) - <app-misc/mc-4.8.27: lacking sftp server validation (CVE-2021-36370)
Summary: <app-misc/mc-4.8.27: lacking sftp server validation (CVE-2021-36370)
Status: RESOLVED FIXED
Alias: CVE-2021-36370
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://midnight-commander.org/ticket...
Whiteboard: B4 [noglsa]
Depends on: 811414
Reported: 2021-08-30 20:50 UTC by John Helmert III
Modified: 2021-10-01 12:55 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-30 20:50:41 UTC
CVE-2021-36370:

An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.
Fixed in 4.8.27 according to https://midnight-commander.org/wiki/NEWS-4.8.27.
Please remember to file security bugs when there are security issues in changelogs!

Please stabilize 4.8.27.
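The check the CVE description says was missing is the one every SSH/SFTP client owes the user before authenticating: compare the server's host key against a trusted known_hosts store, refuse a changed key, and show the fingerprint for an unknown one. The following is an added illustration in Python using only the standard library; it is not code from Midnight Commander or libssh2, and the host names and key blob in the test are constructed values. It handles both plain and hashed (`|1|salt|hmac`) known_hosts host fields, as ssh-keygen -H writes them.

```python
import base64
import hashlib
import hmac
import os

# Verification outcomes a client must act on: MATCH may proceed, MISMATCH must
# abort (possible impersonation), UNKNOWN must display the fingerprint and ask.
MATCH, MISMATCH, UNKNOWN = "match", "mismatch", "unknown"


def fingerprint_sha256(key_blob):
    """OpenSSH-style fingerprint: SHA256 over the wire-format public key, base64 without '=' padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host, salt=b""):
    """Hashed known_hosts host field (|1|salt|HMAC-SHA1(salt, host)), as produced by ssh-keygen -H."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def known_hosts_line(host, key_type, key_blob, hashed=False):
    """Build one known_hosts entry for a key the user has already trusted."""
    field = hash_hostname(host) if hashed else host
    return "%s %s %s" % (field, key_type, base64.b64encode(key_blob).decode())


def _host_matches(field, host):
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    return host in field.split(",")  # plain field may list several names


def verify_host_key(known_hosts, host, key_type, key_blob):
    """Return (state, fingerprint) for the key the server presented during key exchange."""
    presented = base64.b64encode(key_blob).decode()
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        if not _host_matches(parts[0], host) or parts[1] != key_type:
            continue
        seen_host = True  # host is known for this key type; data must match exactly
        if hmac.compare_digest(parts[2], presented):
            return MATCH, fingerprint_sha256(key_blob)
    return (MISMATCH if seen_host else UNKNOWN), fingerprint_sha256(key_blob)
```

A client that skips this step, as mc did before 4.8.27, sends credentials to whichever host answers on the connection, which is why the fingerprint must be both checked and shown.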
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-18 13:24:03 UTC
Please clean up.
Comment 2 Larry the Git Cow gentoo-dev 2021-10-01 09:43:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bf490bf9bec287e3927af2df506fa63a9e245f1

commit 7bf490bf9bec287e3927af2df506fa63a9e245f1
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-10-01 09:42:55 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-10-01 09:42:55 +0000

    app-misc/mc: Security cleanup
    
    Bug: https://bugs.gentoo.org/811159
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 app-misc/mc/Manifest                           |   1 -
 app-misc/mc/files/mc-4.8.26-file-seccomp.patch | 142 -------------------------
 app-misc/mc/files/mc-4.8.26-shadow-crash.patch |  39 -------
 app-misc/mc/mc-4.8.26-r4.ebuild                | 125 ----------------------
 app-misc/mc/mc-4.8.26-r5.ebuild                | 131 -----------------------
 5 files changed, 438 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-01 12:55:52 UTC
Very low impact, no GLSA. Thanks Lars!