
Bug 168584

Summary: net-misc/ssh: SFTP restriction evasion (CVE-2006-0705)
Product: Gentoo Security Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Severity: enhancement CC: fauli, humpback
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C2 [masked] Falco
Package list:
Runtime testing required: ---
Bug Depends on: 139969    
Bug Blocks:    
Description Flags
patch-lib::sshfilexfer::sshfilexfers.c none

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-27 15:07:57 UTC

There has been a vulnerability since early 2006 for that package, with upstream dead.

This package is p.masked, waiting for a solution.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-27 15:09:10 UTC
Calling a vote for a maskglsa. I vote yes since it seems, according to HumpBack, that there are actually some users using it.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-05 21:03:08 UTC
Comment 3 Gustavo Felisberto (RETIRED) gentoo-dev 2007-04-15 17:25:37 UTC
It seems *BSD has a possible fix:
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-08 22:52:38 UTC
(In reply to comment #3)
> It seems *BSD has a possible fix:

So will you apply it or will it be masked and removed eventually?
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-08 07:09:37 UTC
FYI it was GLSA 200703-13
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-10-09 22:13:17 UTC
Created attachment 133031

Patch as shipped by FreeBSD
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-10-09 22:15:11 UTC
Humpback, the patch looks really simple. Please review and apply, then we could unmask this again.
Comment 8 Gustavo Felisberto (RETIRED) gentoo-dev 2007-10-10 13:50:34 UTC
Removed older -r1 and added keyworded -r2 that has the patch. You guys are free to unmask it as soon as the GLSA is announced.
Comment 9 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-11-20 04:50:01 UTC
removed from tree -> WONTFIX