Bug 239047 (CVE-2008-4247)

Summary: net-ftp/netkit-ftpd Cross-Site Request Forgery Vulnerability (CVE-2008-4247)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://securitytracker.com/alerts/2008/Sep/1020945.html
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
netkit-ftpd-0.17-CVE-2008-4247.patch none

Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-29 13:59:13 UTC
CVE-2008-4247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4247):
  ftpd in OpenBSD 4.3, FreeBSD 7.0, and NetBSD 4.0 interprets long
  commands from an FTP client as multiple commands, which allows remote
  attackers to conduct cross-site request forgery (CSRF) attacks and
  execute arbitrary FTP commands via a long ftp:// URI that leverages
  an existing session from the FTP client implementation in a web
  browser.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-22 20:31:32 UTC
Created attachment 169490
netkit-ftpd-0.17-CVE-2008-4247.patch

CVS commits backported to netkit
Comment 3 SpanKY gentoo-dev 2008-10-26 05:43:36 UTC
added with netkit-ftpd-0.17-r8
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-10-26 09:15:02 UTC
Arches, please test and mark stable:
=net-ftp/netkit-ftpd-0.17-r8
Target keywords : "alpha amd64 arm ia64 ppc s390 sh sparc x86"
Comment 5 Markus Meier gentoo-dev 2008-10-26 18:39:52 UTC
amd64/x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-10-28 10:32:53 UTC
alpha/ia64/sparc stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-30 19:09:41 UTC
ppc stable
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-31 21:33:15 UTC
Ready for vote, I vote YES.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 18:57:32 UTC
I vote NO on this issue; exploit scenarios are unlikely.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-11-26 22:30:30 UTC
voting NO too, and closing.