Summary: | <net-ftp/proftpd-1.3.3c: stack overflow and write access vulnerabilities (CVE-2010-{3867,4221}) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Bernd Lommerzheim <bernd> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | major | CC: | alexanderyt, dennis, gentoo, net-ftp, proxy-maint | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://www.proftpd.org | ||||||
Whiteboard: | B1 [glsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Bernd Lommerzheim
2010-10-30 15:22:07 UTC
Created attachment 252583 [details, diff]
proftpd initd patch (against proftpd.initd)
Thanks a lot for the report! For init script, Bernd, can you upload the diff in unified format (-u option) to bug #314055 ? We'll fix that there @security, I've added 1.3.3c in tree, with the same ebuild as current stable 1.3.3a. We have a stack overflow, and write access outside the writable directory in some cases Target keywords: alpha, amd64, hppa, ppc, ppc64, sparc, x86 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability. Arches, please test and mark stable: =net-ftp/proftpd-1.3.3c Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86" x86 stable amd64 done ppc64 done Stable for HPPA. Stable for PPC. alpha/sparc stable All arches done, all versions except new stable 1.3.3c removed from tree (first vulnerability has been present since proftpd-1.2.0pre10) Thanks, folks. GLSA request filed. This issue was resolved and addressed in GLSA 201309-15 at http://security.gentoo.org/glsa/glsa-201309-15.xml by GLSA coordinator Sean Amoss (ackle). |