| Summary: | net-ftp/tnftp-20141104: ftp client could be forced to execute arbitrary commands (CVE-2014-8517) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | goetzger, swegener |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1158286 | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description

Agostino Sarubbo, 2014-10-29 08:51:14 UTC

fixed in 20141031

CVE-2014-8517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8517): The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.

D'oh, this one has slipped by.

Please stabilize: net-ftp/tnftp-20141104

Arches, please test and mark stable: =net-ftp/tnftp-20141104
Target Keywords: "amd64 ppc x86"
Thank you!

amd64 stable

x86 stable

ppc stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.

This issue was resolved and addressed in GLSA 201611-05 at https://security.gentoo.org/glsa/201611-05 by GLSA coordinator Aaron Bauman (b-man).

The GLSA 201611-05 is buggy in some way, see: https://bugs.gentoo.org/show_bug.cgi?id=599942
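Added example in C, not tnftp's code or the fix shipped in 20141031: a check a fetch client can apply to a redirect target before using its last path component as the local save name. It assumes the save name is derived that way (the page does not describe fetch.c's logic) and rejects a `|` anywhere in the derived name, not only at the end as in the CVE description.

```c
/* Added example, not tnftp's code. Assumes the client names its local
 * output file after the last path component of the redirect target. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if the Location value may be followed and writes the derived
 * save name into out (outlen bytes); returns 0 when it must be refused.
 * Accepts absolute URLs and root-relative paths; anything else is refused. */
int redirect_save_name(const char *location, char *out, size_t outlen)
{
    if (location == NULL)
        return 0;
    /* Skip "scheme://host" so only the path is inspected. */
    const char *p = strstr(location, "://");
    p = p ? p + 3 : location;
    p = strchr(p, '/');
    if (p == NULL)
        return 0;                        /* no path component at all */
    const char *last = strrchr(p, '/') + 1;
    size_t n = strcspn(last, "?#");      /* drop query string / fragment */
    if (n == 0 || n >= outlen)
        return 0;                        /* empty name or would not fit */
    /* A pipe in the name is the trigger for "write to a command" handling
     * in shell-style output paths; refuse it wherever it appears. */
    if (memchr(last, '|', n) != NULL)
        return 0;
    /* "." and ".." could escape or clobber the download directory. */
    if ((n == 1 && last[0] == '.') || (n == 2 && last[0] == '.' && last[1] == '.'))
        return 0;
    memcpy(out, last, n);
    out[n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample redirect targets, not values from the page. */
    const char *samples[] = { "http://example.test/files/report.txt",
                              "http://example.test/files/report.txt|",
                              "http://example.test/|cmd" };
    char name[64];
    for (size_t i = 0; i < 3; i++) {
        int ok = redirect_save_name(samples[i], name, sizeof name);
        printf("%-40s -> %s\n", samples[i], ok ? name : "REFUSED");
    }
    return 0;
}
```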