Bug 527302 (CVE-2014-8517)

Summary: <net-ftp/tnftp-20141104: ftp client could be forced to execute arbitrary commands (CVE-2014-8517)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: goetzger, swegener
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-10-29 08:51:14 UTC
From ${URL} :

It was reported that tnftp, an FTP client from NetBSD, could be forced to run arbitrary commands if 
an output file is not specified. Full details and a patch are available from the following:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-11-01 08:45:43 UTC
fixed in 20141031
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 19:20:13 UTC
CVE-2014-8517 (
  The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD
  5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through
  6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe)
  character at the end of an HTTP redirect.
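The CVE text above describes the bug class in one sentence: the client derives its output name from a URL the server chose (via a redirect), and a name ending in a pipe marker selects "run a command" instead of "write a file". The following C is an added illustration, not tnftp's or NetBSD's fetch.c: the URL, the trailing-'|' convention, the enum and the function names are all assumed for the example. It shows the trust boundary a practitioner wants to see checked: a name typed by the local user may legitimately name a pipe, a name derived from a server-supplied redirect never may.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Where a would-be output name came from (assumed for this example):
 * typed by the local user, or derived from a URL the server returned in
 * a redirect and therefore under remote control. */
enum name_origin { NAME_FROM_USER, NAME_FROM_REDIRECT };

/* Derive an output file name from a URL the way a fetcher does when no
 * output file was given: take the last path component.
 * Returns false when the basename is empty or does not fit in out[]. */
bool basename_from_url(const char *url, char *out, size_t outsz)
{
    const char *slash = strrchr(url, '/');
    const char *base = slash ? slash + 1 : url;

    if (*base == '\0' || strlen(base) >= outsz)
        return false;
    strcpy(out, base);
    return true;
}

/* Hypothetical pipe convention for this example: a name whose last
 * character is '|' means "feed the body to a command via popen(3)"
 * rather than "write it to a file via fopen(3)". */
bool name_is_pipe(const char *name)
{
    size_t n = strlen(name);
    return n > 0 && name[n - 1] == '|';
}

/* Vulnerable policy: honour the pipe marker no matter who supplied the
 * name. A redirect to .../x| makes the client hand x to a shell.
 * Returns true when the fetched body would be piped to a command. */
bool unsafe_would_exec(const char *name, enum name_origin origin)
{
    (void)origin;                 /* origin is never consulted: the bug */
    return name_is_pipe(name);
}

/* Hardened policy: only the local user may select a pipe. A name derived
 * from a server-controlled redirect is never a command; if it carries the
 * marker it is rejected rather than silently used as a file name.
 * Returns -1 reject, 0 write to file, 1 pipe to command. */
int safe_output_kind(const char *name, enum name_origin origin)
{
    if (!name_is_pipe(name))
        return 0;
    if (origin == NAME_FROM_USER)
        return 1;
    return -1;                    /* remote tried to choose a command */
}

/* Stand-alone demonstration on a constructed redirect target. */
int main(void)
{
    /* Constructed sample: a Location header value ending in '|'. */
    const char *redirect = "http://example.invalid/pub/x.tar.gz|";
    char name[64];

    if (!basename_from_url(redirect, name, sizeof name))
        return 1;
    printf("derived name: %s\n", name);
    printf("unsafe policy would exec: %s\n",
           unsafe_would_exec(name, NAME_FROM_REDIRECT) ? "yes" : "no");
    printf("safe policy verdict: %d\n",
           safe_output_kind(name, NAME_FROM_REDIRECT));
    return 0;
}
```

The point of `safe_output_kind` is that the decision keys on provenance, not on string contents alone: stripping the marker from a redirect-derived name would also work, but refusing it makes a hostile redirect visible instead of quietly writing to an oddly named file.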
Comment 3 Sven Wegener gentoo-dev 2015-10-12 20:28:40 UTC
D'oh, this one has slipped by. Please stabilize: net-ftp/tnftp-20141104
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2015-10-12 21:49:36 UTC
Arches, please test and mark stable:


Target Keywords : "amd64 ppc x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2015-10-13 07:23:16 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-10-13 07:24:11 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-11-04 14:27:21 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-21 19:29:07 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-11-15 07:04:02 UTC
This issue was resolved and addressed in
 GLSA 201611-05 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 10 Heinrich Götzger 2016-11-16 08:03:46 UTC
The GLSA 201611-05 is buggy in some way, see: