
Bug 610554

Summary: <net-ftp/filezilla-3.25.2: vulnerable to integer overflow in ssh-agent due to bundled net-misc/putty
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: polynomial-c, voyageur
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://filezilla-project.org/versions.php
See Also: https://bugs.gentoo.org/show_bug.cgi?id=610552
Whiteboard: B2 [glsa cve]
Package list:
=dev-libs/libfilezilla-0.9.1 =net-ftp/filezilla-3.25.2
Runtime testing required: ---
Bug Depends on: 571888    
Bug Blocks:    

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-22 12:40:10 UTC
net-ftp/filezilla bundles net-misc/putty and is therefore affected by

> integer overflow permits memory overwrite by forwarded ssh-agent connections

Please see bug 610552 for more details.
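The summary gives the affected range as a Gentoo version atom (`<net-ftp/filezilla-3.25.2`) and the package list names the fixed versions. The following is an added example, not part of this bug report or of Gentoo's own tooling: it checks a constructed list of installed package versions against that atom. The version ordering is a simplified reimplementation (integer dotted components, at most one `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffix, then the `-rN` revision) and is an assumption, not Portage's full comparison; the installed-package list is constructed for the example.

```python
import re

# Vulnerable range as stated in the bug summary; the package list names the
# fixed versions.  Only filezilla is listed here, as on the bug.
AFFECTED_ATOMS = ["<net-ftp/filezilla-3.25.2"]

# Constructed sample of installed packages (category/package-version), not
# taken from any real system.
INSTALLED = [
    "net-ftp/filezilla-3.24.1",
    "net-ftp/filezilla-3.25.1-r1",
    "net-ftp/filezilla-3.25.2_rc1",
    "net-ftp/filezilla-3.25.2",
    "dev-libs/libfilezilla-0.9.1",
]

# Versioned atom: optional operator, category/package, version, optional -rN revision.
ATOM_RE = re.compile(
    r"^(?P<op>[<>]=?|=)?"
    r"(?P<cp>[A-Za-z0-9_][A-Za-z0-9+_.-]*/[A-Za-z0-9+_-]+?)"
    r"-(?P<ver>\d+(?:\.\d+)*(?:_(?:alpha|beta|pre|rc|p)\d*)?)"
    r"(?:-r(?P<rev>\d+))?$"
)

# Pre-release suffixes sort below a plain release; "_p" (patch level) sorts above it.
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}


def version_key(ver, rev):
    """Sortable key for a version string.

    Simplified Gentoo ordering (assumption: dotted components compared as
    integers, at most one suffix, then the -rN revision).
    """
    main, _, suffix = ver.partition("_")
    nums = tuple(int(x) for x in main.split("."))
    m = re.match(r"([a-z]+)(\d*)", suffix)
    name, num = (m.group(1), m.group(2)) if m else ("", "")
    return (nums, SUFFIX_RANK[name], int(num or 0), int(rev or 0))


def parse_atom(atom):
    """Split an atom into (operator, category/package, version key)."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"not a versioned atom: {atom!r}")
    return m.group("op") or "=", m.group("cp"), version_key(m.group("ver"), m.group("rev"))


OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
}


def matches(installed_cpv, atom):
    """True if the installed package falls inside the atom's version range."""
    _, cp, key = parse_atom(installed_cpv)
    op, atom_cp, atom_key = parse_atom(atom)
    return cp == atom_cp and OPS[op](key, atom_key)


def is_affected(installed_cpv, affected_atoms=AFFECTED_ATOMS):
    """True if any affected atom covers this installed package."""
    return any(matches(installed_cpv, a) for a in affected_atoms)


def audit(installed, affected_atoms=AFFECTED_ATOMS):
    """Return the installed packages that fall in a vulnerable range."""
    return [cpv for cpv in installed if is_affected(cpv, affected_atoms)]


if __name__ == "__main__":
    for cpv in audit(INSTALLED):
        print(f"{cpv}: affected (matches {AFFECTED_ATOMS})")
```

Note that a release candidate such as `3.25.2_rc1` and a revision such as `3.25.1-r1` both sort below `3.25.2` and are reported as affected, while `dev-libs/libfilezilla` is a different package and is not matched by the filezilla atom at all.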
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-22 12:41:26 UTC
@ Maintainer(s): Can we already start stabilization of =net-ftp/filezilla-3.24.1?
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-02-22 13:44:38 UTC
Unfortunately it's not that easy to stabilize any newer filezilla.
Recent versions depend on dev-libs/libfilezilla which is not keyworded for all arches our current stable filezilla has KEYWORDS for.

So we have to:

- finish the re-keywording for dev-libs/libfilezilla and recent net-ftp/filezilla (bug #571888)
- do a stabilization request once the re-keywording is done.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-03-24 06:31:59 UTC
Putty CVE CVE-2017-6542 (assigning)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-06-03 06:50:53 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> Unfortunately it's not that easy to stabilize any newer filezilla.
> Recent versions depend on dev-libs/libfilezilla which is not keyworded for
> all arches our current stable filezilla has KEYWORDS for.
> 
> So we have to:
> 
> - finish the re-keywording for dev-libs/libfilezilla and recent
> net-ftp/filezilla (bug #571888)
> - do a stabilization request once the re-keywording is done.

Lars, we cannot be held to ransom by 3 non-active arches and jeopardize the security of the distribution. Can you please call stabilization for all arches that have done this already (all but ia64 / ppc / sparc).
Comment 5 Bernard Cafarelli gentoo-dev 2017-06-03 08:14:53 UTC
As a matter of fact, we talked about stabling a newer filezilla anyways just yesterday

With gnutls and pugixml dependencies done, that leaves only ppc out.

amd64/x86, please test and mark stable newer libfilezilla/filezilla mentioned in package list, thanks!
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-04 10:34:49 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-04 10:43:02 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 11:13:43 UTC
New GLSA request filed.
Comment 9 Bernard Cafarelli gentoo-dev 2017-06-04 11:21:27 UTC
Old versions cleaned (and bug #571888 notified for late arches)
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 08:59:52 UTC
This issue was resolved and addressed in
GLSA 201706-09 at https://security.gentoo.org/glsa/201706-09
by GLSA coordinator Thomas Deutschmann (whissi).