
Bug 717726 (CVE-2019-5429)

Summary: <dev-libs/libfilezilla-0.20.2, <net-ftp/filezilla-3.47.2.1: Search path vulnerability (CVE-2019-5429)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: polynomial-c, voyageur
Priority: Normal
Flags: nattka: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa+ cve]
Package list: dev-libs/libfilezilla-0.20.2 net-ftp/filezilla-3.47.2.1
Runtime testing required: ---
Bug Depends on: 717736
Bug Blocks:

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-16 14:27:53 UTC
CVE-2019-5429 (https://nvd.nist.gov/vuln/detail/CVE-2019-5429):
  Untrusted search path in FileZilla before 3.41.0-rc1 allows an attacker to
  gain privileges via a malicious 'fzsftp' binary in the user's home
  directory.
Comment 1 Bernard Cafarelli gentoo-dev 2020-04-16 16:27:55 UTC
Current stable version is vulnerable, let's stabilize the last version; it has been in tree for more than enough time even for normal stabling.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-26 23:48:08 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-05-11 16:45:28 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Larry the Git Cow gentoo-dev 2020-05-11 16:54:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab30a50a40d3ede8ebab637b8b05c8acdb7737e7

commit ab30a50a40d3ede8ebab637b8b05c8acdb7737e7
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-05-11 16:53:43 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-05-11 16:54:10 +0000

    dev-libs/libfilezilla: cleanup vulnerable versions
    
    Bug: https://bugs.gentoo.org/717726
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 dev-libs/libfilezilla/Manifest                   |  5 ---
 dev-libs/libfilezilla/libfilezilla-0.15.1.ebuild | 31 -------------------
 dev-libs/libfilezilla/libfilezilla-0.18.2.ebuild | 39 ------------------------
 dev-libs/libfilezilla/libfilezilla-0.19.1.ebuild | 39 ------------------------
 dev-libs/libfilezilla/libfilezilla-0.19.3.ebuild | 39 ------------------------
 dev-libs/libfilezilla/libfilezilla-0.20.1.ebuild | 39 ------------------------
 6 files changed, 192 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d4946ecd38993270331289de258cb6d1771700f

commit 5d4946ecd38993270331289de258cb6d1771700f
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-05-11 16:52:37 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-05-11 16:54:09 +0000

    net-ftp/filezilla: cleanup vulnerable versions
    
    Bug: https://bugs.gentoo.org/717726
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-ftp/filezilla/Manifest                |  5 --
 net-ftp/filezilla/filezilla-3.39.0.ebuild | 78 ---------------------------
 net-ftp/filezilla/filezilla-3.44.2.ebuild | 86 ------------------------------
 net-ftp/filezilla/filezilla-3.45.1.ebuild | 86 ------------------------------
 net-ftp/filezilla/filezilla-3.46.3.ebuild | 86 ------------------------------
 net-ftp/filezilla/filezilla-3.47.1.ebuild | 87 -------------------------------
 6 files changed, 428 deletions(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:26:51 UTC
GLSA vote: yes!
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 01:37:59 UTC
This issue was resolved and addressed in
 GLSA 202007-51 at https://security.gentoo.org/glsa/202007-51
by GLSA coordinator Sam James (sam_c).