| Summary: | net-ftp/atftp-0.7.5: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS | | |
| Severity: | minor | CC: | martin.dummer, proxy-maint |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/ | | |
| Whiteboard: | B3 [glsa?] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 814803 | | |
| Bug Blocks: | | | |
Description
John Helmert III
2021-09-14 19:37:28 UTC
Hi, did not know that. There is already a github PR for this: https://github.com/gentoo/gentoo/pull/22287

The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3434fdb7c1eba3721771dece9523b70d9775bbe1

commit 3434fdb7c1eba3721771dece9523b70d9775bbe1
Author:     Martin Dummer <martin.dummer@gmx.net>
AuthorDate: 2021-09-13 23:27:44 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2021-09-14 20:15:04 +0000

    net-ftp/atftp: version bump to 0.7.5

    Version 0.7.5 (Bugfix, Security Fix Release)
    fix many bugs, fix denial-of-service buffer overflow CVE-2021-41054
    new feature: add an option to prevent the Sorcerer's Apprentice Syndrome

    Closes: https://bugs.gentoo.org/813079
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Martin Dummer <martin.dummer@gmx.net>
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 net-ftp/atftp/Manifest                       |  1 +
 net-ftp/atftp/atftp-0.7.5.ebuild             | 66 ++++++++++++++++++++++++++++
 net-ftp/atftp/files/atftp-0.7.5-CFLAGS.patch | 32 ++++++++++++++
 3 files changed, 99 insertions(+)

(In reply to Martin Dummer from comment #1)
> Hi, did not know that.
>
> There is already a github PR for this:
> https://github.com/gentoo/gentoo/pull/22287

No worries and thanks! Please file a stablereq to block this bug when ready.

Stablereq can be a dependency, we want to be notified when the stablereq is finished. Not sure if bugzie notifies us when a see also'd bug is finished.

Please cleanup.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99b10149133d44a4e5c41905c8f88427c10bc6a6

commit 99b10149133d44a4e5c41905c8f88427c10bc6a6
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2021-10-02 09:22:27 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2021-10-02 09:22:38 +0000

    net-ftp/atftp: Remove old (vulnerable) v0.7.4

    Bug: https://bugs.gentoo.org/show_bug.cgi?id=813079
    Package-Manager: Portage-3.0.23, Repoman-3.0.3
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 net-ftp/atftp/Manifest           |  1 -
 net-ftp/atftp/atftp-0.7.4.ebuild | 66 ----------------------------------------
 2 files changed, 67 deletions(-)

CVE-2021-46671 (https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5): options.c in atftp before 0.7.5 reads past the end of an array, and consequently discloses server-side /etc/group data to a remote client.