Bug 81994

Summary: net-ftp/gftp: Filename Directory Traversal Vulnerability
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED)
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://secunia.com/advisories/14147/
Whiteboard: A3 [glsa] vorlon
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-14 06:43:38 UTC
Description:
A vulnerability has been reported in gFTP, which can be exploited by malicious people to conduct directory traversal attacks.

The vulnerability is caused due to a missing input validation when handling filenames returned by FTP servers. This can be exploited via a directory traversal attack to create or overwrite arbitrary files by returning a specially crafted filename.

Solution:
Update to version 2.0.18.
http://www.gftp.org/
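The flaw described above is a client trusting a server-supplied filename when building a local path. The following is an added illustration, not gFTP's own code and not the 2.0.18 fix: it contrasts an unchecked path join with one that first validates the name received from the server. The function names, the download directory and the sample filenames are all constructed for the example.

```c
/* Added example (not from gFTP): validating filenames that an FTP server
 * returns (e.g. in a LIST reply) before using them as local paths. */
#include <stdio.h>
#include <string.h>

/* Return 1 if NAME is a single, plain path component that is safe to use
 * relative to a local download directory, 0 otherwise.  Rejected: empty
 * names, "." and "..", and anything containing a '/' or '\\' separator,
 * since a separator is what lets a server steer the write elsewhere. */
int remote_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return 0;
    return 1;
}

/* The vulnerable pattern: DIR "/" NAME with no validation of NAME.
 * Returns 0 on success, -1 if the result does not fit in OUT. */
int build_local_path_unchecked(char *out, size_t outlen,
                               const char *dir, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The hardened pattern: refuse any name that is not a plain component,
 * then join.  Returns 0 on success, -1 on rejection or truncation. */
int build_local_path(char *out, size_t outlen,
                     const char *dir, const char *name)
{
    if (!remote_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample of names a server might return in a listing. */
    const char *names[] = { "report.pdf", "../../.bashrc", "sub/file", ".." };
    const char *dir = "/home/user/downloads";  /* assumed local directory */
    char path[256];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        build_local_path_unchecked(path, sizeof path, dir, names[i]);
        printf("unchecked: %-16s -> %s\n", names[i], path);
        if (build_local_path(path, sizeof path, dir, names[i]) == 0)
            printf("checked:   %-16s -> %s\n", names[i], path);
        else
            printf("checked:   %-16s -> rejected\n", names[i]);
    }
    return 0;
}
```

The check is deliberately a whitelist of "one plain component" rather than a search for the literal string "..": rejecting separators outright also covers absolute paths and sub-directory names the client did not ask for, and leaves nothing for a canonicaliser to get wrong later.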
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-02-14 07:03:32 UTC
already bumped.

archs, please mark stable.
Comment 2 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-14 07:15:42 UTC
stable on amd64
Comment 3 Luke Macken (RETIRED) gentoo-dev 2005-02-14 07:32:28 UTC
uncalling archs, sorry :(

some outstanding issues with gftp need to be resolved before .18 gets marked stable.
Comment 4 foser (RETIRED) gentoo-dev 2005-02-14 08:09:48 UTC
added 2.0.18-r1 with a buildtime fix. reset all keywords to ~arch for the bump, marked x86 stable.
Comment 5 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-14 08:22:27 UTC
stable on amd64, again. :)
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2005-02-14 08:32:16 UTC
stable on ppc64
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-14 09:36:46 UTC
sparc stable.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-02-15 02:29:48 UTC
This is CAN-2005-0372
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2005-02-19 00:04:23 UTC
Marked ppc stable.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-02-19 02:45:16 UTC
GLSA drafted by vorlon and ready to go
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-19 08:45:12 UTC
GLSA 200502-27

Thanks everyone