Bug 168584 - net-misc/ssh: SFTP restriction evasion (CVE-2006-0705)
Summary: net-misc/ssh: SFTP restriction evasion (CVE-2006-0705)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
Whiteboard: C2 [masked] Falco
Depends on: 139969
Reported: 2007-02-27 15:07 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2008-11-20 04:50 UTC

patch-lib::sshfilexfer::sshfilexfers.c (patch-lib::sshfilexfer::sshfilexfers.c,1.13 KB, patch)
2007-10-09 22:13 UTC, Robert Buchholz (RETIRED)

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-27 15:07:57 UTC

There has been a vulnerability since early 2006 for that package, with upstream dead.

This package is p.masked, waiting for a solution.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-27 15:09:10 UTC
Calling a vote for a maskglsa; I vote yes since it seems, according to HumpBack, that there are actually some users using it.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-05 21:03:08 UTC
Comment 3 Gustavo Felisberto (RETIRED) gentoo-dev 2007-04-15 17:25:37 UTC
It seems *BSD has a possible fix:
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-08 22:52:38 UTC
(In reply to comment #3)
> It seems *BSD has a possible fix:

So will you apply it or will it be masked and removed eventually?
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-08 07:09:37 UTC
FYI it was GLSA 200703-13
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-10-09 22:13:17 UTC
Created attachment 133031

Patch as shipped by FreeBSD
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-10-09 22:15:11 UTC
Humpback, the patch looks really simple. Please review and apply, then we could unmask this again.
Comment 8 Gustavo Felisberto (RETIRED) gentoo-dev 2007-10-10 13:50:34 UTC
Removed older -r1 and added keyworded -r2 that has the patch. You guys are free to unmask it as soon as the glsa is announced.
Comment 9 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-11-20 04:50:01 UTC
removed from tree -> WONTFIX