Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 188252 - net-ftp/gftp < 2.0.18-r6 uses vulnerable fsplib code (CVE-2007-3961, CVE-2007-3962)
Summary: net-ftp/gftp < 2.0.18-r6 uses vulnerable fsplib code (CVE-2007-3961, CVE-2007...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on:
Reported: 2007-08-09 18:08 UTC by Matt Fleming (RETIRED)
Modified: 2007-11-01 23:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matt Fleming (RETIRED) gentoo-dev 2007-08-09 18:08:13 UTC
Some vulnerabilities have been reported in gFTP, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to the use of vulnerable fsplib code, which may allow the execution of arbitrary code.
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-09 18:10:38 UTC
CC'ing maintainer and setting whiteboard status.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-08 22:06:35 UTC
There is no patched version out, I looked on other distribution's bug databases and found...nothing.
Comment 3 Matt Fleming (RETIRED) gentoo-dev 2007-09-09 13:04:12 UTC
These are the security fixes between fsplib 0.8 and 0.9

and a fix for that was in fsplib-0.8 which isn't in the gftp-2.0.18 (it is in CVS).

Here's the changelog for 0.9 and 0.8 of fsplib,

	Solaris compile fix by Brian Masney
	fix possible security hole if MAXNAMLEN>256 reported by
	  Kalle Olavi Niemitalo
	add terminating \0 if directory entry is MAXNAMELEN long
	check if server sends ASCIIZ terminated filenames
	  reported by Kalle Olavi Niemitalo
	fixed possible buffer overflow on systems not defining dirent.d_name
	  long enough. Reported by Kalle Olavi Niemitalo
	Security bugfix release
	off by one error, found by David Binderman
Comment 4 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-09-21 20:09:31 UTC
I've bumped to gftp-2.0.18-r6 with all of those fixes in.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2007-09-21 20:51:27 UTC
Arches, please stabilize net-ftp/gftp-2.0.18-r6, targets are: "alpha amd64 ppc ppc64 sparc x86".
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-21 23:21:02 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-09-22 11:02:31 UTC
alpha stable
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-09-22 15:24:14 UTC
ppc64 stable
Comment 9 Wulf Krueger (RETIRED) gentoo-dev 2007-09-22 17:32:32 UTC
Marked stable on amd64.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-09-25 14:55:32 UTC
sparc stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-09-25 17:01:50 UTC
ppc stable, ready for glsa
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-26 07:30:46 UTC
glsa request filed.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-01 23:13:54 UTC
GLSA 200711-01, sorry for the delay.