Bug 527302 (CVE-2014-8517) - <net-ftp/tnftp-20141104: ftp client could be forced to execute arbitrary commands (CVE-2014-8517)
Summary: <net-ftp/tnftp-20141104: ftp client could be forced to execute arbitrary comm...
Status: RESOLVED FIXED
Alias: CVE-2014-8517
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-29 08:51 UTC by Agostino Sarubbo
Modified: 2016-11-16 08:05 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2014-10-29 08:51:14 UTC
From ${URL} :

It was reported that tnftp, an FTP client from NetBSD, could be forced to run arbitrary commands if an output file is not specified. Full details and a patch are available from the following:

http://seclists.org/oss-sec/2014/q4/459
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-11-01 08:45:43 UTC
fixed in 20141031
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 19:20:13 UTC
CVE-2014-8517 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8517):
  The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD
  5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through
  6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe)
  character at the end of an HTTP redirect.
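The CVE text above describes the failure mode: when no output file is given, the client derives the local save name from the URL it ends up fetching, and a name ending in a pipe character is treated as a command to run rather than a file to write. The following C snippet is an added illustration, not tnftp's code and not from this bug or the referenced patch; it shows the defensive check a download client should apply to every derived save name, including one re-derived after following a Location header. The function names (derive_savefile, savefile_is_safe, resolve_savefile, resolve_matches) and the example.invalid URLs are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SAVEFILE_MAX 256

/* Point at the last path component of a URL, with any query string or
 * fragment stripped. *len receives its length (0 when the URL has no
 * usable final component, e.g. it ends in '/'). */
static const char *url_basename(const char *url, size_t *len)
{
    const char *scheme = strstr(url, "://");
    const char *path = scheme ? strchr(scheme + 3, '/') : strchr(url, '/');
    if (path == NULL) {
        *len = 0;
        return url;
    }
    const char *end = path;
    while (*end != '\0' && *end != '?' && *end != '#')
        end++;
    const char *base = end;
    while (base > path && base[-1] != '/')
        base--;
    *len = (size_t)(end - base);
    return base;
}

/* Reject any name that a classic ftp client would interpret specially
 * ("-" for stdout, "|cmd" / "cmd|" for a shell pipe) or that could
 * escape the current directory. Returns 1 when the name is safe to use
 * as a plain file name, 0 otherwise. The pipe check rejects '|' anywhere,
 * not only at the end, because the interpretation differs between
 * clients and versions. */
int savefile_is_safe(const char *name)
{
    if (name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0 || strcmp(name, "-") == 0)
        return 0;
    for (const unsigned char *c = (const unsigned char *)name; *c != '\0'; c++) {
        if (*c == '|' || *c == '/' || *c == '\\')
            return 0;
        if (*c < 0x20 || *c == 0x7f)   /* control characters, including newline */
            return 0;
    }
    return 1;
}

/* Derive the local save name from a URL into out (size outlen).
 * Returns 0 on success, -1 when the name is empty, too long or unsafe. */
int derive_savefile(const char *url, char *out, size_t outlen)
{
    size_t n;
    const char *base = url_basename(url, &n);
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, base, n);
    out[n] = '\0';
    return savefile_is_safe(out) ? 0 : -1;
}

/* The save name must be derived and validated from the URL actually
 * fetched: if the server answered with a redirect, that is the Location
 * target, never the original request URL. */
int resolve_savefile(const char *url, const char *location, char *out, size_t outlen)
{
    return derive_savefile(location != NULL ? location : url, out, outlen);
}

/* Convenience for tests: 1 if resolution succeeds and yields expected. */
int resolve_matches(const char *url, const char *location, const char *expected)
{
    char buf[SAVEFILE_MAX];
    if (resolve_savefile(url, location, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a harmless redirect and one whose final path
     * component ends in '|', the pattern the CVE text describes. */
    const char *orig = "http://example.invalid/pub/file.tar.gz";
    const char *good_redirect = "http://mirror.example.invalid/pub/file.tar.gz?mirror=1";
    const char *bad_redirect = "http://example.invalid/pub/file.tar.gz|";
    char buf[SAVEFILE_MAX];

    if (resolve_savefile(orig, good_redirect, buf, sizeof buf) == 0)
        printf("saving to %s\n", buf);
    if (resolve_savefile(orig, bad_redirect, buf, sizeof buf) != 0)
        printf("refusing unsafe save name from redirect target\n");
    return 0;
}
```

The point of resolve_savefile is that validation happens on the final URL, not once up front: a check applied only to the user-supplied or original name is bypassed as soon as the server is allowed to choose the name through a redirect.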
Comment 3 Sven Wegener gentoo-dev 2015-10-12 20:28:40 UTC
D'oh, this one has slipped by. Please stabilize: net-ftp/tnftp-20141104
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2015-10-12 21:49:36 UTC
Arches, please test and mark stable:

=net-ftp/tnftp-20141104

Target Keywords : "amd64 ppc x86"

Thank you!
Comment 5 Agostino Sarubbo gentoo-dev 2015-10-13 07:23:16 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-10-13 07:24:11 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-11-04 14:27:21 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-21 19:29:07 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-11-15 07:04:02 UTC
This issue was resolved and addressed in
 GLSA 201611-05 at https://security.gentoo.org/glsa/201611-05
by GLSA coordinator Aaron Bauman (b-man).
Comment 10 Heinrich Götzger 2016-11-16 08:03:46 UTC
The GLSA 201611-05 is buggy in some way, see: https://bugs.gentoo.org/show_bug.cgi?id=599942