Bug 610554 - <net-ftp/filezilla-3.25.2: vulnerable to integer overflow in ssh-agent due to bundled net-misc/putty
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://filezilla-project.org/version...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: 571888
Blocks:
Reported: 2017-02-22 12:40 UTC by Thomas Deutschmann
Modified: 2017-06-06 09:00 UTC (History)
2 users (show)

See Also:
Package list:
=dev-libs/libfilezilla-0.9.1 =net-ftp/filezilla-3.25.2
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann gentoo-dev Security 2017-02-22 12:40:10 UTC
net-ftp/filezilla bundles net-misc/putty and is therefore affected by

> integer overflow permits memory overwrite by forwarded ssh-agent connections

Please see bug 610552 for more details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-02-22 12:41:26 UTC
@ Maintainer(s): Can we already start stabilization of =net-ftp/filezilla-3.24.1?
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2017-02-22 13:44:38 UTC
Unfortunately it's not that easy to stabilize any newer filezilla.
Recent versions depend on dev-libs/libfilezilla which is not keyworded for all arches our current stable filezilla has KEYWORDS for.

So we have to:

- finish the re-keywording for dev-libs/libfilezilla and recent net-ftp/filezilla (bug #571888)
- do a stabilization request once the re-keywording is done.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2017-03-24 06:31:59 UTC
Putty CVE CVE-2017-6542 (assigning)
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2017-06-03 06:50:53 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> Unfortunately it's not that easy to stabilize any newer filezilla.
> Recent versions depend on dev-libs/libfilezilla which is not keyworded for
> all arches our current stable filezilla has KEYWORDS for.
> 
> So we have to:
> 
> - finish the re-keywording for dev-libs/libfilezilla and recent
> net-ftp/filezilla (bug #571888)
> - do a stabilization request once the re-keywording is done.

Lars, we cannot be held to ransom by 3 non-active arches and jeopardize the security of the distribution. Can you please call stabilization for all arches that have done this already (all but ia64 / ppc / sparc).
Comment 5 Bernard Cafarelli gentoo-dev 2017-06-03 08:14:53 UTC
As a matter of fact, we talked about stabling a newer filezilla anyways just yesterday.

With gnutls and pugixml dependencies done, that leaves only ppc out.

amd/x86, please test and mark stable newer libfilezilla/filezilla mentioned in package list, thanks!
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-04 10:34:49 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-04 10:43:02 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 Thomas Deutschmann gentoo-dev Security 2017-06-04 11:13:43 UTC
New GLSA request filed.
Comment 9 Bernard Cafarelli gentoo-dev 2017-06-04 11:21:27 UTC
Old versions cleaned (and bug #571888 notified for late arches)
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 08:59:52 UTC
This issue was resolved and addressed in
 GLSA 201706-09 at https://security.gentoo.org/glsa/201706-09
by GLSA coordinator Thomas Deutschmann (whissi).