Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 81994 - net-ftp/gftp: Filename Directory Traversal Vulnerability
Summary: net-ftp/gftp: Filename Directory Traversal Vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa] vorlon
Depends on:
Reported: 2005-02-14 06:43 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-02-19 08:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-14 06:43:38 UTC
A vulnerability has been reported in gFTP, which can be exploited by malicious people to conduct directory traversal attacks.

The vulnerability is caused due to a missing input validation when handling filenames returned by FTP servers. This can be exploited via a directory traversal attack to create or overwrite arbitrary files by returning a specially crafted filename.

Update to version 2.0.18.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-02-14 07:03:32 UTC
already bumped.

arch's please mark stable.
Comment 2 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-14 07:15:42 UTC
stable on amd64
Comment 3 Luke Macken (RETIRED) gentoo-dev 2005-02-14 07:32:28 UTC
uncalling archs, sorry :(

some outstanding issues with gftp need to be resolved before .18 gets marked stable.
Comment 4 foser (RETIRED) gentoo-dev 2005-02-14 08:09:48 UTC
added 2.0.18-r1 with a buildtime fix. reset all keywords to ~arch for the bump, marked x86 stable.
Comment 5 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-14 08:22:27 UTC
stable on amd64, again. :)
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2005-02-14 08:32:16 UTC
stable on ppc64
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-14 09:36:46 UTC
sparc stable.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-02-15 02:29:48 UTC
This is CAN-2005-0372
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2005-02-19 00:04:23 UTC
Marked ppc stable.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-02-19 02:45:16 UTC
GLSA drafted by vorlon and ready to go
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-19 08:45:12 UTC
GLSA 200502-27

Thanks everyone