Bug 717726 (CVE-2019-5429) - <dev-libs/libfilezilla-0.20.2, <net-ftp/filezilla-3.47.2.1: Search path vulnerability (CVE-2019-5429)
Status: RESOLVED FIXED
Alias: CVE-2019-5429
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: 717736
Blocks:
Reported: 2020-04-16 14:27 UTC by GLSAMaker/CVETool Bot
Modified: 2020-07-27 01:37 UTC
CC: 2 users

See Also:
Package list:
dev-libs/libfilezilla-0.20.2 net-ftp/filezilla-3.47.2.1
Runtime testing required: ---
nattka: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-16 14:27:53 UTC
CVE-2019-5429 (https://nvd.nist.gov/vuln/detail/CVE-2019-5429):
  Untrusted search path in FileZilla before 3.41.0-rc1 allows an attacker to
  gain privileges via a malicious 'fzsftp' binary in the user's home
  directory.
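The bug class the CVE text describes, an untrusted search path, is easy to see in a small resolver. The Python below is an added illustration for this bug page; it is not FileZilla or libfilezilla code and makes no claim about how either project actually located fzsftp. Everything in it is assumed: the helper name is taken from the CVE text, the directory layout is a throwaway tree built under a temp directory, and the "vulnerable" resolver is a hypothetical one that consults the user's home directory before the install directory. The hardened resolver only ever looks in the compiled-in install directory, refuses symlinks, and refuses a helper that is group- or world-writable or not owned by a trusted uid (root on a real install; the demo trusts its own uid because it created the files). POSIX only, since it relies on file ownership and mode bits.

```python
"""Untrusted-search-path demo: a client that spawns a helper binary found
in the user's home directory can be hijacked by anyone who can write there.
Added illustration of the bug class named in CVE-2019-5429; not FileZilla
code, and no claim about how FileZilla located fzsftp."""
import os
import stat
import tempfile
from pathlib import Path

HELPER = "fzsftp"  # helper name taken from the CVE text


def find_helper_untrusted(name, home, bindir):
    """Vulnerable pattern (hypothetical): consult the user's home directory
    before the install directory and run the first executable found."""
    for d in (home, bindir):
        cand = Path(d) / name
        if cand.is_file() and os.access(cand, os.X_OK):
            return cand
    return None


def find_helper_trusted(name, bindir, trusted_uids=(0,)):
    """Hardened pattern: only the compiled-in install directory is consulted,
    and the helper must be a regular file (not a symlink), owned by a trusted
    uid (root on a real install) and not writable by group or others."""
    cand = Path(bindir) / name
    try:
        st = cand.lstat()  # lstat so a planted symlink is not followed
    except FileNotFoundError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return None
    if st.st_uid not in trusted_uids:
        return None
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return None
    if not os.access(cand, os.X_OK):
        return None
    return cand


def _write_script(path, body):
    """Drop a tiny executable shell script at path (constructed sample data)."""
    path.write_text("#!/bin/sh\n" + body + "\n")
    path.chmod(0o755)


def demo():
    """Build a throwaway tree (constructed, not a real system): usr/bin/fzsftp
    is the legitimate helper, home/victim/fzsftp is the planted one."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home" / "victim"
        bindir = Path(tmp) / "usr" / "bin"
        home.mkdir(parents=True)
        bindir.mkdir(parents=True)
        real = bindir / HELPER
        planted = home / HELPER
        _write_script(real, "echo real helper")
        _write_script(planted, "echo attacker code would run here")

        results = {}
        # The untrusted resolver picks the planted copy: the hijack succeeds.
        results["untrusted_picks_planted"] = (
            find_helper_untrusted(HELPER, home, bindir) == planted
        )
        # The hardened resolver never looks in the home directory. The demo
        # trusts the current uid because it created the files; a real build
        # would pass the installing uid (root).
        me = (os.getuid(),)
        results["trusted_picks_real"] = (
            find_helper_trusted(HELPER, bindir, me) == real
        )
        # A group-writable helper is refused too: anyone in that group could
        # swap it out, which is the same hijack by another route.
        real.chmod(0o775)
        results["trusted_rejects_writable"] = (
            find_helper_trusted(HELPER, bindir, me) is None
        )
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix direction matters more than the exact checks: a privileged or long-running client must resolve its helpers from a location only the package manager writes to, never from $HOME, the current directory, or a user-controlled PATH, and should spawn them by absolute path rather than by name.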
Comment 1 Bernard Cafarelli gentoo-dev 2020-04-16 16:27:55 UTC
Current stable version is vulnerable, let's stabilize the last version; it has been in tree for more than enough time even for normal stabling.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-26 23:48:08 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-05-11 16:45:28 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Larry the Git Cow gentoo-dev 2020-05-11 16:54:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab30a50a40d3ede8ebab637b8b05c8acdb7737e7

commit ab30a50a40d3ede8ebab637b8b05c8acdb7737e7
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-05-11 16:53:43 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-05-11 16:54:10 +0000

    dev-libs/libfilezilla: cleanup vulnerable versions
    
    Bug: https://bugs.gentoo.org/717726
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 dev-libs/libfilezilla/Manifest                   |  5 ---
 dev-libs/libfilezilla/libfilezilla-0.15.1.ebuild | 31 -------------------
 dev-libs/libfilezilla/libfilezilla-0.18.2.ebuild | 39 ------------------------
 dev-libs/libfilezilla/libfilezilla-0.19.1.ebuild | 39 ------------------------
 dev-libs/libfilezilla/libfilezilla-0.19.3.ebuild | 39 ------------------------
 dev-libs/libfilezilla/libfilezilla-0.20.1.ebuild | 39 ------------------------
 6 files changed, 192 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d4946ecd38993270331289de258cb6d1771700f

commit 5d4946ecd38993270331289de258cb6d1771700f
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-05-11 16:52:37 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-05-11 16:54:09 +0000

    net-ftp/filezilla: cleanup vulnerable versions
    
    Bug: https://bugs.gentoo.org/717726
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-ftp/filezilla/Manifest                |  5 --
 net-ftp/filezilla/filezilla-3.39.0.ebuild | 78 ---------------------------
 net-ftp/filezilla/filezilla-3.44.2.ebuild | 86 ------------------------------
 net-ftp/filezilla/filezilla-3.45.1.ebuild | 86 ------------------------------
 net-ftp/filezilla/filezilla-3.46.3.ebuild | 86 ------------------------------
 net-ftp/filezilla/filezilla-3.47.1.ebuild | 87 -------------------------------
 6 files changed, 428 deletions(-)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-26 05:26:51 UTC
GLSA vote: yes!
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 01:37:59 UTC
This issue was resolved and addressed in
 GLSA 202007-51 at https://security.gentoo.org/glsa/202007-51
by GLSA coordinator Sam James (sam_c).