CVE-2019-5429 (https://nvd.nist.gov/vuln/detail/CVE-2019-5429): Untrusted search path in FileZilla before 3.41.0-rc1 allows an attacker to gain privileges via a malicious 'fzsftp' binary in the user's home directory.
Current stable version is vulnerable. Let's stabilize the last version; it has been in tree for more than enough time, even for normal stabilization.
x86 stable
amd64 stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab30a50a40d3ede8ebab637b8b05c8acdb7737e7
commit ab30a50a40d3ede8ebab637b8b05c8acdb7737e7
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-05-11 16:53:43 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-05-11 16:54:10 +0000

    dev-libs/libfilezilla: cleanup vulnerable versions

    Bug: https://bugs.gentoo.org/717726
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 dev-libs/libfilezilla/Manifest | 5 ---
 dev-libs/libfilezilla/libfilezilla-0.15.1.ebuild | 31 -------------------
 dev-libs/libfilezilla/libfilezilla-0.18.2.ebuild | 39 ------------------------
 dev-libs/libfilezilla/libfilezilla-0.19.1.ebuild | 39 ------------------------
 dev-libs/libfilezilla/libfilezilla-0.19.3.ebuild | 39 ------------------------
 dev-libs/libfilezilla/libfilezilla-0.20.1.ebuild | 39 ------------------------
 6 files changed, 192 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d4946ecd38993270331289de258cb6d1771700f
commit 5d4946ecd38993270331289de258cb6d1771700f
Author: Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-05-11 16:52:37 +0000
Commit: Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-05-11 16:54:09 +0000

    net-ftp/filezilla: cleanup vulnerable versions

    Bug: https://bugs.gentoo.org/717726
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-ftp/filezilla/Manifest | 5 --
 net-ftp/filezilla/filezilla-3.39.0.ebuild | 78 ---------------------------
 net-ftp/filezilla/filezilla-3.44.2.ebuild | 86 ------------------------------
 net-ftp/filezilla/filezilla-3.45.1.ebuild | 86 ------------------------------
 net-ftp/filezilla/filezilla-3.46.3.ebuild | 86 ------------------------------
 net-ftp/filezilla/filezilla-3.47.1.ebuild | 87 -------------------------------
 6 files changed, 428 deletions(-)
GLSA vote: yes!
This issue was resolved and addressed in GLSA 202007-51 at https://security.gentoo.org/glsa/202007-51 by GLSA coordinator Sam James (sam_c).