Bug 152908

Summary: gftp: Directory traversal vulnerability (CAN-2005-0372)
Product: [Retired] Fedora Legacy
Reporter: David Eisenstein <deisenst>
Component: gftp
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: pekkas
Keywords: Security
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0372
Whiteboard: 1, LEGACY, QA, rh73, rh90
Doc Type: Bug Fix
Last Closed: 2005-07-10 21:28:19 UTC

Description David Lawrence 2005-03-30 23:31:43 UTC
Directory traversal vulnerability in gftp 2.0.18 and earlier for GTK+ allows
remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences
in filenames returned from a LIST command.  (CAN-2005-0372)

From Debian, "Albert Puigsech Galicia discovered a directory traversal
vulnerability in a proprietary FTP client (CAN-2004-1376) which is also present
in gftp, a GTK+ FTP client.  A malicious server could provide a specially
crafted filename that could cause arbitrary files to be overwritten or created
by the client."  According to US-CERT, this vulnerability affects gFTP 0.1, 0.2,
0.21, 1.0, 1.1-1.13, 2.0-2.0.17.

RH 7.3 uses version gftp-2.0.11-2.
RH 9.0 uses version gftp-2.0.14-2.
FC 1   uses version gftp-2.0.17-0.FC1.

Debian offers a fix for gftp-2.0.11, in DSA-686-1 @
    <http://www.debian.org/security/2005/dsa-686>



------- Additional Comments From marcdeslauriers 2005-03-09 15:11:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

Changelog:
* Wed Mar 09 2005 Marc Deslauriers <marcdeslauriers> 2.0.11-2.1.legacy
- Added security patch for CAN-2005-0372


d02a92da6324852aa7eb814a70e70b852169d4d6  7.3/gftp-2.0.11-2.1.legacy.i386.rpm
0a45ce107dae5a1035941a17eeb37dbb36d4acde  7.3/gftp-2.0.11-2.1.legacy.src.rpm
5f26f62c1d9954fa5aa1717db9e9a0a6f60e9c81  9/gftp-2.0.14-2.1.legacy.i386.rpm
a68107e8f49cbac4e82c3b6a1fbc62d745bfacc6  9/gftp-2.0.14-2.1.legacy.src.rpm
150e8af7b2000bc27accbd7336a9127c6114bef0  1/gftp-2.0.17-0.FC1.1.legacy.i386.rpm
2a69616570fd7b6391b28637fa6cc49487e8cfde  1/gftp-2.0.17-0.FC1.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/gftp-2.0.11-2.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/gftp-2.0.11-2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gftp-2.0.14-2.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gftp-2.0.14-2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gftp-2.0.17-0.FC1.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gftp-2.0.17-0.FC1.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCL57JLMAs/0C4zNoRAmn1AKCPYamgPclnXz9rwdECNZMLkcJJCgCdHfT8
wpyQsEulckzncqBCbbXGiyU=
=xM6J
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl 2005-03-30 18:31 -------

This bug previously known as bug 2440 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2440
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
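The flaw described in this report, as an added example that is neither gftp's own code nor the Debian patch: the check an FTP client should apply to filenames taken from a server's LIST reply before it builds a local path from them. A name is accepted only as a single path component (no `/`, not `.` or `..`), so a server-chosen name can never point outside the download directory. The listing lines, the destination directory `/home/user/downloads` and the function names are constructed for illustration, not taken from gftp or from a real server.

```c
/* Added example, not gftp's own code nor the Debian patch: the check an
 * FTP client should apply to filenames taken from a server's LIST reply
 * before using them to build a local path. The listing below is a
 * constructed sample, not output captured from a real server. */
#include <stdio.h>
#include <string.h>

/* A server-supplied name is acceptable only as a single path component:
 * non-empty, containing no '/', and not the "." or ".." entries. */
int remote_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Copies the filename from a UNIX-style LIST line into out, stripping a
 * trailing CR/LF. The name is everything after the eighth whitespace-
 * separated field (mode, links, owner, group, size, month, day, time/year),
 * so names containing spaces survive. Returns 0 on success, -1 if the
 * line is malformed or the name does not fit. */
int list_line_filename(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    for (int field = 0; field < 8; field++) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            return -1;
        while (*p != '\0' && *p != ' ' && *p != '\t')
            p++;
    }
    while (*p == ' ' || *p == '\t')
        p++;
    size_t len = strcspn(p, "\r\n");
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Builds "<dest_dir>/<name>" only when the name passes the check, so the
 * result cannot escape dest_dir. Returns 0 on success, -1 otherwise. */
int build_local_path(const char *dest_dir, const char *name,
                     char *out, size_t outlen)
{
    if (!remote_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dest_dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Constructed LIST reply: two benign entries, three that must be rejected. */
const char *const sample_listing[] = {
    "-rw-r--r--   1 ftp      ftp          1234 Mar 09  2005 report.txt\r\n",
    "-rw-r--r--   1 ftp      ftp            42 Mar 09  2005 ../../.bashrc\r\n",
    "drwxr-xr-x   2 ftp      ftp          4096 Mar 09  2005 ..\r\n",
    "-rw-r--r--   1 ftp      ftp           100 Mar 09  2005 my notes.txt\r\n",
    "-rw-r--r--   1 ftp      ftp           100 Mar 09  2005 etc/passwd\r\n",
};
const size_t sample_listing_count = sizeof sample_listing / sizeof sample_listing[0];

/* Runs every line through extraction and the safety check; returns how
 * many entries a client must refuse to write. Malformed lines count as
 * rejected too, since nothing usable can be derived from them. */
size_t count_rejected(const char *const *lines, size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        char name[256];
        if (list_line_filename(lines[i], name, sizeof name) != 0 ||
            !remote_name_is_safe(name))
            rejected++;
    }
    return rejected;
}

int main(void)
{
    char path[512];
    for (size_t i = 0; i < sample_listing_count; i++) {
        char name[256];
        if (list_line_filename(sample_listing[i], name, sizeof name) != 0) {
            printf("malformed line %zu\n", i);
            continue;
        }
        if (build_local_path("/home/user/downloads", name, path, sizeof path) == 0)
            printf("accept  %s\n", path);
        else
            printf("REJECT  %s\n", name);
    }
    return 0;
}
```

Rejecting rather than "cleaning" a name is the deliberate design choice here: stripping `../` prefixes from hostile input leaves cases such as `....//` that collapse back into a traversal after one pass, whereas refusing anything that is not a plain single component has no such corner cases. The same check belongs wherever a client turns a server-supplied name into a local write, including directory names during recursive transfers.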



Comment 1 Pekka Savola 2005-04-16 16:02:32 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh
 - source integrity good
 - spec file changes minimal
 - the changes are identical to Debian's patch; some version-specific tuning
   was needed, though.

+PUBLISH RHL73,RHL9,FC1

0a45ce107dae5a1035941a17eeb37dbb36d4acde  gftp-2.0.11-2.1.legacy.src.rpm
a68107e8f49cbac4e82c3b6a1fbc62d745bfacc6  gftp-2.0.14-2.1.legacy.src.rpm
2a69616570fd7b6391b28637fa6cc49487e8cfde  gftp-2.0.17-0.FC1.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCYTbHGHbTkzxSL7QRAtw5AJ9VAHiQLeP+xE7yUfhAh5gqWtDp6wCgwG8M
OpsSlBu0VchL+HRqRgj428s=
=LPwO
-----END PGP SIGNATURE-----


Comment 2 Marc Deslauriers 2005-05-06 02:09:09 UTC
Packages were pushed to updates-testing

Comment 3 Pekka Savola 2005-05-11 07:19:35 UTC
Tested on RHL9; signature OK, upgrade went well, gftp seemed to work OK after
the upgrade.

Comment 4 Pekka Savola 2005-05-31 07:18:23 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
RHL73 package verify.  Signature OK, basic file transfer seems to work
with both graphical and text client.
 
+VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFCnA9bGHbTkzxSL7QRAocwAKDARVekWqHE9im/crlMMcJOBy7oNACghbW1
HBJrnYSO/vNKEKxJnRIU86o=
=MoRB
-----END PGP SIGNATURE-----


Comment 5 Pekka Savola 2005-06-16 12:40:15 UTC
2 verifys, timeout is two weeks.

Comment 6 Pekka Savola 2005-07-01 18:39:00 UTC
Timeout over, to be released.

Comment 7 Marc Deslauriers 2005-07-10 21:28:19 UTC
Packages were officially released.