Bug 646171 (CVE-2009-5012)

Summary: CVE-2009-5012 pyftpdlib: Ability to list the root directory via an FTP session
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-08-22 15:28:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 646178

Description Jan Lieskovsky 2010-10-24 19:09:41 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-5012 to
the following vulnerability:

ftpserver.py in pyftpdlib before 0.5.2 does not require the l
permission for the MLST command, which allows remote authenticated
users to bypass intended access restrictions and list the root
directory via an FTP session.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5012
[2] http://code.google.com/p/pyftpdlib/issues/detail?id=114
[3] http://code.google.com/p/pyftpdlib/source/browse/trunk/HISTORY
[4] http://code.google.com/p/pyftpdlib/source/detail?r=596
[5] http://code.google.com/p/pyftpdlib/source/diff?spec=svn596&r=596&format=side&path=/trunk/pyftpdlib/ftpserver.py

Affected versions:
This issue affects the version of the pyftpdlib package as shipped
with Fedora release 12.

This issue does NOT affect the version of the pyftpdlib package as
shipped with Fedora release 13 (the relevant code part is already
updated).
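The permission gap described above, as an added illustration that is not pyftpdlib's own code: a simplified model of a per-command permission table and authorizer in the style of pyftpdlib (the table contents, the `Authorizer` class and the user `download_only` are constructed for this example), showing the pre-0.5.2 entry for MLST beside the corrected one that requires the `l` permission like the other listing commands.

```python
# Simplified model of per-command permission dispatch in an FTP server
# (added example, not pyftpdlib's own code). Permission letters follow
# pyftpdlib's convention: 'e' = change directory, 'l' = list, 'r' = retrieve.

# Constructed table modelling pyftpdlib before 0.5.2: every listing command
# requires 'l' except MLST, which has no permission requirement at all.
VULNERABLE_CMDS = {
    "CWD":  {"perm": "e"},
    "LIST": {"perm": "l"},
    "NLST": {"perm": "l"},
    "MLSD": {"perm": "l"},
    "MLST": {"perm": None},   # CVE-2009-5012: no 'l' check on MLST
    "RETR": {"perm": "r"},
}

# Same table after the fix: MLST is treated like the other listing commands.
FIXED_CMDS = dict(VULNERABLE_CMDS, MLST={"perm": "l"})


class Authorizer:
    """Minimal stand-in for an authorizer: username -> permission string."""

    def __init__(self):
        self.users = {}

    def add_user(self, username, perm):
        self.users[username] = perm

    def has_perm(self, username, perm):
        return perm in self.users.get(username, "")


def is_allowed(cmd_table, authorizer, username, command):
    """Return True if the authenticated user may run `command` under `cmd_table`."""
    entry = cmd_table.get(command)
    if entry is None:
        return False              # unknown command: reject
    required = entry["perm"]
    if required is None:
        return True               # no permission check at all
    return authorizer.has_perm(username, required)


def audit_mlst(cmd_table):
    """Can a user who lacks the 'l' permission still issue MLST under this table?"""
    auth = Authorizer()
    auth.add_user("download_only", perm="er")   # constructed: may CWD and RETR, not list
    return is_allowed(cmd_table, auth, "download_only", "MLST")
```

Running `audit_mlst` against both tables shows the bypass on the vulnerable table and its absence once MLST requires `l`.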

Comment 1 Jan Lieskovsky 2010-10-24 19:44:10 UTC
Created pyftpdlib tracking bugs for this issue

Affects: fedora-12 [bug 646178]