Directory traversal vulnerability in gftp 2.0.18 and earlier for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. (CAN-2005-0372)

From Debian, "Albert Puigsech Galicia discovered a directory traversal vulnerability in a proprietary FTP client (CAN-2004-1376) which is also present in gftp, a GTK+ FTP client. A malicious server could provide a specially crafted filename that could cause arbitrary files to be overwritten or created by the client."

According to US-CERT, this vulnerability affects gFTP 0.1, 0.2, 0.21, 1.0, 1.1-1.13, 2.0-2.0.17.

RH 7.3 uses version gftp-2.0.11-2.
RH 9.0 uses version gftp-2.0.14-2.
FC 1 uses version gftp-2.0.17-0.FC1.

Debian offers a fix for gftp-2.0.11, in DSA-686-1 @ <http://www.debian.org/security/2005/dsa-686>

------- Additional Comments From marcdeslauriers 2005-03-09 15:11:57 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

Changelog:
* Wed Mar 09 2005 Marc Deslauriers <marcdeslauriers> 2.0.11-2.1.legacy
- - Added security patch for CAN-2005-0372

d02a92da6324852aa7eb814a70e70b852169d4d6 7.3/gftp-2.0.11-2.1.legacy.i386.rpm
0a45ce107dae5a1035941a17eeb37dbb36d4acde 7.3/gftp-2.0.11-2.1.legacy.src.rpm
5f26f62c1d9954fa5aa1717db9e9a0a6f60e9c81 9/gftp-2.0.14-2.1.legacy.i386.rpm
a68107e8f49cbac4e82c3b6a1fbc62d745bfacc6 9/gftp-2.0.14-2.1.legacy.src.rpm
150e8af7b2000bc27accbd7336a9127c6114bef0 1/gftp-2.0.17-0.FC1.1.legacy.i386.rpm
2a69616570fd7b6391b28637fa6cc49487e8cfde 1/gftp-2.0.17-0.FC1.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/gftp-2.0.11-2.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/gftp-2.0.11-2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gftp-2.0.14-2.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gftp-2.0.14-2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gftp-2.0.17-0.FC1.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gftp-2.0.17-0.FC1.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCL57JLMAs/0C4zNoRAmn1AKCPYamgPclnXz9rwdECNZMLkcJJCgCdHfT8
wpyQsEulckzncqBCbbXGiyU=
=xM6J
-----END PGP SIGNATURE-----

------- Bug moved to this database by dkl 2005-03-30 18:31 -------

This bug previously known as bug 2440 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2440
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.
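The bug class described in the report (a client builds its local destination path from a file name the server returned in a LIST reply, so a name containing .. escapes the download directory) is easier to see with a concrete check. The Python below is an added illustration written for this page; it is not gftp's code and not the Debian or Fedora Legacy patch, and the LIST lines, the destination directory /home/user/downloads and the function names are all constructed for the example. It parses ls -l style LIST lines, shows where a trusting join would write, and then applies the check a hardened client needs: accept only single path components and confirm the resolved path is still inside the destination directory.

```python
"""Added example: validating file names taken from an FTP LIST reply.

Illustrative code written for this page, not gftp's own code and not the
Debian / Fedora Legacy patch for CAN-2005-0372. The listing and paths
below are constructed for the example.
"""
import os

# Constructed sample of what a malicious server could return for LIST.
# The first entry is benign; the other two use dot-dot sequences to try
# to land a file outside the directory the client is downloading into.
SAMPLE_LIST = """\
-rw-r--r--   1 ftp      ftp          1234 Mar 09 15:11 README
-rw-r--r--   1 ftp      ftp            42 Mar 09 15:11 ../.bashrc
-rw-r--r--   1 ftp      ftp            42 Mar 09 15:11 sub/../../.ssh/authorized_keys
"""


def parse_list_names(listing):
    """Return the name field of each ls -l style LIST line.

    The name is everything after the eighth whitespace-separated field,
    so names containing spaces are kept whole. Lines that do not have the
    expected shape are ignored.
    """
    names = []
    for line in listing.splitlines():
        fields = line.split(None, 8)
        if len(fields) == 9:
            names.append(fields[8])
    return names


def naive_local_path(dest_dir, remote_name):
    """What a trusting client does: join the server-supplied name as-is.

    With a dot-dot name this resolves to a path outside dest_dir.
    """
    return os.path.normpath(os.path.join(dest_dir, remote_name))


def safe_local_path(dest_dir, remote_name):
    """Hardened version: the remote name must be exactly one path
    component, and the resolved path must stay inside dest_dir.

    Raises ValueError for anything that fails either check.
    """
    if remote_name in ("", ".", ".."):
        raise ValueError("not a usable file name: %r" % remote_name)
    if "/" in remote_name or "\\" in remote_name or "\0" in remote_name:
        raise ValueError("name is not a single path component: %r" % remote_name)
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, remote_name))
    # Belt and braces: after symlink resolution the parent must still be base.
    if os.path.dirname(target) != base:
        raise ValueError("resolved path escapes destination: %r" % remote_name)
    return target


def filter_listing(dest_dir, listing):
    """Split LIST entries into (accepted_names, rejected) where rejected is
    a list of (name, reason) pairs a client could log before skipping them."""
    accepted, rejected = [], []
    for name in parse_list_names(listing):
        try:
            safe_local_path(dest_dir, name)
        except ValueError as exc:
            rejected.append((name, str(exc)))
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    dest = "/home/user/downloads"  # constructed destination directory
    for name in parse_list_names(SAMPLE_LIST):
        print("%-35s -> naive write target %s" % (name, naive_local_path(dest, name)))
    accepted, rejected = filter_listing(dest, SAMPLE_LIST)
    print("accepted:", accepted)
    for name, reason in rejected:
        print("rejected:", name, "(", reason, ")")
```

Rejecting the name outright, rather than stripping the dot-dot components, is the right choice for a client: a server that sends such names is hostile or broken, and a silently rewritten name would still let it pick which of its files overwrite which of yours within the download directory.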
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh
- source integrity good
- spec file changes minimal
- the changes are identical to debian's patch, some version specific tuning was needed, though.

+PUBLISH RHL73,RHL9,FC1

0a45ce107dae5a1035941a17eeb37dbb36d4acde gftp-2.0.11-2.1.legacy.src.rpm
a68107e8f49cbac4e82c3b6a1fbc62d745bfacc6 gftp-2.0.14-2.1.legacy.src.rpm
2a69616570fd7b6391b28637fa6cc49487e8cfde gftp-2.0.17-0.FC1.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCYTbHGHbTkzxSL7QRAtw5AJ9VAHiQLeP+xE7yUfhAh5gqWtDp6wCgwG8M
OpsSlBu0VchL+HRqRgj428s=
=LPwO
-----END PGP SIGNATURE-----
Packages were pushed to updates-testing
Tested on RHL9; signature OK, upgrade went well, gftp seemed to work OK after the upgrade.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RHL73 package verify. Signature OK, basic file transfer seems to work with both graphical and text client.

+VERIFY RHL73

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCnA9bGHbTkzxSL7QRAocwAKDARVekWqHE9im/crlMMcJOBy7oNACghbW1
HBJrnYSO/vNKEKxJnRIU86o=
=MoRB
-----END PGP SIGNATURE-----
2 verifies, timeout is two weeks.
Timeout over, to be released.
Packages were officially released.