From joey@infodrom.org Thu Feb 17 20:54:07 2005 From: Martin Schulze Resent-From: list@murphy.debian.org (SmartList) To: bugtraq@securityfocus.com Date: Thu, 17 Feb 2005 16:57:56 +0100 (CET) Reply-To: listadmin@securityfocus.com Subject: [SECURITY] [DSA 686-1] New gftp packages fix directory traversal vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 686-1 security@debian.org http://www.debian.org/security/ Martin Schulze February 17th, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : gftp Vulnerability : missing input sanitising Problem-Type : remote Debian-specific: no CVE ID : CAN-2005-0372 Albert Puigsech Galicia discovered a directory traversal vulnerability in a proprietary FTP client (CAN-2004-1376) which is also present in gftp, a GTK+ FTP client. A malicious server could provide a specially crafted filename that could cause arbitrary files to be overwritten or created by the client. For the stable distribution (woody) this problem has been fixed in version 2.0.11-1woody1. For the unstable distribution (sid) this problem has been fixed in version 2.0.18-1. We recommend that you upgrade your gftp package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1.dsc Size/MD5 checksum: 631 980555d208281b3ac35069dd0119f98c http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1.diff.gz Size/MD5 checksum: 2760 15eff6342db5e2f2bee5c262618cf642 http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11.orig.tar.gz Size/MD5 checksum: 896320 3c63b5eed2faffe820bace112be2db8a Alpha architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_alpha.deb Size/MD5 checksum: 27350 39764c5e34ef08fce49bf59f887a0afa http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_alpha.deb Size/MD5 checksum: 234078 359126a5f2d1da940f1b6000c7ab9752 http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_alpha.deb Size/MD5 checksum: 252376 56405294ce7a01e84976c8fc6683f544 http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_alpha.deb Size/MD5 checksum: 86296 8ac8f60d39cf4c3db57dd04df0b11a53 ARM architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_arm.deb Size/MD5 checksum: 27360 9fea83142508e1b6c2790016c3395ca0 http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_arm.deb Size/MD5 checksum: 234120 a4760d5de60e0a4a04be1c8dc75ec264 http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_arm.deb Size/MD5 checksum: 226588 71fb1b6d6603d5967c6714e7ca33f389 http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_arm.deb Size/MD5 checksum: 73906 60c748df56cbef3944079654553497ea Intel IA-32 architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_i386.deb Size/MD5 checksum: 27312 10aec83a3257a3bc22739e6087bc6ef2 http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_i386.deb Size/MD5 checksum: 234056 57459c25bd9f96bd6f26e566468856ba http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_i386.deb Size/MD5 checksum: 219792 98beb285ca804a8fbbed4498a54268ff http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_i386.deb Size/MD5 checksum: 68360 f8fa329a81404c4d5392c285e50a5505 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_ia64.deb Size/MD5 checksum: 27348 6f32e2cb005ffe56e2803b860e0e4d74 http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_ia64.deb Size/MD5 checksum: 234044 a2c3ff641d7b2e880456f1a8868b33fe http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_ia64.deb Size/MD5 checksum: 299582 b7c2e1ea7228f461235666d932361551 http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_ia64.deb Size/MD5 checksum: 110640 26995f700b8389fd9aad5b368f5faf7c HP Precision architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_hppa.deb Size/MD5 checksum: 27358 07b2d426543fd686ad3380e8bcd4805f http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_hppa.deb Size/MD5 checksum: 234094 322189d295ba47c91d2061309fa6a9fa http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_hppa.deb Size/MD5 checksum: 242482 44bb85b863ae217f2575835877041d4a http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_hppa.deb Size/MD5 checksum: 82608 e31d810b73f571088cc837958d7a2796 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_m68k.deb Size/MD5 checksum: 27358 faf8af474984da98e9d6f98f0918a261 http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_m68k.deb Size/MD5 checksum: 234106 a8b2e05b710887903feed817016f5f97 http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_m68k.deb Size/MD5 checksum: 210554 7a532d25cb6840e69f97647b08d619c0 http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_m68k.deb Size/MD5 checksum: 64032 983b93b4e2aac1922e97a193220e18d4 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_mips.deb Size/MD5 checksum: 27362 103f10d9ae47826ee1957d14d556a46f http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_mips.deb Size/MD5 checksum: 234114 0667ca7e24f987e6002955093df95537 http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_mips.deb Size/MD5 checksum: 224722 0bdb6399f56a1cc4819c3ab883a53a68 http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_mips.deb Size/MD5 checksum: 77184 26288b5af19513a0cf09bd82ca7b9336 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_mipsel.deb Size/MD5 checksum: 27372 43c94486400ca12254c554cb4650fe01 http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_mipsel.deb Size/MD5 checksum: 234188 94df73bb1fe62d21a665ee80380db772 http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_mipsel.deb Size/MD5 checksum: 224648 210416ce87866bab58f2b2c390f52ece http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_mipsel.deb Size/MD5 checksum: 77994 e1803d086deb47d61f2f79b62e22913e PowerPC architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_powerpc.deb Size/MD5 checksum: 27356 6426c00ec3364f72f0ec9481e5e89bb5 http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_powerpc.deb Size/MD5 checksum: 234082 35a1396d45c42ee5b34045c23ae34b05 http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_powerpc.deb Size/MD5 checksum: 227890 8fb52949c02dc3c8a8bf39c86814da9b http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_powerpc.deb Size/MD5 checksum: 73356 8eba2f163e75f0716879c0320442c246 IBM S/390 architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_s390.deb Size/MD5 checksum: 27352 6e71f2937c2db84ed950583237308504 http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_s390.deb Size/MD5 checksum: 234104 85637cf1e6794969be0cc35b6478f95b http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_s390.deb Size/MD5 checksum: 219246 1f4647d19f593d958c5653e1a6515c2d http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_s390.deb Size/MD5 checksum: 68090 f0a4483365820c67a7d875b21bc81734 Sun Sparc architecture: http://security.debian.org/pool/updates/main/g/gftp/gftp_2.0.11-1woody1_sparc.deb Size/MD5 checksum: 27356 f734ad981e036daed46044b6bd12f236 http://security.debian.org/pool/updates/main/g/gftp/gftp-common_2.0.11-1woody1_sparc.deb Size/MD5 checksum: 234102 4d9c016c8daefd7b20aefa37a193a6ce http://security.debian.org/pool/updates/main/g/gftp/gftp-gtk_2.0.11-1woody1_sparc.deb Size/MD5 checksum: 226774 e04c114438c2788155e43c6c32eb4683 http://security.debian.org/pool/updates/main/g/gftp/gftp-text_2.0.11-1woody1_sparc.deb Size/MD5 checksum: 74910 88a25c71729495ccbebaf4c98eee102d These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFCFL8EW5ql+IAeqTIRAh86AJsG09wTgBE2liWU749noFHntWaHTACfeFfr bpWjExuQyO+zj3bqzOnvl2E= =Lbsq -----END PGP SIGNATURE-----