[gentoo-announce] [ GLSA 201611-05 ] tnftp: Arbitrary code execution - gentoo-announce

From:	Aaron Bauman <bman@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 201611-05 ] tnftp: Arbitrary code execution
Date:	Tue, 15 Nov 2016 07:04:53
Message-Id:	`b0c8eed7-c7fd-e628-bf85-dc1742c1fea2@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 201611-05

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: tnftp: Arbitrary code execution

9

     Date: November 15, 2016

10

     Bugs: #527302

11

       ID: 201611-05

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

tnftp is vulnerable to remote code execution if output file is not

19

specified.

20

21

Background

22

==========

23

24

tnftp is a NetBSD FTP client with several advanced features.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  net-ftp/tnftp               < 20141104               >= 20141104

33

34

Description

35

===========

36

37

The fetch_url function in usr.bin/ftp/fetch.c allows remote attackers

38

to execute arbitrary commands via a | (pipe) character at the end of an

39

HTTP redirect.

40

41

Impact

42

======

43

44

A remote attacker could possibly execute arbitrary code with the

45

privileges of the process.

46

47

Workaround

48

==========

49

50

There is no known workaround at this time.

51

52

Resolution

53

==========

54

55

All tnftp users should upgrade to the latest version:

56

57

<code>

58

# emerge --sync

59

# emerge --ask --verbose --oneshot ">=net-ftp/tnftp-20141104"

60

61

References

62

==========

63

64

[ 1 ] CVE-2014-8517

65

      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8517

66

67

Availability

68

============

69

70

This GLSA and any updates to it are available for viewing at

71

the Gentoo Security Website:

72

73

 https://security.gentoo.org/glsa/201611-05

74

75

Concerns?

76

=========

77

78

Security is a primary focus of Gentoo Linux and ensuring the

79

confidentiality and security of our users' machines is of utmost

80

importance to us. Any security concerns should be addressed to

81

security@g.o or alternatively, you may file a bug at

82

https://bugs.gentoo.org.

83

84

License

85

=======

86

87

Copyright 2016 Gentoo Foundation, Inc; referenced text

88

belongs to its owner(s).

89

90

The contents of this document are licensed under the

91

Creative Commons - Attribution / Share Alike license.

92

93

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 201611-05
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: tnftp: Arbitrary code execution
9	Date: November 15, 2016
10	Bugs: #527302
11	ID: 201611-05
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	tnftp is vulnerable to remote code execution if output file is not
19	specified.
20
21	Background
22	==========
23
24	tnftp is a NetBSD FTP client with several advanced features.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 net-ftp/tnftp < 20141104 >= 20141104
33
34	Description
35	===========
36
37	The fetch_url function in usr.bin/ftp/fetch.c allows remote attackers
38	to execute arbitrary commands via a \| (pipe) character at the end of an
39	HTTP redirect.
40
41	Impact
42	======
43
44	A remote attacker could possibly execute arbitrary code with the
45	privileges of the process.
46
47	Workaround
48	==========
49
50	There is no known workaround at this time.
51
52	Resolution
53	==========
54
55	All tnftp users should upgrade to the latest version:
56
57	<code>
58	# emerge --sync
59	# emerge --ask --verbose --oneshot ">=net-ftp/tnftp-20141104"
60
61	References
62	==========
63
64	[ 1 ] CVE-2014-8517
65	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8517
66
67	Availability
68	============
69
70	This GLSA and any updates to it are available for viewing at
71	the Gentoo Security Website:
72
73	https://security.gentoo.org/glsa/201611-05
74
75	Concerns?
76	=========
77
78	Security is a primary focus of Gentoo Linux and ensuring the
79	confidentiality and security of our users' machines is of utmost
80	importance to us. Any security concerns should be addressed to
81	security@g.o or alternatively, you may file a bug at
82	https://bugs.gentoo.org.
83
84	License
85	=======
86
87	Copyright 2016 Gentoo Foundation, Inc; referenced text
88	belongs to its owner(s).
89
90	The contents of this document are licensed under the
91	Creative Commons - Attribution / Share Alike license.
92
93	http://creativecommons.org/licenses/by-sa/2.5