GLSA Bodhisattva
Joined: 17 Apr 2002 Posts: 2602 Location: Baltimore, MD
Posted: Fri Feb 18, 2005 4:09 pm Post subject: [ GLSA 200502-26 ] GProFTPD: gprostats format string vulnera |
Gentoo Linux Security Advisory
Title: GProFTPD: gprostats format string vulnerability (GLSA 200502-26)
Severity: normal
Exploitable: remote
Date: February 18, 2005
Updated: May 22, 2006
Bug(s): #81894
ID: 200502-26
Synopsis
gprostats, distributed with GProFTPD, is vulnerable to a format string vulnerability, potentially leading to the execution of arbitrary code.
Background
GProFTPD is a GTK+ administration tool for the ProFTPD server. GProFTPD is distributed with gprostats, a utility to parse ProFTPD transfer logs.
Affected Packages
Package: net-ftp/gproftpd
Vulnerable: < 8.1.9
Unaffected: >= 8.1.9
Architectures: All supported architectures
Description
Tavis Ormandy of the Gentoo Linux Security Audit Team has identified a format string vulnerability in the gprostats utility.
Impact
An attacker could exploit the vulnerability by performing a specially crafted FTP transfer; the resulting ProFTPD transfer log could potentially trigger the execution of arbitrary code when parsed by GProFTPD.
Workaround
There is no known workaround at this time.
Resolution
All GProFTPD users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/gproftpd-8.1.9"
References
CVE-2005-0484
Last edited by GLSA on Mon May 22, 2006 4:18 am; edited 2 times in total |
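The bug class named in the Description and Impact sections, shown as an added example that is not part of the original advisory and is not gprostats source code: a log-review helper that flags transfer-log lines carrying printf conversion directives, next to the hardened pattern of passing a log line as data under a constant format. The function names and the sample log lines (xferlog layout, documentation addresses) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in untrusted text. */
static int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; (p = strchr(p, '%')) != NULL; ) {
        p++;
        if (*p == '%') { p++; continue; }      /* "%%" is a literal percent */
        p += strspn(p, "0123456789$-+ #'*.");  /* flags, width, precision */
        p += strspn(p, "hlLqjzt");             /* length modifiers */
        if (*p != '\0' && strchr("diouxXeEfFgGaAcspn", *p)) { n++; p++; }
    }
    return n;
}

/* Hardened pattern: the format is a constant and the log line is only data.
 * The defect class is the same call with the line in the format position. */
static int format_line_safe(char *out, size_t n, const char *line)
{
    return snprintf(out, n, "%s", line);
}

/* Constructed sample transfer-log lines (hypothetical hosts and users). */
static const char *const SAMPLE_LOG[] = {
    "Thu Feb 17 12:00:01 2005 1 192.0.2.10 1024 /home/ftp/notes.txt b _ o r bob ftp 0 * c",
    "Thu Feb 17 12:01:09 2005 1 192.0.2.7 2048 /incoming/a%08x%x.dat b _ i r alice ftp 0 * c",
    "Thu Feb 17 12:02:30 2005 2 192.0.2.10 4096 /pub/sales_50%_off.pdf b _ o r bob ftp 0 * c",
};

/* Return how many lines contain at least one conversion directive. */
static int count_suspicious(const char *const lines[], size_t count)
{
    int hits = 0;
    for (size_t i = 0; i < count; i++)
        if (count_directives(lines[i]) > 0)
            hits++;
    return hits;
}

int main(void)
{
    char buf[256];
    format_line_safe(buf, sizeof buf, SAMPLE_LOG[1]);
    printf("suspicious lines: %d\n", count_suspicious(SAMPLE_LOG, 3));
    printf("rendered verbatim: %s\n", buf);
    return 0;
}
```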