blob: 11005966094e77969ee0e66ef90e1f941c4bb27f [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200502-27">
<title>gFTP: Directory traversal vulnerability</title>
gFTP is vulnerable to directory traversal attacks, possibly leading to the
creation or overwriting of arbitrary files.
<product type="ebuild">gFTP</product>
<announced>February 19, 2005</announced>
<revised>February 19, 2005: 01</revised>
<package name="net-ftp/gftp" auto="yes" arch="*">
<unaffected range="ge">2.0.18-r1</unaffected>
<vulnerable range="lt">2.0.18-r1</vulnerable>
gFTP is a GNOME based, multi-threaded file transfer client.
gFTP lacks input validation of filenames received by remote
<impact type="normal">
An attacker could entice a user to connect to a malicious FTP
server and conduct a directory traversal attack by making use of
specially crafted filenames. This could lead to arbitrary files being
created or overwritten.
There is no known workaround at this time.
All gFTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=net-ftp/gftp-2.0.18-r1&quot;</code>
<uri link="">gFTP Announcement</uri>
<uri link="">CAN-2005-0372</uri>
<metadata tag="requester" timestamp="Wed, 16 Feb 2005 19:28:38 +0000">
<metadata tag="submitter" timestamp="Thu, 17 Feb 2005 20:30:31 +0000">
<metadata tag="bugReady" timestamp="Sat, 19 Feb 2005 10:43:51 +0000">