Support / Security / Advisories / Mandriva Linux 2007.1 / MDVSA-2008:018

Package name: gftp
Date: 2008-01-21
Advisory ID: MDVSA-2008:018
Affected versions: 2007.1 i586 , 2007.1 x86_64

Problem description

Kalle Olavi Niemitalo found two boundary errors in the fsplib library,
a copy of which is included in gFTP source. A remote attacer could
trigger these vulnerabilities by enticing a user to download a file
with a specially crafted directory or file name, possibly resulting in
the execution of arbitrary code (CVE-2007-3962) or a denial of service
(CVE-2007-3961).

The updated packages have been patched to correct these issues.

Updated packages

2007.1 i586

 1d5b5e54af8934d289c0eddd0e5c6221  2007.1/i586/gftp-2.0.18-9.1mdv2007.1.i586.rpm 
 79d7fd2135d0be8dae40ef9ea5399f99  2007.1/SRPMS/gftp-2.0.18-9.1mdv2007.1.src.rpm

2007.1 x86_64

 57edc8f9a10c18605fc6fadcdc7b8618  2007.1/x86_64/gftp-2.0.18-9.1mdv2007.1.x86_64.rpm 
 79d7fd2135d0be8dae40ef9ea5399f99  2007.1/SRPMS/gftp-2.0.18-9.1mdv2007.1.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3961
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3962