1161667 – (CVE-2020-5221) VUL-0: CVE-2020-5221: In uftpd before 2.11, it is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem

Bug 1161667 (CVE-2020-5221) - VUL-0: CVE-2020-5221: In uftpd before 2.11, it is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem

Summary: VUL-0: CVE-2020-5221: In uftpd before 2.11, it is possible for an unauthentic...

Status:	RESOLVED FIXED

Alias:	CVE-2020-5221

Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security (show other bugs)
Version:	Leap 15.1
Hardware:	Other Other

Priority:	P2 - High Severity: Major (vote)
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/251566/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2020-01-23 09:08 UTC by Wolfgang Frisch
Modified:	2020-01-27 09:47 UTC (History)
CC List:	0 users

See Also:	CVE-2020-5204
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Frisch 2020-01-23 09:08:13 UTC

CVE-2020-5221

In uftpd before 2.11, it is possible for an unauthenticated user to perform a
directory traversal attack using multiple different FTP commands and read and
write to arbitrary locations on the filesystem due to the lack of a well-written
chroot jail in compose_abspath(). This has been fixed in version 2.11

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5221
https://github.com/troglobit/uftpd/security/advisories/GHSA-wmx8-v7mx-6x9h
https://github.com/troglobit/uftpd/commit/455b47d3756aed162d2d0ef7f40b549f3b5b30fe
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5221

Comment 1 Martin Hauke 2020-01-23 21:01:05 UTC

Should be fixed already.
See: https://bugzilla.opensuse.org/show_bug.cgi?id=1160199

Comment 2 Wolfgang Frisch 2020-01-27 09:47:25 UTC

Fixed.

(In reply to Martin Hauke from comment #1)
> Leap 15.1 - fixed with SR#763707 (update to new upstream version 2.11)
> https://build.opensuse.org/request/show/763707
> 
> Leap 15.2 - with SR#763576 (update to new upstream version 2.11)
> https://build.opensuse.org/request/show/763576
> 
> Factory ships already version 2.11
> https://build.opensuse.org/package/show/openSUSE:Factory/uftpd