Debian Bug report logs -
#928282
filezilla: CVE-2019-5429
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Adrien Cunin <adri2000@ubuntu.com>:
Bug#928282; Package src:filezilla.
(Wed, 01 May 2019 07:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Adrien Cunin <adri2000@ubuntu.com>.
(Wed, 01 May 2019 07:33:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: filezilla
Version: 3.39.0-2
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for filezilla.
CVE-2019-5429[0]:
| Untrusted search path in FileZilla before 3.41.0-rc1 allows an
| attacker to gain privileges via a malicious 'fzsftp' binary in the
| user's home directory.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-5429
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5429
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1704602
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Adrien Cunin <adri2000@ubuntu.com>:
Bug#928282; Package src:filezilla.
(Fri, 07 Jun 2019 13:39:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Kentaro Hayashi <hayashi@clear-code.com>:
Extra info received and forwarded to list. Copy sent to Adrien Cunin <adri2000@ubuntu.com>.
(Fri, 07 Jun 2019 13:39:10 GMT) (full text, mbox, link).
Message #10 received at 928282@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
I'm not a user of filezilla, but I've picked it up fixing RC bug as a challenge.
I've attached debdiff to fix CVE-2019-5429 using tracker information as a hint.
I hope it will help to close this bug.
Regards,
[debdiff-filezilla.patch (text/x-diff, attachment)]
Added tag(s) patch.
Request was from Kentaro Hayashi <hayashi@clear-code.com>
to control@bugs.debian.org.
(Sun, 09 Jun 2019 04:12:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Adrien Cunin <adri2000@ubuntu.com>:
Bug#928282; Package src:filezilla.
(Sun, 09 Jun 2019 04:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Kentaro Hayashi <hayashi@clear-code.com>:
Extra info received and forwarded to list. Copy sent to Adrien Cunin <adri2000@ubuntu.com>.
(Sun, 09 Jun 2019 04:27:03 GMT) (full text, mbox, link).
Message #17 received at 928282@bugs.debian.org (full text, mbox, reply):
On Fri, 7 Jun 2019 22:20:45 +0900 Kentaro Hayashi <hayashi@clear-code.com> wrote:
> Hi,
>
> I'm not a user of filezilla, but I've picked it up fixing RC bug as a challenge.
> I've attached debdiff to fix CVE-2019-5429 using tracker information as a hint.
>
> I hope it will help to close this bug.
I've added +patch tag for this bug and Cc: for notification.
Regards,
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:31:23 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon