CVE-2012-3292
Published: 7 June 2012
The GridFTP in Globus Toolkit (GT) before 5.2.2, when certain autoconf macros are defined, does not properly check the return value from the getpwnam_r function, which might allow remote attackers to gain privileges by logging in with a user that does not exist, which causes GridFTP to run as the last user in the password file.
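As an added illustration of the bug class described above (this is not Globus Toolkit code; `lookup_user` and its status enum are hypothetical names): POSIX `getpwnam_r` returns 0 and sets the result pointer to NULL when no matching entry exists, so a caller must test the result pointer as well as the return code and fail closed on a miss.

```c
/* Added example, not Globus code: checking getpwnam_r() correctly. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

enum lookup_status { LOOKUP_OK = 0, LOOKUP_NOT_FOUND, LOOKUP_ERROR };

/* Hypothetical helper: resolve `name` to uid/gid.
 * *uid and *gid are written only when LOOKUP_OK is returned. */
enum lookup_status lookup_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd pw, *result = NULL;
    size_t len = 1024;
    char *buf = NULL;
    int rc;

    for (;;) {
        char *tmp = realloc(buf, len);
        if (tmp == NULL) { free(buf); return LOOKUP_ERROR; }
        buf = tmp;
        rc = getpwnam_r(name, &pw, buf, len, &result);
        if (rc != ERANGE) break;          /* ERANGE: buffer too small, grow */
        if (len >= (1u << 20)) { free(buf); return LOOKUP_ERROR; }
        len *= 2;
    }
    /* rc == 0 alone is NOT success: "no such user" is rc == 0 with
     * result == NULL. Only a non-NULL result carries a valid entry. */
    if (result == NULL) {
        free(buf);
        return rc == 0 ? LOOKUP_NOT_FOUND : LOOKUP_ERROR;
    }
    *uid = result->pw_uid;
    *gid = result->pw_gid;
    free(buf);
    return LOOKUP_OK;
}

int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    const char *name = argc > 1 ? argv[1] : "root";
    enum lookup_status st = lookup_user(name, &uid, &gid);
    if (st != LOOKUP_OK) {
        fprintf(stderr, "refusing login for %s (status %d)\n", name, st);
        return 1;   /* fail closed: never continue with stale pw data */
    }
    printf("%s -> uid=%lu gid=%lu\n", name, (unsigned long)uid, (unsigned long)gid);
    return 0;
}
```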
Notes
Author | Note |
---|---|
sbeattie | it affects releases older than 5.2 if threading was enabled; note 6.5-1 was when 5.2.0 toolkit was introduced |
Priority
Status
Package | Release | Status |
---|---|---|
globus-gridftp-server (Launchpad, Ubuntu, Debian) | upstream | Released (5.2.0, 6.10-2) |
globus-gridftp-server | hardy | Does not exist |
globus-gridftp-server | lucid | Released (3.17-2ubuntu0.1) |
globus-gridftp-server | natty | Released (3.23-1ubuntu0.1) |
globus-gridftp-server | oneiric | Released (3.33-2ubuntu0.1) |
globus-gridftp-server | precise | Released (6.5-1ubuntu0.1) |
globus-gridftp-server | quantal | Not vulnerable (6.10-2) |
globus-gridftp-server | Patches | vendor: http://www.debian.org/security/2012/dsa-2523 |
globus-gridftp-server-control (Launchpad, Ubuntu, Debian) | upstream | Released (2.5-2) |
globus-gridftp-server-control | hardy | Does not exist |
globus-gridftp-server-control | lucid | Released (0.36-1ubuntu0.1) |
globus-gridftp-server-control | natty | Released (0.43-1ubuntu0.1) |
globus-gridftp-server-control | oneiric | Released (0.46-1ubuntu0.1) |
globus-gridftp-server-control | precise | Released (2.3-1ubuntu0.1) |
globus-gridftp-server-control | quantal | Not vulnerable (2.5-2) |
globus-gridftp-server-control | Patches | vendor: http://www.debian.org/security/2012/dsa-2523 |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3292
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081797.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081791.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081787.html
- http://jira.globus.org/browse/GT-195
- NVD
- Launchpad
- Debian