Candidate: CVE-2012-3292
PublicDate: 2012-06-07 20:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3292
 http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081797.html
 http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081791.html
 http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081787.html
 http://jira.globus.org/browse/GT-195
Description:
 The GridFTP in Globus Toolkit (GT) before 5.2.2, when certain autoconf
 macros are defined, does not properly check the return value from the
 getpwnam_r function, which might allow remote attackers to gain privileges
 by logging in with a user that does not exist, which causes GridFTP to run
 as the last user in the password file.
Ubuntu-Description:
Notes:
 sbeattie> it affects releases older than 5.2 if threading was enabled
 sbeattie> note 6.5-1 was when 5.2.0 toolkit was introduced
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/globus-gridftp-server/+bug/1027324
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_globus-gridftp-server:
 vendor: http://www.debian.org/security/2012/dsa-2523
upstream_globus-gridftp-server: released (5.2.0, 6.10-2)
hardy_globus-gridftp-server: DNE
lucid_globus-gridftp-server: released (3.17-2ubuntu0.1)
natty_globus-gridftp-server: released (3.23-1ubuntu0.1)
oneiric_globus-gridftp-server: released (3.33-2ubuntu0.1)
precise_globus-gridftp-server: released (6.5-1ubuntu0.1)
devel_globus-gridftp-server: not-affected (6.10-2)

Patches_globus-gridftp-server-control:
 vendor: http://www.debian.org/security/2012/dsa-2523
upstream_globus-gridftp-server-control: released (2.5-2)
hardy_globus-gridftp-server-control: DNE
lucid_globus-gridftp-server-control: released (0.36-1ubuntu0.1)
natty_globus-gridftp-server-control: released (0.43-1ubuntu0.1)
oneiric_globus-gridftp-server-control: released (0.46-1ubuntu0.1)
precise_globus-gridftp-server-control: released (2.3-1ubuntu0.1)
devel_globus-gridftp-server-control: not-affected (2.5-2)