CVE-2012-3292

Bug #1027324 reported by Mattias Ellert
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
globus-gridftp-server (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Unassigned
Natty
Undecided
Unassigned
Oneiric
Undecided
Unassigned
Precise
Undecided
Unassigned

Bug Description

The CVE has been fixed in the latest debian version (6.10-2) that is imported to quantal.

The fix needs to be backported to the other supported releases: lucid, natty, oneiric and precise.

Revision history for this message
Mattias Ellert (mattias-ellert-fysast) wrote :
Revision history for this message
Mattias Ellert (mattias-ellert-fysast) wrote :
Revision history for this message
Mattias Ellert (mattias-ellert-fysast) wrote :
Revision history for this message
Mattias Ellert (mattias-ellert-fysast) wrote :
description: updated
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks, Mattias! Please see the instructions for contributors that need security sponsoring here:

https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors

I'll subscribe the ubuntu-security-sponsors team and get you in the queue.

Changed in globus-gridftp-server (Ubuntu):
status: New → Confirmed
visibility: private → public
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Mattias - Can you comment on the amount of testing that you've done? Thanks!

Revision history for this message
Tyler Hicks (tyhicks) wrote :

I've verified the patches against upstream changes and added patch tags. The debdiffs look good to me.

The packages are built in the security ppa and waiting to be copied over to the archive. I'm just waiting to hear about testing of the precise changes since it includes the more invasive compat patch.

Revision history for this message
Mattias Ellert (mattias-ellert-fysast) wrote :

The backward incompatibility consists in that plugins to the gridftp server compiled against an earlier version don't work with the 6.5-1 version in precise. The backward incompatibility was introduced with the release of version 6.5-1 and has since been fixed. First by applying a patch (debian release 6.5-6), and later in upstream which allowed the patch to be dropped (6.10-1). So the gridftp server version in ubuntus after precise can use plugins compiled against gridftp server versions before precise. It is just the version in precise that is not compatible with neither earlier nor later versions. So fixing the backward incompatibility in pricise also means fixing forward compatibility.

The fix for the backward incompatibliity was tested by developpers of gridftp server plugins and these developers were also very active in both providoing input to how it should be fixed and in providing confirmation that the applied fix was working. Admittedly this work was mostly done on Scientific Linux 5 (using the EPEL version of the gridftp server) and not with the Debian version, because SL is these developers' main development platform, and alse the most common deployment plotform for these plugins. The EPEL and Debian version of the globus packages are however very simimilar.

The process of this testing is documented in https://ggus.eu/tech/ticket_show.php?ticket=79541

There is not yet any package in Debian/Ubuntu that installs any plugins to the gridftp server.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

ACK. Thanks for your work on this Mattias!

Changed in globus-gridftp-server (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package globus-gridftp-server - 6.5-1ubuntu0.1

---------------
globus-gridftp-server (6.5-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: Wrong user mapping on badly configured server
    (LP: #1027324)
    - debian/patches/globus-gridftp-server-pw195.patch: backported from
      upstream
    - CVE-2012-3292
    - debian/patches/globus-gridftp-server-compat.patch: backported
      backward compatibility fix from upstream
 -- Mattias Ellert <email address hidden> Thu, 19 Jul 2012 17:11:55 +0200

Changed in globus-gridftp-server (Ubuntu Precise):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package globus-gridftp-server - 3.17-2ubuntu0.1

---------------
globus-gridftp-server (3.17-2ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Wrong user mapping on badly configured server
    (LP: #1027324)
    - debian/patches/globus-gridftp-server-pw195.patch: backported from
      upstream
    - CVE-2012-3292
 -- Mattias Ellert <email address hidden> Thu, 19 Jul 2012 16:28:47 +0200

Changed in globus-gridftp-server (Ubuntu Lucid):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package globus-gridftp-server - 3.23-1ubuntu0.1

---------------
globus-gridftp-server (3.23-1ubuntu0.1) natty-security; urgency=low

  * SECURITY UPDATE: Wrong user mapping on badly configured server
    (LP: #1027324)
    - debian/patches/globus-gridftp-server-pw195.patch: backported from
      upstream
    - CVE-2012-3292
 -- Mattias Ellert <email address hidden> Thu, 19 Jul 2012 07:07:16 +0200

Changed in globus-gridftp-server (Ubuntu Natty):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package globus-gridftp-server - 3.33-2ubuntu0.1

---------------
globus-gridftp-server (3.33-2ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Wrong user mapping on badly configured server
    (LP: #1027324)
    - debian/patches/globus-gridftp-server-pw195.patch: backported from
      upstream
    - CVE-2012-3292
 -- Mattias Ellert <email address hidden> Thu, 19 Jul 2012 16:48:38 +0200

Changed in globus-gridftp-server (Ubuntu Oneiric):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers