Debian Bug report logs - #97184
gftp from DSA-055-1 displays passwords in plain text on the screen


Package: gftp; Maintainer for gftp is Cleto Martín <cleto.martin@gmail.com>; Source for gftp is src:gftp.

Reported by: Stephane Gaudreault <gaudrs@iro.umontreal.ca>

Date: Fri, 11 May 2001 19:09:01 UTC

Severity: critical

Tags: fixed, potato

Found in version 2.0.6a

Done: Josip Rodin <joy@cibalia.gkvk.hr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <jrodin@jagor.srce.hr>:
Bug#97184; Package gftp.

Acknowledgement sent to Josip Rodin <joy@cibalia.gkvk.hr>:
New Bug report received and forwarded. Copy sent to Josip Rodin <jrodin@jagor.srce.hr>.

Message #5 received at submit@bugs.debian.org:

From: Josip Rodin <joy@cibalia.gkvk.hr>
To: submit@bugs.debian.org
Subject: gftp from DSA-055-1 displays passwords in plain text on the screen
Date: Fri, 11 May 2001 21:06:05 +0200
Package: gftp
Severity: critical
Tags: potato
Version: 2.0.6a

Shit.

----- Forwarded message from Stephane Gaudreault <gaudrs@iro.umontreal.ca> -----

Date: Fri, 11 May 2001 08:48:41 -0400 (EDT)
From: Stephane Gaudreault <gaudrs@iro.umontreal.ca>
To: Debian Bug Tracking System <owner@bugs.debian.org>
Subject: Re: ([SECURITY] [DSA-055-1] gftp remote exploit)

Package : gftp
Version : 2.0.6a

There is also a security bug with gftp 2.0.6a
(from gftp_2.0.6a-3.1_i386.deb). When I connect to a server, it writes my
password to the screen. For example:

220 silvercloud FTP server (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.
USER sgaudreault

331 Password required for sgaudreault.
PASS a43K/"&daGfsB1B2

230 User sgaudreault logged in.
TYPE I

200 Type set to I.
PWD

257 "/home/user/sgaudreault" is current directory.
PASV

227 Entering Passive Mode (216,218,2,130,213,138)

Where a43g/"&daasd12 is my password for this server (I had changed it ... ;-)

I think this is fixed in 2.0.8.


Stéphane Gaudreault
Student in the B.Sc. with specialization in computer science,
Université de Montréal

"Infinity is long, especially towards the end"

----- End forwarded message -----

-- 
Digital Electronic Being Intended for Assassination and Nullification



Bug closed, send any further explanations to Josip Rodin <joy@cibalia.gkvk.hr>. Request was from Josip Rodin <joy@cibalia.gkvk.hr> to control@bugs.debian.org.

Bug reopened, originator set to Stephane Gaudreault <gaudrs@iro.umontreal.ca>. Request was from Josip Rodin <joy@cibalia.gkvk.hr> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <jrodin@jagor.srce.hr>:
Bug#97184; Package gftp.

Acknowledgement sent to Josip Rodin <joy@cibalia.gkvk.hr>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <jrodin@jagor.srce.hr>.

Message #14 received at 97184@bugs.debian.org:

From: Josip Rodin <joy@cibalia.gkvk.hr>
To: team@security.debian.org, Colin Phipps <cph@cph.demon.co.uk>
Cc: 97184@bugs.debian.org
Subject: gftp was broken by the security advisory changes
Date: Mon, 16 Jul 2001 00:03:07 +0200
Hi,

Check this out:

     * #97184: gftp from DSA-055-1 displays passwords in plain text on the
       screen
       Package: gftp; Severity: critical; Reported by: Stephane Gaudreault
       <gaudrs@iro.umontreal.ca>; Tags: potato; 65 days old.

The fix for the format string bug has caused another security bug, as the
gftp author explained in the last message to bug #94394. He hinted at the
solution for that, too.

Someone please fix it, I don't think I can. :|

-- 
Digital Electronic Being Intended for Assassination and Nullification
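The two messages above describe a logging regression: the protocol trace that gftp shows on screen printed the real PASS command after the format string fix from DSA-055-1 reworked the logging code. The following is an added example written for this bug log, not gftp's own code, showing the two properties such a trace logger needs: the text it logs is always an argument to a fixed "%s" format (never the format itself, which was the DSA-055-1 bug class), and the argument of PASS is masked before the line is written anywhere. The function names, the "xxxx" mask and the sample session are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: true if cmd is the FTP verb PASS (any case) followed
 * by a space, a line terminator or the end of the string. "PASV" and other
 * verbs that merely begin with the same letters do not match. */
static int is_pass_verb(const char *cmd)
{
    const char verb[] = "PASS";
    for (int i = 0; i < 4; i++)
        if (toupper((unsigned char)cmd[i]) != verb[i])
            return 0;
    char next = cmd[4];
    return next == ' ' || next == '\r' || next == '\n' || next == '\0';
}

/* Hypothetical helper: copy an FTP control-channel line into out, masking the
 * password argument of PASS so it never reaches the log window or a log file.
 * Whatever line terminator the caller used is preserved. Returns out. */
const char *ftp_redact_command(const char *cmd, char *out, size_t outlen)
{
    if (outlen == 0)
        return out;

    if (is_pass_verb(cmd)) {
        const char *eol = cmd + strlen(cmd);
        while (eol > cmd && (eol[-1] == '\r' || eol[-1] == '\n'))
            eol--;
        snprintf(out, outlen, "PASS xxxx%s", eol);
        return out;
    }

    snprintf(out, outlen, "%s", cmd);
    return out;
}

/* Write one line of the protocol trace. The text (client command or server
 * reply) is passed as an argument to a fixed format, never used as the format
 * string, so a server reply containing "%n" or "%s" is printed literally.
 * Returns what fprintf returns. */
int ftp_log_line(FILE *dst, const char *text)
{
    char buf[1024];
    return fprintf(dst, "%s", ftp_redact_command(text, buf, sizeof buf));
}

int main(void)
{
    /* Constructed sample session; the password is a placeholder. */
    const char *session[] = {
        "220 example FTP server ready.\n",
        "USER sgaudreault\n",
        "331 Password required for sgaudreault.\n",
        "PASS hunter2-example\n",
        "230 User sgaudreault logged in.\n",
        "PASV\n",
        "227 Entering Passive Mode (192,0,2,10,213,138)\n",
    };
    for (size_t i = 0; i < sizeof session / sizeof session[0]; i++)
        ftp_log_line(stdout, session[i]);
    return 0;
}
```

Run as written, the trace shows "PASS xxxx" in place of the placeholder password while every other line, including the PASV command and the server's 331 reply, is printed unchanged. Masking is done once, at the point where the line is produced for the log, so no caller can forget it.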



Reply sent to Josip Rodin <joy@cibalia.gkvk.hr>:
You have taken responsibility.

Notification sent to Stephane Gaudreault <gaudrs@iro.umontreal.ca>:
Bug acknowledged by developer.

Message #19 received at 97184-done@bugs.debian.org:

From: Josip Rodin <joy@cibalia.gkvk.hr>
To: 97184-done@bugs.debian.org
Subject: Fixed
Date: Fri, 19 Oct 2001 19:18:26 +0200
Hi,

Martin Schulze released a new security advisory with a fixed package.

Thanks for reporting.

-- 
     2. That which causes joy or happiness.



Tags added: fixed. Request was from Martin Schulze <joey@debian.org> to control@bugs.debian.org.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:35:28 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.