FileZilla: Buffer overflow — GLSA 201706-09

A vulnerability in a bundled copy of PuTTY in FileZilla might allow remote attackers to execute arbitrary code or cause a denial of service.

Affected Packages

net-ftp/filezilla on all architectures
Affected versions < 3.25.2
Unaffected versions >= 3.25.2

Background

FileZilla is an open source FTP client.

Description

FileZilla is affected by the same vulnerability as reported in “GLSA 201703-03” because the package included a vulnerable copy of PuTTY. Please read the GLSA for PuTTY referenced below for details.

Impact

A remote attacker, utilizing the SSH agent forwarding of an SSH server, could execute arbitrary code with the privileges of the user running FileZilla or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All FileZilla users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-ftp/filezilla-3.25.2"
 

References

Release Date
June 06, 2017

Latest Revision
June 06, 2017: 1

Severity
normal

Exploitable
remote

Bugzilla entries