CVE-2012-3292

Bug #1027324 reported by Mattias Ellert
Affects                          Status        Importance  Assigned to  Milestone
globus-gridftp-server (Ubuntu)   Fix Released  Undecided   Unassigned
  Lucid                          Fix Released  Undecided   Unassigned
  Natty                          Fix Released  Undecided   Unassigned
  Oneiric                        Fix Released  Undecided   Unassigned
  Precise                        Fix Released  Undecided   Unassigned

Bug Description

The CVE has been fixed in the latest Debian version (6.10-2) that is imported to quantal.

The fix needs to be backported to the other supported releases: lucid, natty, oneiric and precise.

Mattias Ellert (mattias-ellert-fysast) wrote :
Mattias Ellert (mattias-ellert-fysast) wrote :
Mattias Ellert (mattias-ellert-fysast) wrote :
Mattias Ellert (mattias-ellert-fysast) wrote :
description: updated
Tyler Hicks (tyhicks) wrote :

Thanks, Mattias! Please see the instructions for contributors that need security sponsoring here:

https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors

I'll subscribe the ubuntu-security-sponsors team and get you in the queue.

Changed in globus-gridftp-server (Ubuntu):
status: New → Confirmed
visibility: private → public
Tyler Hicks (tyhicks) wrote :

Hi Mattias - Can you comment on the amount of testing that you've done? Thanks!

Tyler Hicks (tyhicks) wrote :

I've verified the patches against upstream changes and added patch tags. The debdiffs look good to me.

The packages are built in the security ppa and waiting to be copied over to the archive. I'm just waiting to hear about testing of the precise changes since it includes the more invasive compat patch.

Mattias Ellert (mattias-ellert-fysast) wrote :

The backward incompatibility consists in the fact that plugins to the gridftp server compiled against an earlier version don't work with the 6.5-1 version in precise. The backward incompatibility was introduced with the release of version 6.5-1 and has since been fixed: first by applying a patch (Debian release 6.5-6), and later in upstream, which allowed the patch to be dropped (6.10-1). So the gridftp server version in Ubuntus after precise can use plugins compiled against gridftp server versions before precise. It is just the version in precise that is compatible with neither earlier nor later versions. So fixing the backward incompatibility in precise also means fixing forward compatibility.

The fix for the backward incompatibility was tested by developers of gridftp server plugins, and these developers were also very active both in providing input on how it should be fixed and in providing confirmation that the applied fix was working. Admittedly this work was mostly done on Scientific Linux 5 (using the EPEL version of the gridftp server) and not with the Debian version, because SL is these developers' main development platform, and also the most common deployment platform for these plugins. The EPEL and Debian versions of the globus packages are however very similar.

The process of this testing is documented in https://ggus.eu/tech/ticket_show.php?ticket=79541

There is not yet any package in Debian/Ubuntu that installs any plugins to the gridftp server.

Jamie Strandboge (jdstrand) wrote :

ACK. Thanks for your work on this Mattias!

Changed in globus-gridftp-server (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package globus-gridftp-server - 6.5-1ubuntu0.1

---------------
globus-gridftp-server (6.5-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: Wrong user mapping on badly configured server
    (LP: #1027324)
    - debian/patches/globus-gridftp-server-pw195.patch: backported from
      upstream
    - CVE-2012-3292
    - debian/patches/globus-gridftp-server-compat.patch: backported
      backward compatibility fix from upstream
 -- Mattias Ellert <email address hidden> Thu, 19 Jul 2012 17:11:55 +0200

Changed in globus-gridftp-server (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package globus-gridftp-server - 3.17-2ubuntu0.1

---------------
globus-gridftp-server (3.17-2ubuntu0.1) lucid-security; urgency=low

  * SECURITY UPDATE: Wrong user mapping on badly configured server
    (LP: #1027324)
    - debian/patches/globus-gridftp-server-pw195.patch: backported from
      upstream
    - CVE-2012-3292
 -- Mattias Ellert <email address hidden> Thu, 19 Jul 2012 16:28:47 +0200

Changed in globus-gridftp-server (Ubuntu Lucid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package globus-gridftp-server - 3.23-1ubuntu0.1

---------------
globus-gridftp-server (3.23-1ubuntu0.1) natty-security; urgency=low

  * SECURITY UPDATE: Wrong user mapping on badly configured server
    (LP: #1027324)
    - debian/patches/globus-gridftp-server-pw195.patch: backported from
      upstream
    - CVE-2012-3292
 -- Mattias Ellert <email address hidden> Thu, 19 Jul 2012 07:07:16 +0200

Changed in globus-gridftp-server (Ubuntu Natty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package globus-gridftp-server - 3.33-2ubuntu0.1

---------------
globus-gridftp-server (3.33-2ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Wrong user mapping on badly configured server
    (LP: #1027324)
    - debian/patches/globus-gridftp-server-pw195.patch: backported from
      upstream
    - CVE-2012-3292
 -- Mattias Ellert <email address hidden> Thu, 19 Jul 2012 16:48:38 +0200

Changed in globus-gridftp-server (Ubuntu Oneiric):
status: New → Fix Released
This report contains Public Security information. Everyone can see this security related information.