From EGIWiki


** WHITE information - Unlimited distribution allowed                       **  

** see for distribution restrictions **


Title:       EGI SVG Advisory 'Low' RISK - Gridftp CVE-201203292
Date:        2012-12-20



A vulnerability was found in GridFTP: users whose DN is mapped in a grid-mapfile
to a non-existent user id may end up running as the last user listed in /etc/passwd.

This was fixed by Globus in May 2012; this advisory is issued now that the
versions in the EGI UMD are no longer vulnerable.


The vulnerability was found in GridFTP 5.2.1.
Users whose DN is mapped to a non-existent unix user id in a grid-mapfile
may instead be mapped to the last user in /etc/passwd, i.e. to an account the
site never intended that DN to use.

Globus announced this and provided a fix in May 2012.
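The precondition for this issue is a grid-mapfile entry whose local account no longer exists. The following is an added example, not code from the advisory or from Globus: it parses grid-mapfile and /etc/passwd text, lists the dangling mappings a site should clean up, and shows which account such a DN would silently have received on a vulnerable server. It assumes the usual quoted-DN grid-mapfile line form and uses constructed sample data.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data (not from the advisory): one mapping ("oldgrid01")
# points at an account that has since been removed from passwd.
SAMPLE_GRID_MAPFILE = '''# grid-mapfile: "<DN>" <localuser>[,<localuser>...]
"/C=XX/O=Example VO/CN=Alice" alice
"/C=XX/O=Example VO/CN=Bob" bob,grid02
"/C=XX/O=Example VO/CN=Carol" oldgrid01
'''
SAMPLE_PASSWD = '''root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
grid02:x:1003:1003::/home/grid02:/bin/bash
lastuser:x:1999:1999::/home/lastuser:/bin/bash
'''

# Assumed line form: a double-quoted DN, whitespace, comma-separated accounts.
MAPLINE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_grid_mapfile(text: str) -> Dict[str, List[str]]:
    """Map each DN to its local accounts; blank and '#' lines are skipped."""
    mappings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAPLINE.match(line)
        if not m:
            raise ValueError(f"unparseable grid-mapfile line: {line!r}")
        mappings[m.group(1)] = m.group(2).split(",")
    return mappings


def parse_passwd(text: str) -> List[str]:
    """Return account names in passwd order (the last one matters here)."""
    return [line.split(":", 1)[0] for line in text.splitlines() if line.strip()]


def dangling_mappings(mapfile_text: str, passwd_text: str) -> List[Tuple[str, str]]:
    """(DN, account) pairs whose account is absent from passwd."""
    known: Set[str] = set(parse_passwd(passwd_text))
    return [(dn, acct) for dn, accts in parse_grid_mapfile(mapfile_text).items()
            for acct in accts if acct not in known]


def fallback_account(passwd_text: str) -> str:
    """The account a dangling DN would have received on GridFTP 5.2.1."""
    return parse_passwd(passwd_text)[-1]
```

Run against a real site, the dangling list should be empty; any entry it prints is a mapping to remove or repoint regardless of the GridFTP version installed.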

Risk category

This issue has been assessed as 'Low' risk by the EGI SVG Risk Assessment Team 

Affected software

Version GridFTP 5.2.1 provided by Globus is affected.
It is not clear whether earlier versions of gridftp are vulnerable.

This is fixed in GridFTP version 5.2.2 or later.  

Component installation information

The official repository for the distribution of grid middleware for EGI sites is which contains the EGI Unified Middleware Distribution (UMD).

This is fixed in UMD 1 update 1.9.1

This is fixed in UMD 2 update 2.3.1


Sites are recommended to update relevant components in due course.


Vulnerability found by Doug Strain and Neha Sharma. 

EGI SVG was alerted to this vulnerability by Romain Wartel, Leif Nixon and 
David O'Callaghan.




2012-05-?? Vulnerability found by Doug Strain and Neha Sharma.
           Issue fixed by Globus.
2012-05-22 SVG alerted to the vulnerability by Romain Wartel,
           Leif Nixon and David O'Callaghan
2012-05-22 Acknowledgement from the EGI SVG to the alerter

2012-05-29 Assessment by the EGI Software Vulnerability Group reported to
           the EGI DMSU
2012-12-17 Updated packages available in the EGI UMD 2
2012-12-19 Updated packages available in the EGI UMD 1
2012-12-20 Public disclosure