CVE-2012-3292 Information

Description

The GridFTP in Globus Toolkit (GT) before 5.2.2 when certain autoconf macros are defined does not properly check the return value from the getpwnam_r function which might allow remote attackers to gain privileges by logging in with a user that does not exist which causes GridFTP to run as the last user in the password file.

Reference

http://jira.globus.org/browse/GT-195 http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081787.html http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081791.html http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081797.html http://www.debian.org/security/2012/dsa-2523