
Heimdal: ftpd root escalation


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200409-19 / heimdal
Release Date September 16, 2004
Latest Revision September 16, 2004: 01
Impact high
Exploitable remote
Package              Vulnerable versions   Unaffected versions   Architecture(s)
app-crypt/heimdal    < 0.6.3               >= 0.6.3              All supported architectures

Related bugreports: #61412


Several bugs exist in the Heimdal ftp daemon which could allow a remote attacker to gain root privileges.

2.  Impact Information


Heimdal is an implementation of Kerberos 5.


Przemyslaw Frasunek discovered several flaws in lukemftpd, which also apply to Heimdal ftpd's out-of-band signal handling code.

Additionally, a potential vulnerability that could lead to Denial of Service by the Key Distribution Center (KDC) has been fixed in this version.


A remote attacker could run arbitrary code with escalated privileges, resulting in a total compromise of the server.

3.  Resolution Information


There is no known workaround at this time.


All Heimdal users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge sync
# emerge -pv ">=app-crypt/heimdal-0.6.3"
# emerge ">=app-crypt/heimdal-0.6.3"
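As an added example (not part of this GLSA or of Portage), the following POSIX sh function classifies an installed app-crypt/heimdal version against the ranges in the table above: vulnerable below 0.6.3, unaffected at 0.6.3 or later. It understands plain X.Y.Z versions and Gentoo -rN revisions; versions carrying a Portage suffix such as _rc or _p are reported as unknown instead of guessed, because Portage sorts those differently from the plain release.

```shell
#!/bin/sh
# Added example, not part of GLSA 200409-19 or Portage: classify a heimdal
# version against the advisory's ranges (vulnerable < 0.6.3, unaffected >= 0.6.3).

# Print -1, 0 or 1 for dotted version $1 compared with $2 (like strcmp).
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}          # leading component of each side
        a=${a#"$x"}; a=${a#.}           # drop it (and the dot) from the remainder
        b=${b#"$y"}; b=${b#.}
        x=${x:-0}; y=${y:-0}            # a missing component counts as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Exit 0 = vulnerable, 1 = unaffected, 2 = version string not understood.
heimdal_vulnerable() {
    v=$1
    case $v in
        *_*) return 2 ;;                # Portage suffix (_rc, _p, ...): do not guess
    esac
    v=${v%-r[0-9]*}                     # strip the -rN revision; it does not affect the range
    case $v in
        ''|*[!0-9.]*) return 2 ;;       # only digits and dots may remain
    esac
    [ "$(cmp_dotted "$v" 0.6.3)" -lt 0 ]
}

# Stand-alone use: sh heimdal_check.sh 0.6.2-r1  (file name is hypothetical)
if [ $# -eq 1 ]; then
    rc=0; heimdal_vulnerable "$1" || rc=$?
    case $rc in
        0) echo "$1: VULNERABLE, upgrade to >=app-crypt/heimdal-0.6.3" ;;
        1) echo "$1: unaffected" ;;
        *) echo "$1: cannot classify this version string" ;;
    esac
fi
```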

4.  References


Page updated September 16, 2004
