Bug 173524 - net-ftp/lftp <3.5.9 user assisted code execution (CVE-2007-2348)
|
Bug#:
173524
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: dragonheart@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
http://lftp.yar.ru/
|
|
Summary: net-ftp/lftp <3.5.9 user assisted code execution (CVE-2007-2348)
|
|
Keywords:
|
|
Status Whiteboard: B2? [noglsa] jaervosz
|
|
Opened: 2007-04-06 01:55 0000
|
--- /var/tmp/portage/net-ftp/lftp-3.5.7/work/lftp-3.5.7/NEWS 2006-12-08
23:02:47.000000000 +1100
+++ /var/tmp/portage/net-ftp/lftp-3.5.9/work/lftp-3.5.9/NEWS 2007-01-09
17:04:06.000000000 +1100
@@ -1,3 +1,12 @@
+Version 3.5.9 - 2007-01-09
+
+* fixed `mirror --script' which generated improperly quoted shell commands
+(potential security vulnerability, when someone executes the resulting
script).
+
nothing found in email list.
Impact: A user could be provided a lftp script by a malicious person that could
execute arbitary shell script.
vulnerability is very a bit unlikely to exploit imho.
net-ftp/lftp-3.5.9 and 3.5.10 in the tree
lftp-3.5.10 fixes a few core dumps and has some library linking foo added.
Recommend stabilizing this version.
I checked the code and the vulnerability existed in latest stable version
(3.4.6).
Test plan for 3.5.10 - its a ftp client - treat it like one.
lftp is a basic ftp client. To test try the following:
$ lftp ftp://lftp.yar.ru/lftp/old
cd ok, cwd=/lftp/old
lftp lftp.yar.ru:/lftp/old> ls
...
lftp lftp.yar.ru:/lftp/old> get lftp-3.4.5.tar.bz2.asc
...
lftp lftp.yar.ru:/lftp/old> mget lftp-*.md5sum
...
lftp lftp.yar.ru:/lftp/old> bye
$
Thx Daniel.
Arches please test and mark stable.
alpha stable.
+extra points to Daniel for providing instructions to test! you r0lz.
i'm late but i really don't consider this as a security issue when i'm reading
the manpage. "Mirror --script" is not actually dangerous. Running "mirror
--script" then run the generated script without reading it is stupid.
BTW it'll be CVE-2007-2348
@falco: one thing is a script that executes FTP commands another is when it can
execute arbitrary commands. Just because the script file is plaintext doesn't
mean everybody will check it before running it.
Since there has been some discussion about wether this is a feature or a
security issue, I'm calling a GLSA vote.
script seems only intended to run ftp commands. going further to arbitrary
shell commands seems to be an unintentional priv escalation. Depending on the
command given this could allow a remote shell in where there wasn't before. so
i'm saying go glsa=yes.
This is either a non-issue or it hasn't been fixed, since you can already drop
to a shell from the lftp script (append a line starting with ! and then your
shell commands, confirmed on 3.5.10). There's essentially no difference
between running an untrusted lftp script and running an untrusted bash script.
Even without the shell commands, it would be pretty trivial for an untrusted
lftp script to do things like overwrite local files (cron, .bash_profile, etc)
to gain code execution as the user. There's not really any way around this
that I see.
I vote no, by the way. :)
Two NO votes -> closing with NO GLSA. Feel free to reopen if you disagree.
