Bug 173524 - net-ftp/lftp <3.5.9 user assisted code execution (CVE-2007-2348)
Summary: net-ftp/lftp <3.5.9 user assisted code execution (CVE-2007-2348)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://lftp.yar.ru/
Whiteboard: B2? [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2007-04-06 01:55 UTC by Daniel Black (RETIRED)
Modified: 2007-06-24 23:29 UTC (History)
Description Daniel Black (RETIRED) gentoo-dev 2007-04-06 01:55:11 UTC
--- /var/tmp/portage/net-ftp/lftp-3.5.7/work/lftp-3.5.7/NEWS    2006-12-08 23:02:47.000000000 +1100
+++ /var/tmp/portage/net-ftp/lftp-3.5.9/work/lftp-3.5.9/NEWS    2007-01-09 17:04:06.000000000 +1100
@@ -1,3 +1,12 @@
+Version 3.5.9 - 2007-01-09
+
+* fixed `mirror --script' which generated improperly quoted shell commands
+(potential security vulnerability, when someone executes the resulting script).
+
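Review bot: the hunk header @@ -1,3 +1,12 @@ announces nine added lines and three unchanged context lines, but only five '+' lines are shown here and no context lines at all, so this excerpt is truncated and does not contain the actual code change. The NEWS text only states that mirror --script "generated improperly quoted shell commands"; to verify the fix, the diff of the mirror --script emitter itself (the code that writes the file names into the generated commands) should be attached or linked, since a NEWS entry cannot show whether every interpolated field is now quoted.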
nothing found in email list.

Impact: A user could be provided an lftp script by a malicious person that could execute arbitrary shell script.

Vulnerability is a bit unlikely to exploit imho.

net-ftp/lftp-3.5.9 and 3.5.10 in the tree
lftp-3.5.10 fixes a few core dumps and has some library linking foo added. Recommend stabilizing this version.

I checked the code and the vulnerability existed in latest stable version (3.4.6).

Test plan for 3.5.10 - it's an ftp client - treat it like one.
lftp is a basic ftp client. To test, try the following:
$ lftp ftp://lftp.yar.ru/lftp/old
cd ok, cwd=/lftp/old
lftp lftp.yar.ru:/lftp/old> ls
...
lftp lftp.yar.ru:/lftp/old> get lftp-3.4.5.tar.bz2.asc
...
lftp lftp.yar.ru:/lftp/old> mget lftp-*.md5sum
...
lftp lftp.yar.ru:/lftp/old> bye
$
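The NEWS entry above only says the generated shell commands were "improperly quoted". The following is an added example, not lftp's own code, that shows the defect class in miniature: a script emitter that splices a remote file name into a shell command as-is, next to one that shell-quotes the name first. The file names, the `gen_unsafe`/`gen_safe`/`shquote` helpers and the stub `get` function that stands in for the real client command are all constructed for this illustration.

```shell
#!/bin/sh
# Added example (not lftp code): how an unquoted script generator lets a
# crafted remote file name inject commands, and the single-quoting fix.

# shquote NAME: print NAME as exactly one shell word.  Wraps it in single
# quotes and turns each embedded ' into '\'' (close quote, escaped quote,
# reopen quote).  Pure POSIX sh, no sed, so newlines in names survive too.
shquote() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of $s
        s=${s#?}                 # drop it
        if [ "$c" = "'" ]; then
            out="$out'\\''"
        else
            out="$out$c"
        fi
    done
    printf "'%s'" "$out"
}

# Unsafe emitter: the name goes into the command text verbatim, the way a
# generator that forgets quoting would write it.
gen_unsafe() {
    printf 'get %s\n' "$1"
}

# Fixed emitter: every name is shell-quoted before it is written out.
gen_safe() {
    printf 'get %s\n' "$(shquote "$1")"
}

# Stub for the command the generated script calls (constructed for the
# demo).  Records how many words the shell handed it and the first one.
get() {
    GET_ARGC=$#
    GET_ARG1=$1
}

# run_script TEXT: execute generated script text in this shell with the
# stub above in place, then report whether the name stayed one word and
# whether the injected assignment INJECTED=yes ran.
run_script() {
    GET_ARGC=0; GET_ARG1=""; INJECTED=no
    eval "$1"
    printf 'argc=%s injected=%s arg1=%s\n' "$GET_ARGC" "$INJECTED" "$GET_ARG1"
}

# Demo on a constructed malicious name: the ';' ends the get command and
# the rest runs as a separate command when the script is unquoted.
NAME='file;INJECTED=yes'
printf 'unsafe script: %s\n' "$(gen_unsafe "$NAME")"
printf '  result: %s\n' "$(run_script "$(gen_unsafe "$NAME")")"
printf 'safe script:   %s\n' "$(gen_safe "$NAME")"
printf '  result: %s\n' "$(run_script "$(gen_safe "$NAME")")"
```

A plain space in a name already shows the weaker form of the same bug (`my file` becomes two arguments in the unsafe script), and a name containing a single quote is the case a naive `'%s'` wrapper still gets wrong, which is why `shquote` escapes embedded quotes rather than just surrounding the name.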
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 11:00:05 UTC
Thx Daniel.

Arches please test and mark stable.
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2007-04-11 12:27:34 UTC
ia64 + x86 stable
Comment 3 Peter Weller (RETIRED) gentoo-dev 2007-04-11 13:12:32 UTC
3.5.10 stable on amd64
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2007-04-11 13:28:41 UTC
Stable for HPPA.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-11 14:10:19 UTC
sparc stable.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-04-11 14:23:13 UTC
ppc64 stable
Comment 7 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-11 16:38:14 UTC
alpha stable.

+extra points to Daniel for providing instructions to test! you r0lz. 
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-11 22:39:13 UTC
ppc stable
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-27 20:29:24 UTC
I'm late but I really don't consider this a security issue when I'm reading the manpage. "Mirror --script" is not actually dangerous. Running "mirror --script" then running the generated script without reading it is stupid.

BTW it'll be CVE-2007-2348
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-30 08:32:22 UTC
@falco: one thing is a script that executes FTP commands another is when it can execute arbitrary commands. Just because the script file is plaintext doesn't mean everybody will check it before running it.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 11:36:11 UTC
Since there has been some discussion about whether this is a feature or a security issue, I'm calling a GLSA vote.
Comment 12 Daniel Black (RETIRED) gentoo-dev 2007-05-02 12:37:30 UTC
Script seems only intended to run ftp commands. Going further to arbitrary shell commands seems to be an unintentional priv escalation. Depending on the command given this could allow a remote shell in where there wasn't before. So I'm saying go glsa=yes.
Comment 13 Matt Drew (RETIRED) gentoo-dev 2007-05-02 12:56:08 UTC
This is either a non-issue or it hasn't been fixed, since you can already drop
to a shell from the lftp script (append a line starting with ! and then your
shell commands, confirmed on 3.5.10).  There's essentially no difference
between running an untrusted lftp script and running an untrusted bash script.

Even without the shell commands, it would be pretty trivial for an untrusted
lftp script to do things like overwrite local files (cron, .bash_profile, etc)
to gain code execution as the user.  There's not really any way around this
that I see.
Comment 14 Matt Drew (RETIRED) gentoo-dev 2007-05-03 11:29:50 UTC
I vote no, by the way. :)
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-03 18:47:51 UTC
/vote NO. 
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-03 18:55:13 UTC
Two NO votes -> closing with NO GLSA. Feel free to reopen if you disagree.