CVE-2018-10916 (https://nvd.nist.gov/vuln/detail/CVE-2018-10916): It has been discovered that lftp up to and including version 4.8.3 does not properly sanitize remote file names, leading to a loss of integrity on the local system when reverse mirroring is used. A remote attacker may trick a user into using reverse mirroring on an attacker-controlled FTP server, resulting in the removal of all files in the current working directory of the victim's system.
Upstream issue: https://github.com/lavv17/lftp/issues/452
Upstream patch: https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
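The description above says names taken from the remote listing are used unsanitized to act on the local working directory. As an added illustration from the defender's side (not lftp's code and not the upstream patch; the validation rules, function names and the sample listing are assumptions constructed for this example), this is the kind of entry filter a mirror implementation can apply to remote listing entries before mapping them to local paths:

```python
from pathlib import Path

# Constructed sample listing, as a hostile server might send it. Only the
# plain names should survive; the rest would alias or escape the local
# directory if used as path components.
SAMPLE_LISTING = ["report.txt", ".", "..", "../../home", "sub/dir", "", "notes.md"]


def is_safe_remote_name(name: str) -> bool:
    """Accept a remote entry only if it is a single plain path component.

    These rules are an assumption for this example, not lftp's own logic:
    reject empty names, the '.' and '..' aliases, and anything carrying a
    path separator or a NUL byte.
    """
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\\" in name or "\0" in name:
        return False
    return True


def filter_remote_entries(local_root: str, remote_names) -> list:
    """Return the remote names that may be mapped to paths under local_root.

    Besides the per-name check, every candidate is resolved and must stay
    inside local_root (a containment check), so a later delete or overwrite
    step can never reach anything outside the mirror directory.
    """
    root = Path(local_root).resolve()
    accepted = []
    for name in remote_names:
        if not is_safe_remote_name(name):
            continue
        candidate = (root / name).resolve()
        if root not in candidate.parents:
            continue
        accepted.append(name)
    return accepted


if __name__ == "__main__":
    # Expected: ['report.txt', 'notes.md']
    print(filter_remote_entries("/srv/mirror", SAMPLE_LISTING))
```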
@arches, please stabilize.
An automated check of this bug failed - the following atom is unknown: net-lftp/lftp-4.8.4-r1. Please verify the atom list.
?
An automated check of this bug succeeded - the previous repoman errors are now resolved.
amd64 stable
x86 stable
sparc stable
ia64 stable
ppc64 stable
ppc stable
arm stable
alpha stable
hppa stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93ce6a29b012ae8e10039e4f9a02c71bc8745e39

commit 93ce6a29b012ae8e10039e4f9a02c71bc8745e39
Author: Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-05-03 08:26:24 +0000
Commit: Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-05-03 08:26:50 +0000

net-ftp/lftp: Old

Package-Manager: Portage-2.3.66, Repoman-2.3.12
Bug: https://bugs.gentoo.org/show_bug.cgi?id=662882
Signed-off-by: Jeroen Roovers <jer@gentoo.org>

net-ftp/lftp/Manifest | 1 -
.../lftp/files/lftp-4.7.5-libdir-configure.patch | 10 --
net-ftp/lftp/files/lftp-4.7.5-libdir-libidn.patch | 10 --
net-ftp/lftp/files/lftp-4.7.5-libdir-openssl.patch | 18 ----
net-ftp/lftp/files/lftp-4.7.5-libdir-zlib.patch | 28 ------
net-ftp/lftp/lftp-4.7.5.ebuild | 98 --------------------
net-ftp/lftp/lftp-4.8.4.ebuild | 101 ---------------------
7 files changed, 266 deletions(-)
Data loss... downgrading.