|Summary:|net-ftp/lftp <3.5.9 user assisted code execution (CVE-2007-2348)|
|Product:|Gentoo Security|
|Reporter:|Daniel Black (RETIRED) <dragonheart>|
|Component:|Vulnerabilities|
|Assignee:|Gentoo Security <security>|
|Whiteboard:|B2? [noglsa] jaervosz|
|Package list:||
|Runtime testing required:|---|
Description Daniel Black (RETIRED) 2007-04-06 01:55:11 UTC
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2007-04-11 11:00:05 UTC
Thx Daniel. Arches please test and mark stable.
Comment 2 Raúl Porcel (RETIRED) 2007-04-11 12:27:34 UTC
ia64 + x86 stable
Comment 3 Peter Weller (RETIRED) 2007-04-11 13:12:32 UTC
3.5.10 stable on amd64
Comment 4 Jeroen Roovers (RETIRED) 2007-04-11 13:28:41 UTC
Stable for HPPA.
Comment 5 Gustavo Zacarias (RETIRED) 2007-04-11 14:10:19 UTC
Comment 6 Markus Rothe (RETIRED) 2007-04-11 14:23:13 UTC
Comment 7 Jose Luis Rivero (yoswink) (RETIRED) 2007-04-11 16:38:14 UTC
alpha stable. +extra points to Daniel for providing instructions to test! you r0lz.
Comment 8 Tobias Scherbaum (RETIRED) 2007-04-11 22:39:13 UTC
Comment 9 Raphael Marichez (Falco) (RETIRED) 2007-04-27 20:29:24 UTC
I'm late, but I really don't consider this as a security issue when I'm reading the manpage. "Mirror --script" is not actually dangerous. Running "mirror --script" and then running the generated script without reading it is stupid. BTW it'll be CVE-2007-2348
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) 2007-04-30 08:32:22 UTC
@falco: one thing is a script that executes FTP commands, another is when it can execute arbitrary commands. Just because the script file is plaintext doesn't mean everybody will check it before running it.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) 2007-05-02 11:36:11 UTC
Since there has been some discussion about whether this is a feature or a security issue, I'm calling a GLSA vote.
Comment 12 Daniel Black (RETIRED) 2007-05-02 12:37:30 UTC
Script seems only intended to run ftp commands. Going further to arbitrary shell commands seems to be an unintentional priv escalation. Depending on the command given this could allow a remote shell in where there wasn't before. So I'm saying go glsa=yes.
Comment 13 Matt Drew (RETIRED) 2007-05-02 12:56:08 UTC
This is either a non-issue or it hasn't been fixed, since you can already drop to a shell from the lftp script (append a line starting with ! and then your shell commands, confirmed on 3.5.10). There's essentially no difference between running an untrusted lftp script and running an untrusted bash script. Even without the shell commands, it would be pretty trivial for an untrusted lftp script to do things like overwrite local files (cron, .bash_profile, etc) to gain code execution as the user. There's not really any way around this that I see.
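Added example, not part of the original bug thread or of lftp: a small Python check that lists the shell-escape commands Comment 13 describes (commands beginning with `!`) in a script before it is handed to lftp. The sample script is constructed, and the quote handling and the splitting on `;`, `&` and `|` are simplifying assumptions about lftp's command syntax.

```python
# Constructed sample of a transfer script; not real "mirror --script" output.
SAMPLE_SCRIPT = """\
open ftp://mirror.example.org
get -O /srv/mirror/pub ftp://mirror.example.org/pub/README
!touch /tmp/constructed-marker
get -O /srv/mirror/pub "ftp://mirror.example.org/pub/a;b!c.txt"
mkdir /srv/mirror/pub/sub; !id
"""


def split_commands(line):
    """Split a line on unquoted ';', '&' or '|' (assumed separators)."""
    parts, buf, quote, escaped = [], [], None, False
    for ch in line:
        if escaped:                  # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif quote:                  # inside '...' or "..."
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            buf.append(ch)
            quote = ch
        elif ch in ";&|":            # command boundary outside quotes
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def find_shell_escapes(script_text):
    """Return (line_number, command) for each command starting with '!'."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        for cmd in split_commands(line):
            if cmd.startswith("!"):
                hits.append((lineno, cmd))
    return hits


if __name__ == "__main__":
    for lineno, cmd in find_shell_escapes(SAMPLE_SCRIPT):
        print(f"line {lineno}: shell escape: {cmd}")
```

An empty result only rules out the `!` case; the local file overwrites mentioned in Comment 13 are not covered by this check.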
Comment 14 Matt Drew (RETIRED) 2007-05-03 11:29:50 UTC
I vote no, by the way. :)
Comment 15 Pierre-Yves Rofes (RETIRED) 2007-05-03 18:47:51 UTC
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) 2007-05-03 18:55:13 UTC
Two NO votes -> closing with NO GLSA. Feel free to reopen if you disagree.