Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 329939 (CVE-2010-2251)

Summary: <net-ftp/lftp-4.0.6 execution of arbitrary code (CVE-2010-2251)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: dragonheart, jer
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=602836
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:40:43 UTC 
CVE-2010-2251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2251):
  The get1 command, as used by lftpget, in LFTP before 4.0.6 does not
  properly validate a server-provided filename before determining the
  destination filename of a download, which allows remote servers to
  create or overwrite arbitrary files via a Content-Disposition header
  that suggests a crafted filename, and possibly execute arbitrary code
  as a consequence of writing to a dotfile in a home directory.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:41:01 UTC 
Please remove vulnerable versions.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-26 20:15:38 UTC 
(In reply to comment #1)
> Please remove vulnerable versions.

We're not done stabilising 4.0.9 yet (bug #327979).

Arches, please continue stabilising:
=net-ftp/lftp-4.0.9
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"

Stable for PPC.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-26 20:15:58 UTC 
*** Bug 327979 has been marked as a duplicate of this bug. ***
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2010-07-31 16:15:21 UTC 
alpha/arm/ia64/s390/sparc stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2010-08-03 17:18:00 UTC 
ppc64 done
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-03 20:14:19 UTC 
Vulnerable version 4.0.5 is out of the tree.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-22 22:47:21 UTC 
jer: *never* change whiteboard, if you do not know the exact procedure. It's changed to glsa after we filed a glsa request only!

GLSA request filed.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:34:08 UTC 
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).