| Summary: | <net-ftp/lftp-4.6.2 : saves unknown host's fingerprint in known_hosts without any prompt (CVE Requested) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | jer |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/lavv17/lftp/issues/116 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 539640 | | |
From ${URL} :

From the src/SSH_Access.cc file:

```cpp
// lines 47 and 73-78 of src/SSH_Access.cc as quoted in the report
const char *y="(yes/no)?";
// ... (lines 48-72 not quoted in the report)
if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
{
   pty_recv_buf->Put("yes\n");
   pty_send_buf->Put("yes\n");
   return m;
}
```

Not only does it make a particular SFTP file transfer insecure, but it also makes any future connection via any SSH client insecure. After enabling debug (the "yes" answer is generated automatically):

```text
$ lftp sftp://mszewczyk@localhost:22203
Password:
lftp mszewczyk@localhost:~> debug
lftp mszewczyk@localhost:~> ls
---- Running connect program (ssh -a -x -s -l mszewczyk -p 22203 localhost sftp)
---> sending a packet, length=5, type=1(INIT), id=0
<--- The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.
<--- RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.
<--- Are you sure you want to continue connecting (yes/no)? yes
<---
<--- Warning: Permanently added '[localhost]:22203' (RSA) to the list of known hosts.
```

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

"lftp does not ask the user asynchronously by design. I can make a setting to disable accessing unknown hosts by default." And also https://github.com/lavv17/lftp/commit/bc7b476e782d77839765f56bbdb4cee9f36b54ec but I'd rather wait until that is properly released. Development snapshot 4.6.1.20150401 should fix this but will not go stable.

"lftp-4.6.2 has been released. Changes:
* fixed a wildcard certificate validation vulnerability (CVE-2014-0139).
* new settings fish:auto-confirm and sftp:auto-confirm."

Arch teams, please test and mark stable: =net-ftp/lftp-4.6.2
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.

amd64 stable

x86 stable

ppc64 stable

ppc stable

sparc stable

alpha stable

ia64 stable

arm stable, all arches done.

All done. Arches and Maintainer(s), thank you for your work.

CVE Requested here - http://seclists.org/oss-sec/2015/q1/819

Security, please vote.

First GLSA Vote: No

NO too, closing.
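As an added example (not lftp's own code): a model of the prompt handling quoted from src/SSH_Access.cc beside a hardened variant gated by a setting, in the spirit of the sftp:auto-confirm option that 4.6.2 introduced. The function names, the enum and the trailing-whitespace trimming are assumptions of this model; the sample prompt is constructed from the ssh output in the debug session above.

```cpp
// Added example, not lftp's code: models the "(yes/no)?" handling quoted from
// src/SSH_Access.cc beside a hardened variant gated by an auto-confirm setting.
#include <cstring>
#include <string>
#include <strings.h>  // strncasecmp, as in the quoted snippet

enum class PromptAction { None, AutoYes, Refuse };
// Same test as the report: does the pty buffer end with "(yes/no)?"
// (trimming trailing whitespace first is an assumption of this model).
static bool endsWithYesNoPrompt(const std::string& b) {
    static const char* y = "(yes/no)?";
    const size_t y_len = std::strlen(y);
    size_t s = b.size();
    while (s > 0 && (b[s - 1] == ' ' || b[s - 1] == '\r' || b[s - 1] == '\n')) --s;
    return s >= y_len && strncasecmp(b.data() + s - y_len, y, y_len) == 0;
}
// Pull out the fingerprint ssh printed so the user can verify it out of band.
static std::string extractFingerprint(const std::string& b) {
    const std::string marker = "key fingerprint is ";
    size_t p = b.find(marker);
    if (p == std::string::npos) return "(not shown)";
    p += marker.size();
    size_t e = b.find_first_of(".\r\n", p);  // ssh ends the line with '.'
    return b.substr(p, e == std::string::npos ? std::string::npos : e - p);
}
// Behaviour reported in this bug: every "(yes/no)?" prompt is answered "yes",
// so an unknown host key is silently added to known_hosts.
PromptAction handlePromptVulnerable(const std::string& buf, std::string& reply) {
    if (!endsWithYesNoPrompt(buf)) return PromptAction::None;
    reply = "yes\n";
    return PromptAction::AutoYes;
}

// Hardened: confirm only if the user explicitly enabled auto-confirm; otherwise
// answer "no" (ssh then aborts and writes nothing) and log the fingerprint.
PromptAction handlePromptHardened(const std::string& buf, bool autoConfirm,
                                  std::string& reply, std::string& log) {
    if (!endsWithYesNoPrompt(buf)) return PromptAction::None;
    if (autoConfirm) { reply = "yes\n"; return PromptAction::AutoYes; }
    reply = "no\n";
    log = "unknown host key refused; fingerprint " + extractFingerprint(buf);
    return PromptAction::Refuse;
}

// Sample constructed from the ssh output in the report's debug session.
const std::string kSamplePrompt =
    "The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.\n"
    "RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.\n"
    "Are you sure you want to continue connecting (yes/no)? ";
```

With the hardened path, an unknown host never reaches known_hosts unless the user opted in, and the fingerprint ends up in the log where it can be checked against the server operator's published value.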