--- /var/tmp/portage/net-ftp/lftp-3.5.7/work/lftp-3.5.7/NEWS 2006-12-08 23:02:47.000000000 +1100
+++ /var/tmp/portage/net-ftp/lftp-3.5.9/work/lftp-3.5.9/NEWS 2007-01-09 17:04:06.000000000 +1100
@@ -1,3 +1,12 @@
+Version 3.5.9 - 2007-01-09
+* fixed `mirror --script' which generated improperly quoted shell commands
+(potential security vulnerability, when someone executes the resulting script).
nothing found in email list.
Impact: A user could be provided a lftp script by a malicious person that could execute arbitary shell script.
vulnerability is very a bit unlikely to exploit imho.
net-ftp/lftp-3.5.9 and 3.5.10 in the tree
lftp-3.5.10 fixes a few core dumps and has some library linking foo added. Recommend stabilizing this version.
I checked the code and the vulnerability existed in latest stable version (3.4.6).
Test plan for 3.5.10 - its a ftp client - treat it like one.
lftp is a basic ftp client. To test try the following:
$ lftp ftp://lftp.yar.ru/lftp/old
cd ok, cwd=/lftp/old
lftp lftp.yar.ru:/lftp/old> ls
lftp lftp.yar.ru:/lftp/old> get lftp-3.4.5.tar.bz2.asc
lftp lftp.yar.ru:/lftp/old> mget lftp-*.md5sum
lftp lftp.yar.ru:/lftp/old> bye
Arches please test and mark stable.
ia64 + x86 stable
3.5.10 stable on amd64
Stable for HPPA.
+extra points to Daniel for providing instructions to test! you r0lz.
i'm late but i really don't consider this as a security issue when i'm reading the manpage. "Mirror --script" is not actually dangerous. Running "mirror --script" then run the generated script without reading it is stupid.
BTW it'll be CVE-2007-2348
@falco: one thing is a script that executes FTP commands another is when it can execute arbitrary commands. Just because the script file is plaintext doesn't mean everybody will check it before running it.
Since there has been some discussion about wether this is a feature or a security issue, I'm calling a GLSA vote.
script seems only intended to run ftp commands. going further to arbitrary shell commands seems to be an unintentional priv escalation. Depending on the command given this could allow a remote shell in where there wasn't before. so i'm saying go glsa=yes.
This is either a non-issue or it hasn't been fixed, since you can already drop
to a shell from the lftp script (append a line starting with ! and then your
shell commands, confirmed on 3.5.10). There's essentially no difference
between running an untrusted lftp script and running an untrusted bash script.
Even without the shell commands, it would be pretty trivial for an untrusted
lftp script to do things like overwrite local files (cron, .bash_profile, etc)
to gain code execution as the user. There's not really any way around this
that I see.
I vote no, by the way. :)
Two NO votes -> closing with NO GLSA. Feel free to reopen if you disagree.