The get1 command, as used by lftpget, in LFTP before 4.0.6 does not
properly validate a server-provided filename before determining the
destination filename of a download, which allows remote servers to
create or overwrite arbitrary files via a Content-Disposition header
that suggests a crafted filename, and possibly execute arbitrary code
as a consequence of writing to a dotfile in a home directory.
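The missing validation described above, sketched as an added example (not code from this bug report or from LFTP): a download client reduces the server-suggested name to a single non-hidden path component and refuses to overwrite existing files. The function names, the `fallback` parameter (the name derived from the URL the user requested) and the sample headers are assumptions made for illustration.

```python
import os
import re
from email.message import Message

# Constructed sample header values, not taken from any real server.
SAMPLES = ['attachment; filename="report.pdf"',
           'attachment; filename="../../.bashrc"']

def suggested_name(content_disposition):
    """Return the raw filename parameter of a Content-Disposition value, or None."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()

def safe_local_name(suggested, fallback):
    """Reduce a server-suggested name to one non-hidden path component."""
    if not suggested:
        return fallback
    # Treat "\" like "/" and keep only the final component (no directories).
    name = suggested.replace("\\", "/").rsplit("/", 1)[-1]
    # Drop control characters, then leading dots: no dotfiles, ".", or "..".
    name = re.sub(r"[\x00-\x1f\x7f]", "", name).lstrip(".")
    return name or fallback

def create_download(directory, content_disposition, fallback):
    """Create the destination inside `directory`, never overwriting a file."""
    name = safe_local_name(suggested_name(content_disposition), fallback)
    path = os.path.join(directory, name)
    # O_EXCL fails if the path exists; O_NOFOLLOW (where available) refuses symlinks.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return path, os.open(path, flags, 0o600)

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", safe_local_name(suggested_name(header), "download"))
```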
Please remove vulnerable versions.
(In reply to comment #1)
> Please remove vulnerable versions.
We're not done stabilising 4.0.9 yet (bug #327979).
Arches, please continue stabilising:
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"
Stable for PPC.
*** Bug 327979 has been marked as a duplicate of this bug. ***
Vulnerable version 4.0.5 is out of the tree.
jer: *never* change whiteboard, if you do not know the exact procedure. It's changed to glsa after we filed a glsa request only!
GLSA request filed.
This issue was resolved and addressed in
GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).