Bug 35866 - lftp 2.6.10 released (with *security* fix)
Summary: lftp 2.6.10 released (with *security* fix)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://ftp.yars.free.net/pub/software...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-12-15 04:52 UTC by Marc Bevand
Modified: 2003-12-17 23:04 UTC

See Also:
Package list:
Runtime testing required: ---

Description Marc Bevand 2003-12-15 04:52:28 UTC
Lftp 2.6.10 has been released.

Please note that it contains a security fix!

Reproducible: Always
Steps to Reproduce:
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-12-15 10:55:21 UTC
from <http://lftp.yar.ru/news.html>:

Version 2.6.10 - 2003-12-11 

Some bugs fixed.
security fixes in html parsing code.
fxp between ftps session is now possible (unencrypted yet).
fixed a rare bug with access to freed memory in ftp.
fixed a bug in mirror, now it does not incorrectly append directory name when target directory is the root.
fixed compilation on AIX.
Polish translation updated.
Comment 2 Spider (RETIRED) gentoo-dev 2003-12-15 11:04:56 UTC
okay, updated.
removing all builds I can (safely) do. Testing in progress. Remove what remains as you release the advisory.
Comment 3 Spider (RETIRED) gentoo-dev 2003-12-15 12:18:55 UTC
tested on all arches that have it stable. all old builds removed.

Comment 4 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-12-15 16:33:44 UTC
trance: can you look at why this is in the lftp changelog:

  11 Apr 2003; Graham Forest <vladimir@gentoo.org> lftp-2.5.4-r1.ebuild,
  lftp-2.6.2.ebuild, lftp-2.6.3.ebuild, lftp-2.6.4.ebuild, lftp-2.6.5.ebuild:
  -ppc'd until >=sys-devel/binutils-2.13.90.0.20 is ok on ppc

that version of binutils is still not stable on ppc.
Comment 5 Bartosch Pixa (RETIRED) gentoo-dev 2003-12-15 17:16:36 UTC
ppc is already way beyond that binutils version, lftp 2.6.10 works
Comment 6 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-12-17 23:04:20 UTC
glsa 200312-07 sent as:

--------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200312-07
--------------------------------------------------------------------------

GLSA:        200312-07
Package:     net-ftp/lftp
Summary:     Two buffer overflow problems found in lftp
Severity:    minimal
Gentoo bug:  35866
Date:        2003-12-16
CVE:         CAN-2003-0963
Exploit:     remote
Affected:    <=2.6.9
Fixed:       >=2.6.10


DESCRIPTION:

Two buffer overflow problems have been found in lftp, a multithreaded
command-line based FTP client. A specially created directory on a web
server could be used to execute arbitrary code on the connecting machine.
The user's machine has to connect to a malicious web server using HTTP or
HTTPS, then issue an "ls" or "rels" command.

Please see
<http://www.securityfocus.com/archive/1/347587/2003-12-13/2003-12-19/0>
for more details on this problem.


SOLUTION:

All machines which have net-ftp/lftp installed should be updated to use
version 2.6.10 or higher using these commands:

        emerge sync
        emerge -pv '>=net-ftp/lftp-2.6.10'
        emerge '>=net-ftp/lftp-2.6.10'
        emerge clean


// end

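As an added example (not from this bug report or from Gentoo's own tooling), a small Python check that parses the header fields of the GLSA quoted above and decides whether an installed lftp version falls in the Affected range, using numeric comparison so that 2.6.10 is correctly ranked above 2.6.9 (a plain string compare gets this wrong). The GLSA text is a constructed copy of the fields above; handling of Gentoo revision suffixes such as -r1 is an assumption.

```python
import re
from typing import Dict, Tuple

# Constructed copy of the header fields from GLSA 200312-07 as quoted in this bug.
GLSA_200312_07 = """\
GLSA:        200312-07
Package:     net-ftp/lftp
Summary:     Two buffer overflow problems found in lftp
Severity:    minimal
Affected:    <=2.6.9
Fixed:       >=2.6.10
"""

def parse_glsa_header(text: str) -> Dict[str, str]:
    """Turn 'Key:   value' lines of a GLSA header into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def version_key(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Numeric sort key: '2.6.10' > '2.6.9', and '2.5.4-r1' > '2.5.4'.
    The -rN revision handling is an assumption about Gentoo version strings."""
    base, _, rev = ver.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)

def matches_constraint(installed: str, constraint: str) -> bool:
    """Evaluate a Gentoo-style version constraint such as '<=2.6.9' or '>=2.6.10'."""
    m = re.match(r"^(<=|>=|<|>|=)?(\d+(?:\.\d+)*(?:-r\d+)?)$", constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint}")
    op, ver = m.group(1) or "=", m.group(2)
    a, b = version_key(installed), version_key(ver)
    return {"<=": a <= b, ">=": a >= b, "<": a < b, ">": a > b, "=": a == b}[op]

def is_vulnerable(installed: str, glsa_text: str) -> bool:
    """True when the installed version is inside Affected and outside Fixed."""
    f = parse_glsa_header(glsa_text)
    return matches_constraint(installed, f["Affected"]) and not matches_constraint(installed, f["Fixed"])

if __name__ == "__main__":
    for v in ("2.5.4-r1", "2.6.9", "2.6.10"):
        print(f"lftp-{v}: {'VULNERABLE' if is_vulnerable(v, GLSA_200312_07) else 'ok'}")
```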