Bug 536036 - <net-ftp/lftp-4.6.2 : saves unknown host's fingerprint in known_hosts without any prompt (CVE Requested)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Blocks: CVE-2014-0139
Reported: 2015-01-08 15:33 UTC by Agostino Sarubbo
Modified: 2015-06-30 22:37 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-01-08 15:33:28 UTC
From ${URL} :

From the src/ file:
47: const char *y="(yes/no)?";
73: if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
74: {
75: pty_recv_buf->Put("yes\n");
76: pty_send_buf->Put("yes\n");
77: return m;
78: }

Not only does it make a particular SFTP file transfer insecure, but also
any future connection via any SSH client.

After enabling debug (the "yes" answer generated automatically):
$ lftp sftp://mszewczyk@localhost:22203
lftp mszewczyk@localhost:~> debug
lftp mszewczyk@localhost:~> ls
---- Running connect program (ssh -a -x -s -l mszewczyk -p 22203 localhost sftp)
---> sending a packet, length=5, type=1(INIT), id=0
<--- The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.
<--- RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.
<--- Are you sure you want to continue connecting (yes/no)? yes
<--- Warning: Permanently added '[localhost]:22203' (RSA) to the list of known hosts.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-19 12:04:58 UTC
"lftp does not ask the user asynchronously by design. I can make a setting to disable accessing unknown hosts by default."

And also

but I'd rather wait until that is properly released.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-02 05:50:54 UTC
Development snapshot should fix this but will not go stable.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-16 15:49:44 UTC
"lftp-4.6.2 has been released. Changes:

* fixed a wildcard certificate validation vulnerability (CVE-2014-0139).
* new settings fish:auto-confirm and sftp:auto-confirm.

Arch teams, please test and mark stable:
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
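The pty check quoted in the description (answer "yes" whenever the buffer ends in "(yes/no)?") and the auto-confirm setting announced in comment 3, modelled side by side as an added example. This is my own C++, not lftp's code: the names HostKeyAction, vulnerable_decide, hardened_decide, reply_for and extract_fingerprint are mine, the trailing-whitespace trim before the suffix compare is an assumption about what lftp does, and "auto-confirm off by default" is an assumption about 4.6.2 drawn from comment 1. The sample input is constructed from the three ssh lines in the bug's debug output.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <strings.h>   // strncasecmp, the call used in the quoted lftp fragment

// Added example (not lftp's code). It models the pty-buffer check from the
// bug report: when the ssh child's "(yes/no)?" host-key prompt is the last
// thing received, decide what to write back to the pty.

enum class HostKeyAction { Accept, Reject, None };

// Copy of the received data with trailing whitespace removed, because the
// real ssh prompt ends in "(yes/no)? " with a trailing space (assumption:
// lftp trims similarly before its suffix compare).
static std::string trimmed(const std::string& in) {
    std::string s = in;
    while (!s.empty() && std::isspace(static_cast<unsigned char>(s.back())))
        s.pop_back();
    return s;
}

// Vulnerable behaviour (lftp < 4.6.2): any prompt is answered "yes", so an
// unknown host key is silently added to known_hosts.
HostKeyAction vulnerable_decide(const std::string& recv) {
    static const char y[] = "(yes/no)?";
    const size_t y_len = sizeof(y) - 1;
    const std::string b = trimmed(recv);
    const size_t s = b.size();
    if (s >= y_len && !strncasecmp(b.data() + s - y_len, y, y_len))
        return HostKeyAction::Accept;
    return HostKeyAction::None;
}

// Hardened behaviour, modelled on the sftp:auto-confirm setting named in
// comment 3. The setting name is from the bug; this function is ours, and
// "off by default" is an assumption. With auto_confirm false the prompt is
// answered "no", so ssh exits instead of trusting the key.
HostKeyAction hardened_decide(const std::string& recv, bool auto_confirm) {
    if (vulnerable_decide(recv) != HostKeyAction::Accept)
        return HostKeyAction::None;          // no prompt pending
    return auto_confirm ? HostKeyAction::Accept : HostKeyAction::Reject;
}

// Text written to the pty for a decision (nullptr when nothing is sent).
const char* reply_for(HostKeyAction a) {
    switch (a) {
        case HostKeyAction::Accept: return "yes\n";
        case HostKeyAction::Reject: return "no\n";
        default:                    return nullptr;
    }
}

// Pull the fingerprint out of ssh's "... key fingerprint is <fp>." line so
// the rejecting path can show the user what they would have been trusting.
// Returns "" when no such line is present.
std::string extract_fingerprint(const std::string& recv) {
    static const std::string marker = "key fingerprint is ";
    size_t p = recv.find(marker);
    if (p == std::string::npos) return "";
    p += marker.size();
    size_t e = recv.find_first_of(".\n", p);
    return recv.substr(p, e == std::string::npos ? std::string::npos : e - p);
}

// Constructed sample: the three ssh lines quoted in the bug's debug output.
static const char* const kSampleRecv =
    "The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.\n"
    "RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.\n"
    "Are you sure you want to continue connecting (yes/no)? ";

int main() {
    const std::string recv = kSampleRecv;
    const char* old_reply = reply_for(vulnerable_decide(recv));
    const char* new_reply = reply_for(hardened_decide(recv, false));
    std::printf("vulnerable lftp sends:  %s", old_reply ? old_reply : "(nothing)\n");
    std::printf("auto-confirm off sends: %s", new_reply ? new_reply : "(nothing)\n");
    std::printf("fingerprint offered:    %s\n", extract_fingerprint(recv).c_str());
    return 0;
}
```

The point of the split is that the suffix match itself is fine; what made the old code dangerous is that detecting the prompt and answering it were the same step, so the user never saw the fingerprint. Keeping the decision behind an explicit, off-by-default setting turns an unknown host key into a visible failure rather than a permanent known_hosts entry.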
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-17 05:02:07 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2015-04-17 07:19:58 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-04-17 07:20:40 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-04-17 12:45:21 UTC
ppc64 stable
Comment 8 Pacho Ramos gentoo-dev 2015-04-21 19:18:31 UTC
ppc stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-04-25 15:14:54 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-04-28 07:30:18 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-04-28 07:47:05 UTC
ia64 stable
Comment 12 Markus Meier gentoo-dev 2015-05-21 16:34:04 UTC
arm stable, all arches done.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-25 05:30:36 UTC
All done.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-06-06 14:55:44 UTC
Arches and Maintainer(s), thank you for your work.

CVE Requested here -

Security Please Vote
First GLSA Vote: No
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 22:37:24 UTC
NO too, closing.