Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 329939 (CVE-2010-2251) - <net-ftp/lftp-4.0.6 execution of arbitrary code (CVE-2010-2251)
Summary: <net-ftp/lftp-4.0.6 execution of arbitrary code (CVE-2010-2251)
Status: RESOLVED FIXED
Alias: CVE-2010-2251
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
: 327979 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-07-26 15:40 UTC by Stefan Behte (RETIRED)
Modified: 2014-12-12 00:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:40:43 UTC 
CVE-2010-2251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2251):
  The get1 command, as used by lftpget, in LFTP before 4.0.6 does not
  properly validate a server-provided filename before determining the
  destination filename of a download, which allows remote servers to
  create or overwrite arbitrary files via a Content-Disposition header
  that suggests a crafted filename, and possibly execute arbitrary code
  as a consequence of writing to a dotfile in a home directory.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-07-26 15:41:01 UTC 
Please remove vulnerable versions.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-26 20:15:38 UTC 
(In reply to comment #1)
> Please remove vulnerable versions.

We're not done stabilising 4.0.9 yet (bug #327979).

Arches, please continue stabilising:
=net-ftp/lftp-4.0.9
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sparc x86"

Stable for PPC.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-26 20:15:58 UTC 
*** Bug 327979 has been marked as a duplicate of this bug. ***
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2010-07-31 16:15:21 UTC 
alpha/arm/ia64/s390/sparc stable
Comment 5 Brent Baude (RETIRED) gentoo-dev 2010-08-03 17:18:00 UTC 
ppc64 done
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-03 20:14:19 UTC 
Vulnerable version 4.0.5 is out of the tree.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-22 22:47:21 UTC 
jer: *never* change whiteboard, if you do not know the exact procedure. It's changed to glsa after we filed a glsa request only!

GLSA request filed.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:34:08 UTC 
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).