CVE-2010-2251

Description

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

Affected products

• alexander_v._lukyanov / lftp4.0.5
• alexander_v._lukyanov / lftp2.0.0 – 2.0.0
• alexander_v._lukyanov / lftp2.0.1 – 2.0.1
• alexander_v._lukyanov / lftp2.0.2 – 2.0.2
• alexander_v._lukyanov / lftp2.0.3 – 2.0.3
• alexander_v._lukyanov / lftp2.0.4 – 2.0.4
• alexander_v._lukyanov / lftp2.0.5 – 2.0.5
• alexander_v._lukyanov / lftp2.1.0 – 2.1.0
• alexander_v._lukyanov / lftp2.1.1 – 2.1.1
• alexander_v._lukyanov / lftp2.1.2 – 2.1.2
• alexander_v._lukyanov / lftp2.1.3 – 2.1.3
• alexander_v._lukyanov / lftp2.1.4 – 2.1.4
• alexander_v._lukyanov / lftp2.1.5 – 2.1.5
• alexander_v._lukyanov / lftp2.1.6 – 2.1.6
• alexander_v._lukyanov / lftp2.1.7 – 2.1.7
• alexander_v._lukyanov / lftp2.1.8 – 2.1.8
• alexander_v._lukyanov / lftp2.1.9 – 2.1.9
• alexander_v._lukyanov / lftp2.1.10 – 2.1.10
• alexander_v._lukyanov / lftp2.2.0 – 2.2.0
• alexander_v._lukyanov / lftp2.2.0a – 2.2.0a
• alexander_v._lukyanov / lftp2.2.1 – 2.2.1
• alexander_v._lukyanov / lftp2.2.2 – 2.2.2
• alexander_v._lukyanov / lftp2.2.3 – 2.2.3
• alexander_v._lukyanov / lftp2.2.4 – 2.2.4
• alexander_v._lukyanov / lftp2.2.5 – 2.2.5
• alexander_v._lukyanov / lftp2.2.6 – 2.2.6
• alexander_v._lukyanov / lftp2.3 – 2.3
• alexander_v._lukyanov / lftp2.3.0 – 2.3.0
• alexander_v._lukyanov / lftp2.3.1 – 2.3.1
• alexander_v._lukyanov / lftp2.3.2 – 2.3.2
• alexander_v._lukyanov / lftp2.3.3 – 2.3.3
• alexander_v._lukyanov / lftp2.3.4 – 2.3.4
• alexander_v._lukyanov / lftp2.3.5 – 2.3.5
• alexander_v._lukyanov / lftp2.3.6 – 2.3.6
• alexander_v._lukyanov / lftp2.3.7 – 2.3.7
• alexander_v._lukyanov / lftp2.3.8 – 2.3.8
• alexander_v._lukyanov / lftp2.3.9 – 2.3.9
• alexander_v._lukyanov / lftp2.3.10 – 2.3.10
• alexander_v._lukyanov / lftp2.3.11 – 2.3.11
• alexander_v._lukyanov / lftp2.4.0 – 2.4.0
• alexander_v._lukyanov / lftp2.4.1 – 2.4.1
• alexander_v._lukyanov / lftp2.4.2 – 2.4.2
• alexander_v._lukyanov / lftp2.4.3 – 2.4.3
• alexander_v._lukyanov / lftp2.4.5 – 2.4.5
• alexander_v._lukyanov / lftp2.4.6 – 2.4.6
• alexander_v._lukyanov / lftp2.4.7 – 2.4.7
• alexander_v._lukyanov / lftp2.4.8 – 2.4.8
• alexander_v._lukyanov / lftp2.4.9 – 2.4.9
• alexander_v._lukyanov / lftp2.4.10 – 2.4.10
• alexander_v._lukyanov / lftp2.4.10a – 2.4.10a
• alexander_v._lukyanov / lftp2.5.0 – 2.5.0
• alexander_v._lukyanov / lftp2.5.1 – 2.5.1
• alexander_v._lukyanov / lftp2.5.2 – 2.5.2
• alexander_v._lukyanov / lftp2.5.3 – 2.5.3
• alexander_v._lukyanov / lftp2.5.4 – 2.5.4
• alexander_v._lukyanov / lftp2.6.0 – 2.6.0
• alexander_v._lukyanov / lftp2.6.1 – 2.6.1
• alexander_v._lukyanov / lftp2.6.2 – 2.6.2
• alexander_v._lukyanov / lftp2.6.3 – 2.6.3
• alexander_v._lukyanov / lftp2.6.4 – 2.6.4
• alexander_v._lukyanov / lftp2.6.5 – 2.6.5
• alexander_v._lukyanov / lftp2.6.6 – 2.6.6
• alexander_v._lukyanov / lftp2.6.7 – 2.6.7
• alexander_v._lukyanov / lftp2.6.8 – 2.6.8
• alexander_v._lukyanov / lftp2.6.9 – 2.6.9
• alexander_v._lukyanov / lftp2.6.10 – 2.6.10
• alexander_v._lukyanov / lftp2.6.11 – 2.6.11
• alexander_v._lukyanov / lftp2.6.12 – 2.6.12
• alexander_v._lukyanov / lftp3.0.0 – 3.0.0
• alexander_v._lukyanov / lftp3.0.1 – 3.0.1
• alexander_v._lukyanov / lftp3.0.2 – 3.0.2
• alexander_v._lukyanov / lftp3.0.3 – 3.0.3
• alexander_v._lukyanov / lftp3.0.4 – 3.0.4
• alexander_v._lukyanov / lftp3.0.5 – 3.0.5
• alexander_v._lukyanov / lftp3.0.6 – 3.0.6
• alexander_v._lukyanov / lftp3.0.7 – 3.0.7
• alexander_v._lukyanov / lftp3.0.8 – 3.0.8
• alexander_v._lukyanov / lftp3.0.9 – 3.0.9
• alexander_v._lukyanov / lftp3.0.10 – 3.0.10
• alexander_v._lukyanov / lftp3.0.11 – 3.0.11
• alexander_v._lukyanov / lftp3.0.12 – 3.0.12
• alexander_v._lukyanov / lftp3.0.13 – 3.0.13
• alexander_v._lukyanov / lftp3.1.0 – 3.1.0
• alexander_v._lukyanov / lftp3.1.1 – 3.1.1
• alexander_v._lukyanov / lftp3.1.2 – 3.1.2
• alexander_v._lukyanov / lftp3.1.3 – 3.1.3
• alexander_v._lukyanov / lftp3.2.0 – 3.2.0
• alexander_v._lukyanov / lftp3.2.1 – 3.2.1
• alexander_v._lukyanov / lftp3.3.0 – 3.3.0
• alexander_v._lukyanov / lftp3.3.1 – 3.3.1
• alexander_v._lukyanov / lftp3.3.2 – 3.3.2
• alexander_v._lukyanov / lftp3.3.3 – 3.3.3
• alexander_v._lukyanov / lftp3.3.4 – 3.3.4
• alexander_v._lukyanov / lftp3.3.5 – 3.3.5
• alexander_v._lukyanov / lftp3.4.0 – 3.4.0
• alexander_v._lukyanov / lftp3.4.1 – 3.4.1
• alexander_v._lukyanov / lftp3.4.2 – 3.4.2
• alexander_v._lukyanov / lftp3.4.3 – 3.4.3
• alexander_v._lukyanov / lftp3.4.4 – 3.4.4
• alexander_v._lukyanov / lftp3.4.5 – 3.4.5
• alexander_v._lukyanov / lftp3.4.6 – 3.4.6
• alexander_v._lukyanov / lftp3.4.7 – 3.4.7
• alexander_v._lukyanov / lftp3.5.0 – 3.5.0
• alexander_v._lukyanov / lftp3.5.1 – 3.5.1
• alexander_v._lukyanov / lftp3.5.2 – 3.5.2
• alexander_v._lukyanov / lftp3.5.3 – 3.5.3
• alexander_v._lukyanov / lftp3.5.4 – 3.5.4
• alexander_v._lukyanov / lftp3.5.5 – 3.5.5
• alexander_v._lukyanov / lftp3.5.6 – 3.5.6
• alexander_v._lukyanov / lftp3.5.7 – 3.5.7
• alexander_v._lukyanov / lftp3.5.8 – 3.5.8
• alexander_v._lukyanov / lftp3.5.9 – 3.5.9
• alexander_v._lukyanov / lftp3.5.10 – 3.5.10
• alexander_v._lukyanov / lftp3.5.11 – 3.5.11
• alexander_v._lukyanov / lftp3.5.12 – 3.5.12
• alexander_v._lukyanov / lftp3.5.13 – 3.5.13
• alexander_v._lukyanov / lftp3.5.14 – 3.5.14
• alexander_v._lukyanov / lftp3.5.15 – 3.5.15
• alexander_v._lukyanov / lftp3.6.0 – 3.6.0
• alexander_v._lukyanov / lftp3.6.1 – 3.6.1
• alexander_v._lukyanov / lftp3.6.2 – 3.6.2
• alexander_v._lukyanov / lftp3.6.3 – 3.6.3
• alexander_v._lukyanov / lftp3.7.0 – 3.7.0
• alexander_v._lukyanov / lftp3.7.1 – 3.7.1
• alexander_v._lukyanov / lftp3.7.2 – 3.7.2
• alexander_v._lukyanov / lftp3.7.3 – 3.7.3
• alexander_v._lukyanov / lftp3.7.4 – 3.7.4
• alexander_v._lukyanov / lftp3.7.5 – 3.7.5
• alexander_v._lukyanov / lftp3.7.6 – 3.7.6
• alexander_v._lukyanov / lftp3.7.7 – 3.7.7
• alexander_v._lukyanov / lftp3.7.8 – 3.7.8
• alexander_v._lukyanov / lftp3.7.9 – 3.7.9
• alexander_v._lukyanov / lftp3.7.10 – 3.7.10
• alexander_v._lukyanov / lftp3.7.11 – 3.7.11
• alexander_v._lukyanov / lftp3.7.12 – 3.7.12
• alexander_v._lukyanov / lftp3.7.13 – 3.7.13
• alexander_v._lukyanov / lftp3.7.14 – 3.7.14
• alexander_v._lukyanov / lftp4.0.0 – 4.0.0
• alexander_v._lukyanov / lftp4.0.1 – 4.0.1
• alexander_v._lukyanov / lftp4.0.2 – 4.0.2
• alexander_v._lukyanov / lftp4.0.3 – 4.0.3
• alexander_v._lukyanov / lftp4.0.4 – 4.0.4

References

• MAILING_LISThttp://marc.info/?l=oss-security&m=127411372529485&w=2
• VENDOR_ADVISORYhttp://wiki.rpath.com/Advisories:rPSA-2010-0073
• MISChttps://bugzilla.redhat.com/show_bug.cgi?id=602836
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/1654
• MAILING_LISThttp://marc.info/?l=oss-security&m=127611288927500&w=2
• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2010-June/043597.html
• VENDOR_ADVISORYhttp://www.ocert.org/advisories/ocert-2010-001.html
• MISChttps://bugzilla.redhat.com/show_bug.cgi?id=591580
• MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/40400
• VENDOR_ADVISORYhttp://www.debian.org/security/2010/dsa-2085
• MISChttp://www.securityfocus.com/archive/1/514499/100/0/threaded
• MISChttp://lftp.yar.ru/news.html
• MAILING_LISThttp://marc.info/?l=oss-security&m=127432968701342&w=2
• MAILING_LISThttp://marc.info/?l=oss-security&m=127620248914170&w=2