SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   LFTP Vendors:   Lukyanov, Alexander
(Slackware Issues Fix) LFTP Buffer Overflow in Processing HTTP Responses May Allow Remote Code Execution
SecurityTracker Alert ID:  1008465
SecurityTracker URL:  http://securitytracker.com/id/1008465
CVE Reference:   CVE-2003-0963   (Links to External Site)
Updated:  Dec 16 2003
Original Entry Date:  Dec 14 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.6.10
Description:   A buffer overflow vulnerability was reported in LFTP. A remote server may be able to cause arbitrary code to be executed on a connected client.

It is reported that LFTP contains buffer overflows that can be triggered by a remote user. The flaws reside in the try_netscape_proxy() and try_squid_eplf() functions in 'HttpDir.cc'. A remote user operating a web server can reportedly create a specially crafted directory so that when a target user connects to the web server (secure or non-secure) with the LFTP client and issues the "ls" or "rels" command, arbitrary code will be executed on the target user's system.

Ulf Harnhammar is credited with discovering the bugs.

Impact:   A remote server can cause arbitrary code to be executed on the target user's LFTP client when the client connects to the server and issues an "ls" or "rels" command.
Solution:   Slackware has issued a fix.

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/lftp-2.6.10-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/lftp-2.6.10-i386-1.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/lftp-2.6.10-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/lftp-2.6.10-i486-1.tgz

The MD5 signatures are:

Slackware 8.1 package:
1e7eae2a8279491d439f4494c8733aa2 lftp-2.6.10-i386-1.tgz

Slackware 9.0 package:
af80878951917a6683bc3076947f2632 lftp-2.6.10-i386-1.tgz

Slackware 9.1 package:
e053a1641f1f16de8d2659e70ca81c04 lftp-2.6.10-i486-1.tgz

Slackware -current package:
07e76203820f54983cbc4591cc830b97 lftp-2.6.10-i486-1.tgz

Vendor URL:  lftp.yar.ru/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Slackware)
Underlying OS Comments:  8.1, 9.0, 9.1

Message History:   This archive entry is a follow-up to the message listed below.
Dec 14 2003 LFTP Buffer Overflow in Processing HTTP Responses May Allow Remote Code Execution



 Source Message Contents

Subject:  [slackware-security] lftp security update (SSA:2003-346-01)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  lftp security update (SSA:2003-346-01)

lftp is a file transfer program that connects to other hosts
using FTP, HTTP, and other protocols.

A security problem with lftp has been corrected with the release
of lftp-2.6.10.  New packages are available for Slackware 8.1,
9.0, 9.1, and -current.  Any sites using lftp should upgrade to
the new packages.


Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Fri Dec 12 11:12:05 PST 2003
patches/packages/lftp-2.6.10-i486-1.tgz:  Upgraded to lftp-2.6.10.
  According to the NEWS file, this includes "security fixes in html
  parsing code" which could cause a compromise when using lftp to
  access an untrusted site.
  (* Security fix *)
+--------------------------+


WHERE TO FIND THE NEW PACKAGE:
+-----------------------------+

Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/lftp-2.6.10-i386-1.tgz

Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/lftp-2.6.10-i386-1.tgz

Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/lftp-2.6.10-i486-1.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/lftp-2.6.10-i486-1.tgz


MD5 SIGNATURES:
+-------------+

Slackware 8.1 package:
1e7eae2a8279491d439f4494c8733aa2  lftp-2.6.10-i386-1.tgz

Slackware 9.0 package:
af80878951917a6683bc3076947f2632  lftp-2.6.10-i386-1.tgz

Slackware 9.1 package:
e053a1641f1f16de8d2659e70ca81c04  lftp-2.6.10-i486-1.tgz

Slackware -current package:
07e76203820f54983cbc4591cc830b97  lftp-2.6.10-i486-1.tgz


INSTALLATION INSTRUCTIONS:
+------------------------+

Upgrade the package as root:
# upgradepkg lftp-2.6.10-i486-1.tgz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/2hdTakRjwEAQIjMRAmHbAKCQtw9UN4ItGNph3ca4CqtfJDZiyACfV5gc
0uX5KSFnwEb2k0tucmkKWzI=
=SQlB
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC