oss-sec mailing list archives
Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability
From: Vincent Danen <vdanen () redhat com>
Date: Thu, 10 Jun 2010 14:40:58 -0600
* [2010-05-20 08:27:56 +0400] Solar Designer wrote:
> On Wed, May 19, 2010 at 03:28:18PM +0200, Ludwig Nussel wrote:
> > Serving dot files is a neat trick indeed, I've overlooked that paragraph
> > in the ocert advisory. Nevertheless I'm not convinced it's worth changing
> > wget's default behavior in the proposed way. So I can understand upstream
> > here.
>
> As far as I'm aware, at the time of the initial oCERT notification, the
> wget upstream was represented by Micah Cowan, who was about to resign.
> And he did:
>
> http://lists.gnu.org/archive/html/bug-wget/2010-04/msg00027.html
>
> oCERT has re-notified the new upstream shortly before publishing the
> advisory (we decided this was not enough of a reason to introduce a
> further pre-public-disclosure delay). I don't think the new wget
> upstream has made a determination on this issue yet; at least I'm not
> aware of that.
>
> ...
>
> For those producing back-ports for lftp, the approach to take is to
> download 4.0.5 and 4.0.6 from:
>
> http://ftp.yars.free.net/pub/source/lftp/old/
>
> Then diff them with:
>
> diff -purx configure -x po -x 'Makefile*' -x '*.in' -x '*.in.h' -x m4 -x lib -x build-aux -x '*.m4' lftp-4.0.5 lftp-4.0.6
Just to follow up on this, I did some work on this today and a patch is
attached to our bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=591580

Also looking at it, this support was introduced in 3.4.7, so anyone
shipping a version of lftp prior to that shouldn't have to worry about it.

-- 
Vincent Danen / Red Hat Security Response Team
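The "dot files" trick mentioned in the thread is the core of the advisory's subject: an HTTP client that names the downloaded file after something the server controls can be made to write `.bash_profile`, `.wgetrc` or similar into the user's current directory. The following is an added illustration, not code from wget, lftp, the oCERT advisory or the Red Hat patch. It assumes the server-controlled name reaches the client either as the `filename` parameter of a Content-Disposition header or as the last path component of the (possibly redirected) URL; the function, constant and sample names are the example's own.

```python
"""Choose a local filename for an HTTP download without trusting the server.

Added example for the oCERT-2010-001 discussion; not code from wget, lftp or
the advisory.  Assumes the server-controlled name arrives either as a
Content-Disposition filename parameter or as the last URL path component.
"""
import re
from email.message import Message
from urllib.parse import urlsplit, unquote

DEFAULT_NAME = "index.html"          # hypothetical client default
_SEPARATORS = re.compile(r"[/\\]")


def filename_from_content_disposition(header):
    """Return the filename parameter of a Content-Disposition value, or None.

    The stdlib MIME parser handles quoting and RFC 2231 encoded parameters.
    """
    if not header:
        return None
    msg = Message()
    msg["Content-Disposition"] = header
    return msg.get_filename()


def filename_from_url(url):
    """Return the last path component of the URL, percent-decoded, or None."""
    path = unquote(urlsplit(url).path)
    last = path.rsplit("/", 1)[-1]
    return last or None


def is_safe_local_name(name):
    """Accept only a plain name that may be created in the download directory.

    Rejects empty names, '.' and '..', any path separator (the server must not
    pick the directory), names beginning with a dot (the dot-file trick from
    the thread: .bash_profile, .wgetrc, .ssh ...) and control characters.
    """
    if not name or name in (".", ".."):
        return False
    if _SEPARATORS.search(name):
        return False
    if name.startswith("."):
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False
    return True


def choose_filename(url, content_disposition=None, default=DEFAULT_NAME):
    """Pick the name to write, using a server suggestion only when it is safe.

    Returns (name, source); source says which candidate won, so a client can
    warn the user when a server-supplied name was discarded.
    """
    candidates = (
        ("content-disposition", filename_from_content_disposition(content_disposition)),
        ("url", filename_from_url(url)),
    )
    for source, candidate in candidates:
        if is_safe_local_name(candidate):
            return candidate, source
    return default, "default"


def unsafe_choose_filename(url, content_disposition=None, default=DEFAULT_NAME):
    """The behaviour the advisory objects to: the server's name wins unchecked."""
    name = filename_from_content_disposition(content_disposition)
    if name is None:
        name = filename_from_url(url)
    return name or default


if __name__ == "__main__":
    # Constructed inputs for demonstration, not captured traffic.
    samples = [
        ("http://example.invalid/files/report.pdf", None),
        ("http://example.invalid/files/report.pdf", 'attachment; filename=".bash_profile"'),
        ("http://example.invalid/.bashrc", None),
        ("http://example.invalid/files/x", 'attachment; filename="../../etc/cron.d/job"'),
        ("http://example.invalid/files/%2ewgetrc", None),
    ]
    for url, cd in samples:
        print(url, cd, "->", choose_filename(url, cd),
              "| unchecked:", unsafe_choose_filename(url, cd))
```

The checked version degrades gracefully: a rejected Content-Disposition name falls back to the URL component, and a rejected URL component (for instance after a redirect to `/.bashrc`) falls back to a fixed default, so the server never chooses a name the user would not expect.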
Current thread:
- [oCERT-2010-001] multiple http client unexpected download filename vulnerability Daniele Bianco (May 17)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Florian Weimer (May 17)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Ludwig Nussel (May 18)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Solar Designer (May 18)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Ludwig Nussel (May 19)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Solar Designer (May 19)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Vincent Danen (Jun 10)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Solar Designer (May 20)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Solar Designer (May 20)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Ludwig Nussel (May 18)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Florian Weimer (May 17)
- Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability Steven M. Christey (Jun 09)