Date: Thu, 10 Jun 2010 14:40:58 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability

* [2010-05-20 08:27:56 +0400] Solar Designer wrote:

>On Wed, May 19, 2010 at 03:28:18PM +0200, Ludwig Nussel wrote:
>> Serving dot files is a neat trick indeed, I've overlooked that
>> paragraph in the ocert advisory. Nevertheless I'm not convinced it's
>> worth changing wget's default behavior in the proposed way. So I can
>> understand upstream here.
>
>As far as I'm aware, at the time of the initial oCERT notification, the
>wget upstream was represented by Micah Cowan, who was about to resign.
>And he did:
>
>http://lists.gnu.org/archive/html/bug-wget/2010-04/msg00027.html
>
>oCERT has re-notified the new upstream shortly before publishing the
>advisory (we decided this was not enough of a reason to introduce a
>further pre-public-disclosure delay). I don't think the new wget
>upstream has made a determination on this issue yet; at least I'm not
>aware of that.
>
>...
>
>For those producing back-ports for lftp, the approach to take is to
>download 4.0.5 and 4.0.6 from:
>
>http://ftp.yars.free.net/pub/source/lftp/old/
>
>Then diff them with:
>
>diff -purx configure -x po -x 'Makefile*' -x '*.in' -x '*.in.h' -x m4 -x lib -x build-aux -x '*.m4' lftp-4.0.5 lftp-4.0.6

Just to follow up on this, I did some work on this today and a patch is
attached to our bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=591580

Also looking at it, this support was introduced in 3.4.7, so anyone
shipping a version of lftp prior to that shouldn't have to worry about
it.

-- 
Vincent Danen / Red Hat Security Response Team
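The back-port recipe quoted in the message above (diff two release trees while excluding autotools output) is easy to get subtly wrong, because GNU diff's -x patterns match basenames at any depth, so '*.in' drops src/Makefile.in as well as the top-level one. The script below is an added example, not code from the thread or from lftp: it builds two small constructed source trees standing in for lftp-4.0.5 and lftp-4.0.6, runs the exact diff command from the message on them, and lets you check that only the real source change (a constructed src/ftp.cc edit) ends up in the patch. The tree layout, file names and contents are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the lftp project): reproduce the
# quoted backport-diff recipe on two constructed release trees so the
# effect of the -x exclusion list can be inspected offline.

set -u

# Create a minimal fake "old" and "new" release tree under the directory $1.
# Every file except src/ftp.cc is something autotools/gettext would generate
# and that the quoted diff command is meant to leave out of the patch.
make_trees() {
    base="$1"
    for v in old new; do
        d="$base/$v"
        mkdir -p "$d/src" "$d/po" "$d/m4" "$d/lib" "$d/build-aux"
        printf 'generated %s\n' "$v" > "$d/configure"        # -x configure
        printf 'generated %s\n' "$v" > "$d/Makefile.in"      # -x 'Makefile*' / '*.in'
        printf 'generated %s\n' "$v" > "$d/src/Makefile.in"  # '*.in' matches at depth too
        printf 'generated %s\n' "$v" > "$d/config.h.in"      # -x '*.in'
        printf 'generated %s\n' "$v" > "$d/m4/foo.m4"        # -x m4 / '*.m4'
        printf 'generated %s\n' "$v" > "$d/po/de.po"         # -x po
        printf 'generated %s\n' "$v" > "$d/lib/gl.c"         # -x lib (gnulib copy)
        printf 'generated %s\n' "$v" > "$d/build-aux/depcomp" # -x build-aux
    done
    # The one hand-written source change we want in the backport patch
    # (constructed stand-in for the real 4.0.5 -> 4.0.6 fix).
    printf 'int f(void)\n{\n\treturn 1;\n}\n' > "$base/old/src/ftp.cc"
    printf 'int f(void)\n{\n\treturn 2;\n}\n' > "$base/new/src/ftp.cc"
}

# The diff command from the thread, verbatim apart from the tree names.
# GNU diff exits 1 when it finds differences, which is the expected case
# here, so only exit status 2 (a real error) is treated as failure.
backport_diff() {
    diff -purx configure -x po -x 'Makefile*' -x '*.in' -x '*.in.h' \
         -x m4 -x lib -x build-aux -x '*.m4' "$1" "$2" || [ $? -eq 1 ]
}

# Number of files that made it into the patch (one "--- " header each).
patched_file_count() {
    backport_diff "$1" "$2" | grep -c '^--- '
}

# Usage: run on a scratch directory and print the resulting patch.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_trees "$tmp"
    backport_diff "$tmp/old" "$tmp/new"
    echo "files in patch: $(patched_file_count "$tmp/old" "$tmp/new")"
    rm -rf "$tmp"
fi
```

Run it as `sh backport-diff.sh demo`. The patch it prints contains only src/ftp.cc; everything the -x list names is gone even though all of it differs between the trees. When you do this on the real tarballs, compare the file count against what you expect from the release announcement before applying the patch to your package, since an exclusion pattern that is too broad will silently drop a genuine source change.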