Date: Thu, 10 Jun 2010 14:40:58 -0600
From: Vincent Danen <>
Subject: Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability

* [2010-05-20 08:27:56 +0400] Solar Designer wrote:

>On Wed, May 19, 2010 at 03:28:18PM +0200, Ludwig Nussel wrote:
>> Serving dot files is a neat trick indeed, I've overlooked that
>> paragraph in the ocert advisory. Nevertheless I'm not convinced it's
>> worth changing wget's default behavior in the proposed way. So I can
>> understand upstream here.
>As far as I'm aware, at the time of the initial oCERT notification, the
>wget upstream was represented by Micah Cowan, who was about to resign.
>And he did:
>oCERT has re-notified the new upstream shortly before publishing the
>advisory (we decided this was not enough of a reason to introduce a
>further pre-public-disclosure delay).  I don't think the new wget
>upstream has made a determination on this issue yet; at least I'm not
>aware of that.
>For those producing back-ports for lftp, the approach to take is to
>download 4.0.5 and 4.0.6 from:
>Then diff them with:
>diff -purx configure -x po -x 'Makefile*' -x '*.in' -x '*.in.h' -x m4 -x lib -x build-aux -x '*.m4' lftp-4.0.5 lftp-4.0.6

Just to follow up on this, I did some work on this today and a patch is
attached to our bugzilla:

Also looking at it, this support was introduced in 3.4.7, so anyone
shipping a version of lftp prior to that shouldn't have to worry about

Vincent Danen / Red Hat Security Response Team 
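The thread turns on clients that create a local file under a name the server chose (via Content-Disposition or the final URL), including dot files such as `.bashrc`. The routine below is an added example, not the lftp patch mentioned above nor code from wget, lftp or anyone in this thread; it shows the kind of policy a client can apply before touching the filesystem. The header parsing, the `index.html` fallback, and the opt-in flag `trust_server_name` are assumptions of this example.

```python
"""Sanitize a server-supplied download filename before writing to disk.

Added example, not code from this thread or from wget/lftp. It assumes a
client that takes the filename from a Content-Disposition header or from the
final URL path (after redirects). The policy here is hypothetical: refuse
names a user would not expect (leading dot, empty, traversal-only, control
characters) and fall back to a fixed name the caller can recognise.
"""
import re
from urllib.parse import urlparse, unquote

# Matches filename=foo, filename="foo bar" and the RFC 5987 filename*= form.
_CD_FILENAME = re.compile(r'filename\*?\s*=\s*("?)([^";]*)\1', re.IGNORECASE)


def filename_from_content_disposition(header):
    """Return the filename parameter of a Content-Disposition value, or None."""
    if not header:
        return None
    m = _CD_FILENAME.search(header)
    if not m:
        return None
    value = m.group(2).strip()
    # RFC 5987 form: filename*=UTF-8''r%C3%A9sum%C3%A9.txt
    if "''" in value:
        value = unquote(value.split("''", 1)[1])
    return value or None


def filename_from_url(url):
    """Return the last path component of the URL (percent-decoded), or None."""
    path = urlparse(url).path
    return unquote(path.rsplit('/', 1)[-1]) or None


def safe_download_name(candidate, fallback='index.html'):
    """Return a name that is safe to create in the current directory.

    Anything suspicious is rejected (not repaired) in favour of the fallback,
    so a caller can also log that the server-supplied name was refused.
    """
    if candidate is None:
        return fallback
    # Keep only the last path component, whichever separator style was used.
    name = candidate.replace('\\', '/').rsplit('/', 1)[-1]
    if name in ('', '.', '..'):
        return fallback
    if name.startswith('.'):   # dot files such as .bashrc or .profile: refuse
        return fallback
    if any(ord(c) < 0x20 or c == '\x7f' for c in name):
        return fallback
    return name


def choose_name(url, content_disposition, trust_server_name=False):
    """Pick the local filename for a download.

    The server's Content-Disposition name is honoured only when the caller
    opted in (trust_server_name=True); otherwise the name comes from the URL.
    Either way it passes through safe_download_name().
    """
    if trust_server_name:
        name = filename_from_content_disposition(content_disposition)
        if name is not None:
            return safe_download_name(name)
    return safe_download_name(filename_from_url(url))


if __name__ == '__main__':
    # Constructed sample inputs, not captured from any real server.
    print(choose_name('http://example.test/files/report.pdf',
                      'attachment; filename=".profile"'))                 # report.pdf
    print(choose_name('http://example.test/files/report.pdf',
                      'attachment; filename=".profile"', True))           # index.html
    print(choose_name('http://example.test/files/report.pdf',
                      'attachment; filename="notes.txt"', True))          # notes.txt
```

Rejecting and falling back, rather than trying to "fix" a bad name, keeps the behaviour predictable for the user and makes the refusal easy to surface in the client's output.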
