Date: Thu, 10 Jun 2010 14:40:58 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability

* [2010-05-20 08:27:56 +0400] Solar Designer wrote:

>On Wed, May 19, 2010 at 03:28:18PM +0200, Ludwig Nussel wrote:
>> Serving dot files is a neat trick indeed, I've overlooked that
>> paragraph in the ocert advisory. Nevertheless I'm not convinced it's
>> worth changing wget's default behavior in the proposed way. So I can
>> understand upstream here.
>
>As far as I'm aware, at the time of the initial oCERT notification, the
>wget upstream was represented by Micah Cowan, who was about to resign.
>And he did:
>
>http://lists.gnu.org/archive/html/bug-wget/2010-04/msg00027.html
>
>oCERT has re-notified the new upstream shortly before publishing the
>advisory (we decided this was not enough of a reason to introduce a
>further pre-public-disclosure delay). I don't think the new wget
>upstream has made a determination on this issue yet; at least I'm not
>aware of that.
>
>...
>
>For those producing back-ports for lftp, the approach to take is to
>download 4.0.5 and 4.0.6 from:
>
>http://ftp.yars.free.net/pub/source/lftp/old/
>
>Then diff them with:
>
>diff -purx configure -x po -x 'Makefile*' -x '*.in' -x '*.in.h' -x m4 -x lib -x build-aux -x '*.m4' lftp-4.0.5 lftp-4.0.6

Just to follow up on this, I did some work on this today and a patch is
attached to our bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=591580

Also, looking at it, this support was introduced in 3.4.7, so anyone
shipping a version of lftp prior to that shouldn't have to worry about it.

-- 
Vincent Danen / Red Hat Security Response Team
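Added illustration (not code from the thread, the oCERT advisory, wget or lftp): the "unexpected download filename" class in the subject line is an HTTP client that saves a download under the name the server supplies in the Content-Disposition header, so a hostile server can return a filename such as ".bashrc" (the "dot files" Ludwig mentions) or one carrying path separators. The block below contrasts a naive client that trusts the header with a hardened name-selection routine that only honours the server's suggestion when the user has opted in and the name is a single, non-hidden path component; the sample URL/header pairs are constructed, and the helper names are mine.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample responses (not captured traffic): the URL that was
# requested and the Content-Disposition header the server answered with.
SAMPLES = [
    ("http://example.invalid/report.pdf", 'attachment; filename="report.pdf"'),
    ("http://example.invalid/index.html", 'attachment; filename=".bashrc"'),
    ("http://example.invalid/index.html",
     'attachment; filename="../.ssh/authorized_keys"'),
    ("http://example.invalid/index.html", 'attachment; filename="C:\\boot.ini"'),
    ("http://example.invalid/dl?id=7", None),
]

# Minimal filename= extraction: quoted or bare token, case-insensitive name.
_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;]+))', re.IGNORECASE)


def server_suggested_name(content_disposition):
    """Return the raw filename= value from the header, or None if absent."""
    if not content_disposition:
        return None
    m = _FILENAME_RE.search(content_disposition)
    if not m:
        return None
    name = m.group(1) if m.group(1) is not None else m.group(2)
    return name.strip()


def url_basename(url):
    """Fallback name derived from the request URL only (what the user typed)."""
    base = posixpath.basename(unquote(urlsplit(url).path))
    return base if base else "index.html"


def naive_name(url, content_disposition):
    """The trusting behaviour: whatever the server suggests is used verbatim."""
    suggested = server_suggested_name(content_disposition)
    return suggested if suggested else url_basename(url)


def is_safe_basename(name):
    """Accept only a single, visible path component."""
    if not name or name in (".", ".."):
        return False
    if name.startswith("."):          # hidden file such as .bashrc or .ssh
        return False
    if any(ch in name for ch in "/\\\x00"):  # directory traversal, NUL
        return False
    if ":" in name:                   # drive letters / ADS on Windows
        return False
    return True


def hardened_name(url, content_disposition, trust_server=False):
    """Use the server's name only when opted in AND it passes the checks."""
    if trust_server:
        suggested = server_suggested_name(content_disposition)
        if suggested and is_safe_basename(suggested):
            return suggested
    return url_basename(url)


if __name__ == "__main__":
    for url, cd in SAMPLES:
        print(f"{url!s:40} naive={naive_name(url, cd)!r:32} "
              f"hardened={hardened_name(url, cd, trust_server=True)!r}")
```

The design choice the thread argues about is the default of `trust_server`: leaving it off means a plain download is named from the URL the user asked for, and the header-derived name only ever applies when the user opts in, with the basename check as a second line of defence.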