lftp: CVE-2018-10916: Exploit in reverse mirror job deletes cwd on source

Related Vulnerabilities: CVE-2018-10916  

Debian Bug report logs - #905163
lftp: CVE-2018-10916: Exploit in reverse mirror job deletes cwd on source


Package: src:lftp; Maintainer for src:lftp is Noël Köthe <noel@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 1 Aug 2018 03:51:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions lftp/4.7.4-1, lftp/4.8.3-1

Fixed in version lftp/4.8.4-1

Done: Noël Köthe <noel@debian.org>

Forwarded to https://github.com/lavv17/lftp/issues/452



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Noël Köthe <noel@debian.org>:
Bug#905163; Package src:lftp. (Wed, 01 Aug 2018 03:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Noël Köthe <noel@debian.org>. (Wed, 01 Aug 2018 03:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lftp: CVE-2018-10916: Exploit in reverse mirror job deletes cwd on source
Date: Wed, 01 Aug 2018 05:46:55 +0200
Source: lftp
Version: 4.8.3-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/lavv17/lftp/issues/452

Hi,

The following vulnerability was published for lftp, where, in case the reverse
mirror option is used, it can lead to data loss on the source.

CVE-2018-10916[0]:
Exploit in reverse mirror job deletes cwd on source

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10916
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10916
[1] https://github.com/lavv17/lftp/issues/452
[2] https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Noël Köthe <noel@debian.org>:
Bug#905163; Package src:lftp. (Wed, 01 Aug 2018 07:33:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Noël Köthe <noel@debian.org>. (Wed, 01 Aug 2018 07:33:06 GMT)


Message #10 received at 905163@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 905163@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#905163: lftp: CVE-2018-10916: Exploit in reverse mirror job deletes cwd on source
Date: Wed, 1 Aug 2018 09:25:46 +0200
Control: found -1 4.7.4-1

Hi Noel,

On Wed, Aug 01, 2018 at 05:46:55AM +0200, Salvatore Bonaccorso wrote:
> Source: lftp
> Version: 4.8.3-1
> Severity: grave
> Tags: patch security upstream
> Forwarded: https://github.com/lavv17/lftp/issues/452
> 
> Hi,
> 
> The following vulnerability was published for lftp, where, in case the reverse
> mirror option is used, it can lead to data loss on the source.
> 
> CVE-2018-10916[0]:
> Exploit in reverse mirror job deletes cwd on source
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-10916
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10916
> [1] https://github.com/lavv17/lftp/issues/452
> [2] https://github.com/lavv17/lftp/commit/a27e07d90a4608ceaf928b1babb27d4d803e1992
> 
> Please adjust the affected versions in the BTS as needed.

We marked it as no-dsa for stretch, but a fix would still be great as
well for stable. Could you prepare an update for next point release
for stretch?

Regards,
Salvatore



Marked as found in versions lftp/4.7.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 905163-submit@bugs.debian.org. (Wed, 01 Aug 2018 07:33:06 GMT)


Reply sent to Noël Köthe <noel@debian.org>:
You have taken responsibility. (Thu, 02 Aug 2018 04:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 02 Aug 2018 04:51:03 GMT)


Message #17 received at 905163-close@bugs.debian.org:

From: Noël Köthe <noel@debian.org>
To: 905163-close@bugs.debian.org
Subject: Bug#905163: fixed in lftp 4.8.4-1
Date: Thu, 02 Aug 2018 04:49:22 +0000
Source: lftp
Source-Version: 4.8.4-1

We believe that the bug you reported is fixed in the latest version of
lftp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 905163@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <noel@debian.org> (supplier of updated lftp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 02 Aug 2018 05:47:42 +0200
Source: lftp
Binary: lftp
Architecture: source amd64
Version: 4.8.4-1
Distribution: unstable
Urgency: high
Maintainer: Noël Köthe <noel@debian.org>
Changed-By: Noël Köthe <noel@debian.org>
Description:
 lftp       - Sophisticated command-line FTP/HTTP/BitTorrent client programs
Closes: 905163
Changes:
 lftp (4.8.4-1) unstable; urgency=high
 .
   * New upstream version 4.8.4 fixes CVE-2018-10916 closes: Bug#905163
   * updated Standards-Version; no changes needed
   * switched to debhelper 11
   * fix lintian warning about trailing whitespaces
   * updated signing key from Alexander V. Lukyanov <lav@yars.free.net>
Checksums-Sha1:
Checksums-Sha256:
Files:







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:53:48 2019; Machine Name: buxtehude
