Re: [oCERT-2010-001] multiple http client unexpected download filename vulnerability

[Vincent Danen <vdanen () redhat com>]

* [2010-05-20 08:27:56 +0400] Solar Designer wrote:

> On Wed, May 19, 2010 at 03:28:18PM +0200, Ludwig Nussel wrote:
> > Serving dot files is a neat trick indeed, I've overlooked that
> > paragraph in the ocert advisory. Nevertheless I'm not convinced it's
> > worth changing wget's default behavior in the proposed way. So I can
> > understand upstream here.
>
> As far as I'm aware, at the time of the initial oCERT notification, the
> wget upstream was represented by Micah Cowan, who was about to resign.
> And he did:
>
> http://lists.gnu.org/archive/html/bug-wget/2010-04/msg00027.html
>
> oCERT has re-notified the new upstream shortly before publishing the
> advisory (we decided this was not enough of a reason to introduce a
> further pre-public-disclosure delay).  I don't think the new wget
> upstream has made a determination on this issue yet; at least I'm not
> aware of that.
>
> ...
>
> For those producing back-ports for lftp, the approach to take is to
> download 4.0.5 and 4.0.6 from:
>
> http://ftp.yars.free.net/pub/source/lftp/old/
>
> Then diff them with:
>
> diff -purx configure -x po -x 'Makefile*' -x '*.in' -x '*.in.h' -x m4 -x lib -x build-aux -x '*.m4' lftp-4.0.5 
> lftp-4.0.6

Just to follow up on this, I did some work on this today and a patch is
attached to our bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=591580

Also looking at it, this support was introduced in 3.4.7, so anyone
shipping a version of lftp prior to that shouldn't have to worry about
it.

--
Vincent Danen / Red Hat Security Response Team