USN-984-1: LFTP vulnerability

Ubuntu Security Notice USN-984-1

7th September, 2010

lftp vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.04 LTS
  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.04 LTS

Software description

  • lftp

Details

It was discovered that LFTP incorrectly filtered filenames suggested
by Content-Disposition headers. If a user or automated system were tricked
into downloading a file from a malicious site, a remote attacker could
create the file with an arbitrary name, such as a dotfile, and possibly run
arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 10.04 LTS:
lftp 4.0.2-1ubuntu0.1
Ubuntu 9.10:
lftp 3.7.15-1ubuntu2.1
Ubuntu 9.04:
lftp 3.7.8-1ubuntu0.1
Ubuntu 8.04 LTS:
lftp 3.6.1-1ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

ATTENTION: This update changes previous behaviour by ignoring the filename
supplied by servers in Content-Disposition headers. To re-enable previous
behaviour, use the new xfer:auto-rename setting.

References

CVE-2010-2251