Fedora LFTP Update: 2023-057 Critical Buffer Overflow Risk

LFTP is a sophisticated ftp/http file transfer program. Like bash, it

has job control and uses the readline library for input. It has

bookmarks, built-in mirroring, and can transfer several files in

parallel. It is designed with reliability in mind.

Ulf Härnhammar found a remotely-triggerable buffer overflow in lftp.

An attacker could create a carefully crafted directory on a website

such that, if a user connects to that directory using the lftp client

and subsequently issues a 'ls' or 'rels' command, the attacker could

execute arbitrary code on the users machine. The Common

Vulnerabilities and Exposures project (cve.mitre.org) has assigned

the name CAN-2003-0963 to this issue.

Users of lftp are advised to upgrade to these erratum packages, which

upgrade lftp to a version which is not vulnerable to this issue.

Red Hat would like to thank Ulf Härnhammar for discovering and

alerting us to this issue.

- update to 2.6.10, which folds in the previous patches

- configure with --with-debug so that we get useful debug info

* Tue Dec 09 2003 Nalin Dahyabhai <nalin@RedHat.com> 2.6.9-1

- include patch based on patch from Ulf Härnhammar to fix unsafe use of

sscanf when reading http directory listings (CAN-2003-0963)

- include patch based on patch from Ulf Härnhammar to fix compile warnings

modified based on input from Solar Designer

* Mon Dec 08 2003 Nalin Dahyabhai <nalin@RedHat.com>

- update to 2.6.9

b36e31c19e088ee086afc9c42dacd471 SRPMS/lftp-2.6.10-1.src.rpm

1a6ab3a0b3df685cc1354bf4740a7201 i386/lftp-2.6.10-1.i386.rpm

7c70562d0c91db1b15d21d0f56f32ea0 i386/debug/lftp-debuginfo-2.6.10-1.i386.rpm

This update can also be installed with the Update Agent; you can

launch the Update Agent with the 'up2date' command.