Skip Quicknav

• About Debian
• News
• Getting Debian
• Support
• Developers' Corner
• Site map
• Search

Debian Security Advisory

DSA-406-1 lftp -- buffer overflow

Date Reported:

05 Jan 2004

Affected Packages:

lftp

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 9210.
In Mitre's CVE dictionary: CVE-2003-0963.

More information:

Ulf Härnhammar discovered a buffer overflow in lftp, a set of sophisticated command-line FTP/HTTP client programs. An attacker could create a carefully crafted directory on a website so that the execution of an 'ls' or 'rels' command would lead to the execution of arbitrary code on the client machine.

For the stable distribution (woody) this problem has been fixed in version 2.4.9-1woody2.

For the unstable distribution (sid) this problem has been fixed in version 2.6.10-1.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2.dsc

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2.diff.gz

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9.orig.tar.gz

Alpha:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_alpha.deb

ARM:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_arm.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_ia64.deb

HPPA:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_hppa.deb

Motorola 680x0:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_m68k.deb

Big endian MIPS:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_mips.deb

Little endian MIPS:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_powerpc.deb

IBM S/390:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_s390.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/l/lftp/lftp_2.4.9-1woody2_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

This page is also available in the following languages:

dansk Deutsch español français 日本語 (Nihongo) polski Português Русский (Russkij) svenska

How to set the default document language