发布日期：2003-12-12
更新日期：2003-12-25

受影响系统：

Alexander V. Lukyanov lftp 2.6.9
Alexander V. Lukyanov lftp 2.6.8
Alexander V. Lukyanov lftp 2.6.7
Alexander V. Lukyanov lftp 2.6.6
Alexander V. Lukyanov lftp 2.6.5
Alexander V. Lukyanov lftp 2.6.4
Alexander V. Lukyanov lftp 2.6.3
Alexander V. Lukyanov lftp 2.6.0
Alexander V. Lukyanov lftp 2.5.2
Alexander V. Lukyanov lftp 2.3
Alexander V. Lukyanov lftp 2.4.9
    - Mandrake Linux 8.2
    - RedHat Linux 7.3
    - RedHat Linux 7.2

不受影响系统：

Alexander V. Lukyanov lftp 2.6.10

描述：

---

BUGTRAQ  ID: 9212
CVE(CAN) ID: CVE-2003-0963

lftp是一款支持多平台，支持多模式(ftp、ftps、http、https、hftp等)的基于命令行FTP客户端。

lftp在接收到从远程HTTP服务器返回的内容时不正确处理部分目录信息，远程攻击者可以利用这个漏洞进行缓冲区溢出攻击，可能以lftp进程权限在系统上执行任意指令。

问题存在于src/HttpDir.cc文件中的try_squid_eplf()函数中，由于lftp在使用HTTP或者HTTPS进行WEB服务器连接，并使用lftp的"ls"或"rels"命令对特殊目录进行浏览时，调用的sscanf()函数对数据输入处理缺少充分的边界缓冲区检查，精心构建目录数据，可导致触发缓冲区溢出，精心构建提交数据可能以lftp进程权限在系统上执行任意指令。

<*来源：Ulf Harnhammar （ulfh@update.uu.se）
  
  链接：http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0070.html
        https://www.redhat.com/support/errata/RHSA-2003-403.html
        http://www.linux-mandrake.com/en/security/2003/2003-116.php
*>

建议：

---

厂商补丁：

MandrakeSoft
------------
MandrakeSoft已经为此发布了一个安全公告（MDKSA-2003:116）以及相应补丁:
MDKSA-2003:116：Updated lftp packages fix buffer overflow vulnerability
链接：http://www.linux-mandrake.com/en/security/2003/2003-116.php

补丁下载：

Updated Packages:

Corporate Server 2.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/lftp-2.6.0-1.1.C21mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/lftp-2.6.0-1.1.C21mdk.src.rpm

Corporate Server 2.1/x86_64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/lftp-2.6.0-1.1.C21mdk.x86_64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/lftp-2.6.0-1.1.C21mdk.src.rpm

Mandrake Linux 9.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/lftp-2.6.0-1.1.90mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/lftp-2.6.0-1.1.90mdk.src.rpm

Mandrake Linux 9.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/lftp-2.6.4-2.1.91mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/lftp-2.6.4-2.1.91mdk.src.rpm

Mandrake Linux 9.1/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/lftp-2.6.4-2.1.91mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/lftp-2.6.4-2.1.91mdk.src.rpm

Mandrake Linux 9.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/RPMS/lftp-2.6.6-2.1.92mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.2/SRPMS/lftp-2.6.6-2.1.92mdk.src.rpm

Mandrake Linux 9.2/AMD64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/RPMS/lftp-2.6.6-2.1.92mdk.amd64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/amd64/9.2/SRPMS/lftp-2.6.6-2.1.92mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi.  The verification
of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php


上述升级软件还可以在下列地址中的任意一个镜像ftp服务器上下载：
http://www.mandrakesecure.net/en/ftp.php

RedHat
------
RedHat已经为此发布了一个安全公告（RHSA-2003:403-01）以及相应补丁:
RHSA-2003:403-01：Updated lftp packages fix security vulnerability
链接：https://www.redhat.com/support/errata/RHSA-2003-403.html

补丁下载：

Alexander V. Lukyanov lftp 2.4.9:

RedHat Patch lftp-2.4.9-2.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/lftp-2.4.9-2.i386.rpm

RedHat Patch lftp-2.4.9-2.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/lftp-2.4.9-2.ia64.rpm

RedHat Patch lftp-2.4.9-2.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/lftp-2.4.9-2.i386.rpm

Alexander V. Lukyanov lftp 2.5.2:

RedHat Patch lftp-2.5.2-6.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/lftp-2.5.2-6.i386.rpm

Alexander V. Lukyanov lftp 2.6.3:

RedHat Patch lftp-2.6.3-4.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/lftp-2.6.3-4.i386.rpm

Alexander V. Lukyanov lftp 2.6.5:

Fedora Upgrade lftp-2.6.10-1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386/lftp-2.6.10-1.i386.rpm

Fedora Upgrade lftp-debuginfo-2.6.10-1.i386.rpm
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/i386/debug/lftp-debuginfo-2.6.10-1.i386.rpm

Alexander V. Lukyanov
---------------------
lftp 2.6.10已经修正此漏洞：

http://lftp.yar.ru/get.html

另外2.6.9版本的补丁也可以从如下地址获得：

http://labben.abm.uu.se/~ulha9485/lftp-advisory-data.tar.gz

浏览次数：4390
严重程度：0（网友投票）