CVE-2010-2251

Publication date 6 July 2010

Last updated 24 July 2024


Ubuntu priority

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

Read the notes from the security team

Status

Package Ubuntu Release Status
lftp 10.04 LTS lucid
Fixed 4.0.2-1ubuntu0.1
9.10 karmic
Fixed 3.7.15-1ubuntu2.1
9.04 jaunty
Fixed 3.7.8-1ubuntu0.1
8.04 LTS hardy
Fixed 3.6.1-1ubuntu0.1
6.06 LTS dapper
Not affected

Notes


mdeslaur

dapper's lftp is too old to support server-suggested filenames