Package: lftp
Version: 4.6.0-1
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

From the src/SSH_Access.cc file:

 47: const char *y="(yes/no)?";
 73:    if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
 74:    {
 75:       pty_recv_buf->Put("yes\n");
 76:       pty_send_buf->Put("yes\n");
 77:       return m;
 78:    }

Not only does it make a particular SFTP file transfer insecure, but also any future connection via any SSH client.

After enabling debug (the "yes" answer generated automatically):

#v+
$ lftp sftp://mszewczyk@localhost:22203
Password:
lftp mszewczyk@localhost:~> debug
lftp mszewczyk@localhost:~> ls
---- Running connect program (ssh -a -x -s -l mszewczyk -p 22203 localhost sftp)
---> sending a packet, length=5, type=1(INIT), id=0
<--- The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.
<--- RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.
<--- Are you sure you want to continue connecting (yes/no)? yes
<---
<--- Warning: Permanently added '[localhost]:22203' (RSA) to the list of known hosts.
#v-

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.16.0-4-amd64

Debian Release: 8.0
  500 testing security.debian.org
  500 testing ftp.pl.debian.org
  500 stable  security.debian.org
  500 stable  ftp.pl.debian.org

--- Package information. ---
Depends                             (Version) | Installed
===================================-+-==============
libc6                              (>= 2.17) |
libgcc1                          (>= 1:4.1.1) |
libgnutls-deb0-28             (>= 3.2.10-0) |
libreadline6                       (>= 6.0) |
libstdc++6                       (>= 4.1.1) |
libtinfo5                                    |
zlib1g                         (>= 1:1.1.4) |
netbase                                      |

Package's Recommends field is empty.

Package's Suggests field is empty.

-- 
Marcin Szewczyk                          http://wodny.org
mailto:marcin.szewc...@wodny.borg <- remove b
xmpp:wo...@ubuntu.pl xmpp:wo...@jabster.pl
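Added example, not part of this report and not lftp's code: it reproduces the prompt-matching logic quoted above (a case-insensitive suffix match on "(yes/no)?") and puts it beside a fail-closed handler that refuses the unknown host key and surfaces the fingerprint instead of answering "yes" for the user. All function and type names are hypothetical; the sample pty text is reconstructed from the debug session in the report.

```cpp
// Added example (not lftp code). Names below are hypothetical; the sample
// pty text is constructed from the report's debug session.
#include <cassert>
#include <cstring>
#include <iostream>
#include <string>
#include <strings.h>   // strncasecmp, as used in the quoted lftp lines (POSIX)

static const char *kPrompt = "(yes/no)?";

static bool IsSpace(char c) {
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

// Same test as the quoted code: does the pty text received so far end
// (ignoring trailing whitespace) with the host-key prompt, case-insensitively?
bool EndsWithHostKeyPrompt(const std::string &recv) {
    size_t end = recv.size();
    while (end > 0 && IsSpace(recv[end - 1])) --end;
    size_t plen = std::strlen(kPrompt);
    return end >= plen && strncasecmp(recv.c_str() + end - plen, kPrompt, plen) == 0;
}

// The fingerprint line ssh printed just before asking, so a caller can show it.
std::string FingerprintLine(const std::string &recv) {
    size_t start = recv.rfind("fingerprint is ");
    if (start == std::string::npos) return "";
    size_t end = recv.find('\n', start);
    return recv.substr(start, end == std::string::npos ? std::string::npos : end - start);
}

// Behaviour as reported: the prompt is answered "yes" on the user's behalf,
// so an unknown host key is accepted and written to known_hosts without
// anyone checking the fingerprint.
std::string AutoAcceptReply(const std::string &recv) {
    return EndsWithHostKeyPrompt(recv) ? "yes\n" : "";
}

struct Decision {
    std::string reply;        // bytes to send to ssh's pty, empty if none
    bool aborted;             // true when the connection is being refused
    std::string fingerprint;  // what ssh displayed, for the error message/log
};

// Fail-closed alternative: answer "no" so ssh aborts with
// "Host key verification failed." and nothing is added to known_hosts;
// the user then verifies the fingerprint out of band and adds the key deliberately.
Decision FailClosedReply(const std::string &recv) {
    if (!EndsWithHostKeyPrompt(recv)) return Decision{"", false, ""};
    return Decision{"no\n", true, FingerprintLine(recv)};
}

// Constructed sample: the pty output from the report's debug session.
static const char *kSamplePrompt =
    "The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.\n"
    "RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.\n"
    "Are you sure you want to continue connecting (yes/no)? ";

int main() {
    std::cout << "reported behaviour sends: " << AutoAcceptReply(kSamplePrompt);
    Decision d = FailClosedReply(kSamplePrompt);
    std::cout << "fail-closed sends: " << d.reply
              << "aborted=" << d.aborted << " (" << d.fingerprint << ")\n";
    return 0;
}
```

The fail-closed handler only matters when ssh is allowed to prompt at all; a client that drives ssh over a pty can also start it with the existing option -o StrictHostKeyChecking=yes, in which case an unknown key is rejected before any "(yes/no)?" text appears and there is nothing to auto-answer.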