Re: A bug in lftp 2.5.1

2002-05-19 Thread Glenn Maynard

On Mon, May 13, 2002 at 09:32:02PM +0400, Alexander V. Lukyanov wrote:
   Thanks! I have applied the patch. I wonder how this condition can be true?
   Is it related to dns server reply forgery?
  
  Did you apply this to lftp-2-4?
 
 Now I did. Thanks for the reminder!

I've pulled this patch out and filed it with Debian to get it applied to
Woody.

-- 
Glenn Maynard



Re: A bug in lftp 2.5.1

2002-05-13 Thread Alexander V. Lukyanov

On Mon, May 13, 2002 at 12:39:44PM -0400, Glenn Maynard wrote:
 On Mon, May 13, 2002 at 06:46:48PM +0400, Alexander V. Lukyanov wrote:
  Thanks! I have applied the patch. I wonder how this condition can be true?
  Is it related to dns server reply forgery?
 
 Did you apply this to lftp-2-4?

Now I did. Thanks for the reminder!

-- 
   Alexander.



Re: A bug in lftp 2.5.1

2002-05-13 Thread Solar Designer

On Mon, May 13, 2002 at 06:46:48PM +0400, Alexander V. Lukyanov wrote:
 On Sun, May 12, 2002 at 02:19:00AM +0400, Solar Designer wrote:
  Alexander, -- I don't remember whether we have submitted other fixes
  we have in the lftp package on Owl.  I've attached the important
  security fix now, don't know if it's still relevant to 2.5.1 (sorry;
  just ignore it if it isn't).  This patch is by Michail Litvak
  [EMAIL PROTECTED].
  
  switch(family)
  {
  case AF_INET:
  +  if(sizeof(add-in.sin_addr) != len)
  +  {   
  + addr_num--;
  + return;
  +  }
 memcpy(add-in.sin_addr,address,len);
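
Review bot: In the AF_INET case the mismatch path is `addr_num--; return;`, which implies the slot is already counted before `len` is validated; comparing `len` against the size of `sin_addr` before the counter is incremented would remove the need to undo it. The rejection is also silent, so a log line on this path would make a wrong-sized address in a resolver reply visible to the user. Only the AF_INET case is shown here, and any other family case that copies `len` bytes into a fixed-size address field needs the same comparison.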
 
 Thanks! I have applied the patch. I wonder how this condition can be true?
 Is it related to dns server reply forgery?

Yes, either that, or one of the DNS servers themselves may be
malicious.

If you connect to an FTP server, that doesn't mean you trust that FTP
server's domain owner to execute arbitrary code on your machine.

-- 
/sd
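
The length check discussed in this thread, as an added example that is not part of the original messages or lftp's code: a resolver-supplied address is copied only when its length matches the destination field for its family. It goes beyond the quoted hunk by also covering AF_INET6 and by validating before the count changes; `addr_list`, `add_address` and `MAX_ADDRS` are hypothetical names.

```c
/* Added example, not lftp's code; all names here are hypothetical. */
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define MAX_ADDRS 8

union sockaddr_u {
    struct sockaddr     sa;
    struct sockaddr_in  in;
    struct sockaddr_in6 in6;
};

struct addr_list {
    union sockaddr_u addr[MAX_ADDRS];
    size_t count;
};

/* Store one address as reported by the resolver (family, bytes, length).
 * The length comes from the DNS reply path and is untrusted, so it must
 * equal the size of the destination field. Returns 0 if stored, -1 if not. */
int add_address(struct addr_list *l, int family, const void *address, size_t len)
{
    union sockaddr_u *slot;
    void *dst;
    size_t want;

    if (l->count >= MAX_ADDRS)
        return -1;                      /* list full */
    slot = &l->addr[l->count];

    switch (family) {
    case AF_INET:
        dst = &slot->in.sin_addr;   want = sizeof slot->in.sin_addr;   break;
    case AF_INET6:
        dst = &slot->in6.sin6_addr; want = sizeof slot->in6.sin6_addr; break;
    default:
        return -1;                      /* unknown family: size not known */
    }
    if (len != want)
        return -1;                      /* reject before touching the list */

    memset(slot, 0, sizeof *slot);
    slot->sa.sa_family = (sa_family_t)family;
    memcpy(dst, address, len);          /* len == want, cannot overrun */
    l->count++;                         /* count only after validation */
    return 0;
}
```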