Bug 1180209 - lftp: saves unknown host's fingerprint in known_hosts without any prompt
Summary: lftp: saves unknown host's fingerprint in known_hosts without any prompt
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1180214
Blocks: 1180211
TreeView+ depends on / blocked
 
Reported: 2015-01-08 16:02 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:50 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:37:37 UTC
Embargoed:

Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-01-08 16:02:27 UTC 
It was reported [1] that lftp saves unknown host's fingerprint in known_hosts without any prompt:

Original report:

From the src/SSH_Access.cc file:
47: const char *y="(yes/no)?";
73: if(s>=y_len && !strncasecmp(b+s-y_len,y,y_len))
74: {
75:     pty_recv_buf->Put("yes\n");
76:     pty_send_buf->Put("yes\n");
77:     return m;
78: }

Not only does it make a particular SFTP file transfer insecure, but also
any future connection via any SSH client.

After enabling debug (the "yes" answer generated automatically):
#v+
$ lftp sftp://mszewczyk@localhost:22203
Password: 
lftp mszewczyk@localhost:~> debug
lftp mszewczyk@localhost:~> ls
---- Running connect program (ssh -a -x -s -l mszewczyk -p 22203 localhost sftp)
---> sending a packet, length=5, type=1(INIT), id=0
<--- The authenticity of host '[localhost]:22203 ([::1]:22203)' can't be established.
<--- RSA key fingerprint is 84:a2:ec:3d:98:1e:95:e6:e4:68:d9:a4:31:92:f7:8d.
<--- Are you sure you want to continue connecting (yes/no)? yes
<--- 
<--- Warning: Permanently added '[localhost]:22203' (RSA) to the list of known hosts.
#v-

This was reported to upstream as well:
https://github.com/lavv17/lftp/issues/116

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774769
Comment 1 Vasyl Kaigorodov 2015-01-08 16:07:25 UTC 
Created lftp tracking bugs for this issue:

Affects: fedora-all [bug 1180214]
Comment 2 Tomáš Hozza 2015-01-13 16:15:19 UTC 
https://github.com/lavv17/lftp/commit/bc7b476e782d77839765f56bbdb4cee9f36b54ec
Comment 4 Ján Rusnačko 2015-02-11 13:13:24 UTC 
Steps to reproduce:

$ lftp sftp://user@localhost

lftp user@localhost:~> debug
lftp user@localhost:~> ls

(see comment 1)
Comment 5 Fedora Update System 2015-03-05 12:39:18 UTC 
lftp-4.5.4-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-03-09 08:25:11 UTC 
lftp-4.5.4-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-03-09 08:31:04 UTC 
lftp-4.6.1-4.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Vasyl Kaigorodov 2015-03-12 16:51:04 UTC 
Upstream fix:
https://github.com/lavv17/lftp/commit/bc7b476e782d77839765f56bbdb4cee9f36b54ec
Comment 9 Vasyl Kaigorodov 2015-03-16 13:01:28 UTC 
This issue affects the versions of lftp as shipped with Red Hat Enterprise Linux 5, 6 and 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue.
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates.
For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Note You need to log in before you can comment on or make changes to this bug.