+++ This bug was initially created as a clone of Bug #591580 +++

The draft advisory from oCERT follows:

The lftp, wget and lwp-download applications are ftp/http clients and file transfer tools supporting various network protocols. The lwp-download script is shipped along with the libwww-perl library.

Unsafe behaviours have been found in lftp and lwp-download handling the Content-Disposition header in conjunction with the 'suggested filename' functionality. Additionally, unsafe behaviours have been found in wget and lwp-download in case of HTTP 3xx redirections during file downloading. The two applications automatically use the URL's filename portion specified in the Location header.

Implicitly trusting the suggested filenames results in a saved file that differs from the expected one according to the URL specified by the user. This can be used by a malicious attacker to silently write hidden and/or initialization files under the user's current directory (e.g. .login, .bashrc).

The impact of this vulnerability is increased in the case of lftp/lftpget as the default configuration allows file overwrite without prompting confirmation to the user. In case of lftp the get1 command is affected. This command can be invoked directly by the user from lftp's command line interface or indirectly by using the lftpget script, packaged within the lftp distribution.

Affected version:
lftp <= 4.0.5
wget <= 1.12
libwww-perl <= 5.834

Fixed version:
lftp >= 4.0.6
wget N/A
libwww-perl >= 5.835

Credit: Vulnerability discovered and reported by Hank Leininger and Solar Designer under the Openwall Project, with further analysis by Daniele Bianco of oCERT.

MITRE has assigned the name CVE-2010-2253 to this issue.
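The advisory above describes two ways a server can choose the local filename for the user: a Content-Disposition "suggested filename" and the path of a 3xx Location redirect. The following Python is an added illustration written for this page, not code from lftp, wget or libwww-perl. It puts the trusting behaviour next to a hardened version that keeps the user's own URL as the default, requires an explicit opt-in before a server-suggested name is honoured (the same shape as the `-s` option mentioned in the upstream lwp-download fix), and even then rejects dot-files and anything with a path component. The request URL, response headers and redirect target are constructed sample values.

```python
"""Deriving a save filename from an HTTP response: the unsafe pattern from
the advisory next to a hardened version.  Added example, not project code;
all URLs and header values below are constructed for illustration."""
import os
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: the user asked for this URL ...
REQUESTED_URL = "http://example.test/downloads/report.pdf"
# ... and a malicious server answered with this header (constructed) ...
RESPONSE_HEADERS = {"Content-Disposition": 'attachment; filename=".bashrc"'}
# ... or with a 3xx redirect to a dot-file (constructed).
REDIRECT_LOCATION = "http://example.test/.login"


def filename_from_disposition(value):
    """Extract the filename= parameter of a Content-Disposition header.
    Handles the quoted and bare forms only; RFC 5987 filename*= is ignored."""
    m = re.search(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', value, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def unsafe_save_name(requested_url, headers, location=None):
    """The behaviour the advisory describes: whatever the server suggests wins.
    A Content-Disposition filename, or the path of a redirect Location, replaces
    the name the user actually asked for."""
    cd = headers.get("Content-Disposition")
    if cd:
        suggested = filename_from_disposition(cd)
        if suggested:
            return suggested
    url = location or requested_url
    return posixpath.basename(urlsplit(url).path)


def is_plain_filename(name):
    """Exactly one visible path component: no dot-files, no separators, no NUL,
    and nothing that resolves to the current or parent directory."""
    if not name or name in (".", ".."):
        return False
    if name.startswith("."):
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    return os.path.basename(name) == name


def safe_save_name(requested_url, headers, location=None, honor_disposition=False):
    """Hardened version: the user's URL decides the name unless the caller
    explicitly opts in to Content-Disposition, and a server-suggested name is
    still refused unless it is a plain, visible filename.  The redirect
    Location is deliberately never consulted for the filename."""
    candidate = None
    if honor_disposition:
        cd = headers.get("Content-Disposition")
        if cd:
            candidate = filename_from_disposition(cd)
    if candidate is None:
        candidate = posixpath.basename(urlsplit(requested_url).path)
    candidate = unquote(candidate)  # "%2e%2e%2f..." must not slip past the check
    if not is_plain_filename(candidate):
        raise ValueError("refusing server-suggested filename %r" % candidate)
    return candidate


if __name__ == "__main__":
    print("unsafe, Content-Disposition:", unsafe_save_name(REQUESTED_URL, RESPONSE_HEADERS))
    print("unsafe, redirect:          ", unsafe_save_name(REQUESTED_URL, {}, REDIRECT_LOCATION))
    print("safe, default:             ", safe_save_name(REQUESTED_URL, RESPONSE_HEADERS))
    try:
        safe_save_name(REQUESTED_URL, RESPONSE_HEADERS, honor_disposition=True)
    except ValueError as e:
        print("safe, opted in:            ", e)
```

The two unsafe calls return `.bashrc` and `.login`, which is exactly the silent dot-file write the advisory warns about; the hardened function returns `report.pdf` in both cases and raises when the caller opts in to a suggestion that is not a plain filename. Overwrite handling is a separate concern (the advisory notes lftp overwrites without prompting by default); a real client should also refuse to clobber an existing file unless told to.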
Created attachment 448870
lwp-download patch

Patch from upstream:

commit 2f7ce2e0fc25c85806295142f9ec8d082c072c56
Author: Gisle Aas <gisle>
Date:   Mon Feb 8 21:59:28 2010 +0100

    lwp-download now needs the -s option to honor the Content-Disposition header
This issue is not planned to be fixed in Red Hat Certificate System v7.2 and 7.3 where only qualified security errata of critical impact are addressed. http://www.redhat.com/security/updates/certificate/
lwp-download is a sample application shipped with perl-libwww-perl which is affected by this vulnerability. However, the libwww-perl library itself is not affected. Perl scripts would use the LWP library in order to download files, hence the scope of this vulnerability is limited to the sample script.
Created perl-libwww-perl tracking bugs for this issue Affects: fedora-all [bug 637788]
This issue affects the versions of the perl-libwww-perl package, as shipped with Red Hat Enterprise Linux 3, 4, and 5.

--

This issue affects the versions of the perl-libwww-perl package, as shipped with Fedora releases 12 and 13.
Statement: This issue affects the versions of the perl-libwww-perl package, as shipped with Red Hat Enterprise Linux 4, 5 and 6. The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2010-2253