Bug 15716

Summary: lftp new security issue CVE-2014-0139
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: stormi-mageia, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/592586/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: lftp-4.5.6-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-04-16 18:52:17 CEST 
Upstream has released version 4.6.2 today (April 16):
http://lftp.yar.ru/news.html

It fixes an issue with hostname verification when validating TLS/SSL certificates, which was previously fixed in curl in Bug 12476.  lftp uses a local copy of the same code from curl, which is why it has the same CVE.

The upstream fix was in this commit:
https://github.com/lavv17/lftp/commit/6357bed2583171b7515af6bb6585cf56d2117e3f

Mageia 4 and Mageia 5 are affected.

Upstream patch added in Mageia 4 and Cauldron SVN.

Freeze push requested for Cauldron.

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-16 18:52:23 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-17 18:02:28 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated lftp packages fix security vulnerability:

lftp incorrectly validates wildcard SSL certificates containing literal
IP addresses, so under certain conditions, it would allow and use a wildcard
match specified in the CN field, allowing a malicious server to participate
in a MITM attack or just fool users into believing that it is a legitimate
site (CVE-2014-0139).

lftp was affected by this issue as it uses code from cURL for checking SSL
certificates.  The curl package was fixed in MGASA-2014-0153.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
http://advisories.mageia.org/MGASA-2014-0153.html
http://lftp.yar.ru/news.html
========================

Updated packages in core/updates_testing:
========================
lftp-4.4.14-1.1.mga4
liblftp0-4.4.14-1.1.mga4
liblftp-devel-4.4.14-1.1.mga4

from lftp-4.4.14-1.1.mga4.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/592586/
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 2 David Walser 2015-04-17 21:07:06 CEST 
You can do a simple check of https functionality with:
lftp https://fedorahosted.org/released/abrt/

and then run "ls" at the lftp prompt (as in Bug 4176).

Works fine for me on Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 3 Samuel Verschelde 2015-04-20 19:38:55 CEST 
Testing as in comment #2: ls works but get fails. I don't know if it's expected.

lftp fedorahosted.org:/released/abrt> get satyr-0.16.tar.xz 
get: /mnt/other/boot/satyr-0.16.tar.xz: Permission non accordée

I connected to a ftp server of mine that activates SSL and everything worked fine.

CC: (none) => stormi

Samuel Verschelde 2015-04-20 19:39:08 CEST

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 David Walser 2015-04-20 20:07:42 CEST 
get satyr-0.16.tar.xz worked for me.  Maybe try again?
Comment 5 Samuel Verschelde 2015-04-20 20:36:18 CEST 
It works now, probably a transient server issue.
Comment 6 claire robinson 2015-04-22 17:52:11 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-04-23 23:15:12 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0165.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED