diff -Nru lftp-4.8.1/debian/changelog lftp-4.8.1/debian/changelog
--- lftp-4.8.1/debian/changelog 2017-09-17 19:17:03.000000000 +0000
+++ lftp-4.8.1/debian/changelog 2018-08-03 14:56:24.000000000 +0000
@@ -1,3 +1,11 @@
+lftp (4.8.1-1ubuntu0.1) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Incorrectly sanitize remote file names
+ - debian/patches/CVE-2018-10196.patch: fix in src/MirrorJob.cc.
+ - CVE-2018-10196
+
+ -- Leonidas S. Barbosa Fri, 03 Aug 2018 11:56:24 -0300
+
 lftp (4.8.1-1) unstable; urgency=medium
 
 * new upstream release from 2017-09-13
diff -Nru lftp-4.8.1/debian/control lftp-4.8.1/debian/control
--- lftp-4.8.1/debian/control 2017-09-17 19:17:03.000000000 +0000
+++ lftp-4.8.1/debian/control 2018-08-03 14:56:24.000000000 +0000
@@ -1,7 +1,8 @@
 Source: lftp
 Section: net
 Priority: optional
-Maintainer: Noël Köthe
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Noël Köthe
 Standards-Version: 4.0.0
 Build-Depends: debhelper (>> 9.0.0), libncurses-dev, libreadline-dev, gettext, gawk, bison, libgnutls28-dev, pkg-config, libidn2-dev
 Homepage: https://lftp.tech
diff -Nru lftp-4.8.1/debian/patches/CVE-2018-10916.patch lftp-4.8.1/debian/patches/CVE-2018-10916.patch
--- lftp-4.8.1/debian/patches/CVE-2018-10916.patch 1970-01-01 00:00:00.000000000 +0000
+++ lftp-4.8.1/debian/patches/CVE-2018-10916.patch 2018-08-03 14:56:10.000000000 +0000
@@ -0,0 +1,70 @@
+From a27e07d90a4608ceaf928b1babb27d4d803e1992 Mon Sep 17 00:00:00 2001
+From: "Alexander V. Lukyanov"
+Date: Tue, 31 Jul 2018 10:57:35 +0300
+Subject: [PATCH] mirror: prepend ./ to rm and chmod arguments to avoid URL
+ recognition (fix #452)
+diff --git a/src/MirrorJob.cc b/src/MirrorJob.cc
+index c92c34d..2002ff8 100644
+--- a/src/MirrorJob.cc
++++ b/src/MirrorJob.cc
+@@ -1161,24 +1161,21 @@ int MirrorJob::Do()
+ }
+ continue;
+ }
++ bool use_rmdir = (file->TypeIs(file->DIRECTORY)
++ && recursion_mode==RECURSION_NEVER);
+ if(script)
+ {
+- ArgV args("rm");
+- if(file->TypeIs(file->DIRECTORY))
+- {
+- if(recursion_mode==RECURSION_NEVER)
+- args.setarg(0,"rmdir");
+- else
+- args.Append("-r");
+- }
++ ArgV args(use_rmdir?"rmdir":"rm");
++ if(file->TypeIs(file->DIRECTORY) && !use_rmdir)
++ args.Append("-r");
+ args.Append(target_session->GetFileURL(file->name));
+ xstring_ca cmd(args.CombineQuoted());
+ fprintf(script,"%s\n",cmd.get());
+ }
+ if(!script_only)
+ {
+- ArgV *args=new ArgV("rm");
+- args->Append(file->name);
++ ArgV *args=new ArgV(use_rmdir?"rmdir":"rm");
++ args->Append(dir_file(".",file->name));
+ args->seek(1);
+ rmJob *j=new rmJob(target_session->Clone(),args);
+ args->CombineTo(j->cmdline);
+@@ -1186,10 +1183,7 @@ int MirrorJob::Do()
+ if(file->TypeIs(file->DIRECTORY))
+ {
+ if(recursion_mode==RECURSION_NEVER)
+- {
+- args->setarg(0,"rmdir");
+ j->Rmdir();
+- }
+ else
+ j->Recurse();
+ }
+@@ -1255,7 +1249,7 @@ int MirrorJob::Do()
+ if(!script_only)
+ {
+ ArgV *a=new ArgV("chmod");
+- a->Append(file->name);
++ a->Append(dir_file(".",file->name));
+ a->seek(1);
+ ChmodJob *cj=new ChmodJob(target_session->Clone(),
+ file->mode&~mode_mask,a);
+@@ -1377,7 +1371,7 @@ int MirrorJob::Do()
+ if(!script_only)
+ {
+ ArgV *args=new ArgV("rm");
+- args->Append(file->name);
++ args->Append(dir_file(".",file->name));
+ args->seek(1);
+ rmJob *j=new rmJob(source_session->Clone(),args);
+ args->CombineTo(j->cmdline);
diff -Nru 
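Review bot: The `./` prefix added at `args->Append(dir_file(".",file->name));` (and its chmod and source-side rm counterparts) stops a server-supplied name from being parsed as a URL, but nothing in the hunk rejects names that contain a path separator or are `..`, so a listing entry like `../x` becomes `./../x` and still resolves outside the mirror target unless the listing parser filters such names before this point — that is not visible here and worth confirming; a guard ahead of the rm/chmod jobs such as `if(strchr(file->name,'/') || !strcmp(file->name,"..")) continue;` would close it regardless (adjust if file->name is not a plain C string). The reason for the prefix lives only in the commit subject; a comment at the first call site, `// "./" prefix: a remote name such as "ftp://host/x" must not be treated as a URL (CVE-2018-10916)`, would keep a later cleanup from dropping it. Separately, the changelog in this package diff names `debian/patches/CVE-2018-10196.patch` and `CVE-2018-10196`, while the file actually added and listed in series is `CVE-2018-10916.patch`; the changelog identifier looks transposed and should match the patch and the advisory. MirrorJob::Do() starts and ends outside the hunk.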
lftp-4.8.1/debian/patches/series lftp-4.8.1/debian/patches/series
--- lftp-4.8.1/debian/patches/series 2015-04-16 13:18:34.000000000 +0000
+++ lftp-4.8.1/debian/patches/series 2018-08-03 14:56:10.000000000 +0000
@@ -1,2 +1,3 @@
 config-dns-inet6_before_inet.patch
 lftp_sys-stdint-kfreebsd.patch
+CVE-2018-10916.patch