This ftp is otherwise known as tnftp and originates with NetBSD.
It is part of their base install and is the only ftp/http client installed by default. It is the default client for installing packages.
Aside from the popen feature (-o"|utility" pipes output to utility), getting this program to segfault is quite easy. If you are concerned about security I would seek a workaround that you trust.
tnftp does not link to libfetch, but on NetBSD libfetch is still present (why? I am not sure), so a user could install fetch(1), the default ftp/http client from FreeBSD, which is available as a package, and it will work "out of the box". FreeBSD's fetch(1) does link to libfetch.
There is also example code for a libfetch-linked client in the NetBSD source tree.
Whether the fetch(1) client has security issues of its own, I do not know, but at least it does not implement the popen feature.