Bug#4331: security alert (tar & anon ftp)
> ... so may I close this bug report, as one could assume, that nobody
> puts a tar binary in the SITE EXEC directory (is currently
> ~ftp/usr/bin/ftpexec for anon ftp and /usr/bin/ftpexec for
> real users).
I asked Alan Cox (who originally found the problem) and he explained
that indeed it was a SITE EXEC problem on RedHat. But, GNU tar has
some fun options (like --rsh-command=, --use-compress-program=), and
I'm not sure if it is possible to misuse them by attempting to get
directories with names starting with - (might be treated as flags).
Maybe add -- (no more flags) before %s in /etc/ftpd/ftpconversions?
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com