Bug#4331: security alert (tar & anon ftp)

To: heiko@lotte.sax.de, 4331@bugs.debian.org
Subject: Bug#4331: security alert (tar & anon ftp)
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Date: Tue, 5 Nov 1996 22:03:47 +0100 (MET)
Message-id: <199611052103.WAA03772@i17linuxb.ists.pwr.wroc.pl>
Reply-to: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>, 4331@bugs.debian.org
In-reply-to: <m0vGuPn-0004KZC@eremit> from "heiko@lotte.sax.de" at Oct 26, 96 00:07:43 am

Hi,

> ... so may I close this bug report, as one could assume, that nobody
> puts a tar binary in the SITE EXEC directory (is currently
> ~ftp/usr/bin/ftpexec for anon ftp and /usr/bin/ftpexec for
> real users).

I asked Alan Cox (who originally found the problem) and he explained
that indeed it was a SITE EXEC problem on RedHat.  But, GNU tar has
some fun options (like --rsh-command=, --use-compress-program=), and
I'm not sure if it is possible to misuse them by attempting to get
directories with names starting with - (might be treated as flags).
Maybe add -- (no more flags) before %s in /etc/ftpd/ftpconversions?

Marek

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com

Reply to:

Prev by Date: Bug#5272: m4 has malformed controrol file
Next by Date: Bug#5275: gpm is not 8-bit clean.
Previous by thread: Re: Bug#5272: m4 has malformed controrol file
Next by thread: Bug#5275: gpm is not 8-bit clean.
Index(es):
- Date
- Thread