On Sun, May 21, 2006 at 11:36:03AM +0200, Bill Allombert wrote:
> Package: proftpd
> Version: 1.3.0-7
> Severity: grave
> Tags: security
> 
> Hello Francesco,
> 
> proftpd includes a trapdoor rpath to /users/frankie/...
> 
> %chrpath usr/sbin/proftpd
> usr/sbin/proftpd: 
> RPATH=/users/frankie/debian/mypkgs/proftpd/current/proftpd-1.3.0/debian/tmp/usr/sbin
> 
> This rpath allows a user with home directory /users/frankie/ to install
> trojaned libraries and wait for proftpd to start.

Mmmm, nice issue, that's of course my own home directory...

-- 
Francesco P. Lovergine
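
A build-time check for the condition reported in this thread, as an added example that is not part of the original messages or of the package's own tooling: it extracts RPATH/RUNPATH values from `readelf -d` output and reports every entry that is not an absolute path under a trusted library directory. The function names, the `TRUSTED_PREFIXES` policy and the readelf-style sample lines are assumptions made for the example; `audit_binaries` needs binutils' `readelf`.

```shell
#!/bin/sh
# Added example: report RPATH/RUNPATH entries outside trusted library dirs.
# TRUSTED_PREFIXES is an assumed policy, not something the report specifies.
TRUSTED_PREFIXES="/lib /lib64 /usr/lib /usr/lib64"

# Read `readelf -d` output on stdin, print each RPATH/RUNPATH value.
rpaths_from_readelf() {
    sed -n -e 's/.*(RPATH).*\[\(.*\)].*/\1/p' \
           -e 's/.*(RUNPATH).*\[\(.*\)].*/\1/p'
}

# Print every entry of a colon-separated search path that is not an
# absolute path under a trusted prefix (one entry per line).
unsafe_rpath_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case $entry in
            '')          echo '(empty entry: current directory)'; continue ;;
            */../*|*/..) echo "$entry"; continue ;;  # can climb out of a prefix
            /*)          ;;                          # absolute: check below
            *)           echo "$entry"; continue ;;  # relative or $ORIGIN-based
        esac
        trusted=no
        for prefix in $TRUSTED_PREFIXES; do
            case $entry in "$prefix"|"$prefix"/*) trusted=yes ;; esac
        done
        [ "$trusted" = yes ] || echo "$entry"
    done
}

# Audit real files, e.g. audit_binaries debian/tmp/usr/sbin/*
# Returns non-zero if any file carries an untrusted entry.
audit_binaries() {
    rc=0
    for file in "$@"; do
        for rpath in $(readelf -d "$file" 2>/dev/null | rpaths_from_readelf); do
            bad=$(unsafe_rpath_entries "$rpath")
            [ -z "$bad" ] || { echo "$file: $bad"; rc=1; }
        done
    done
    return $rc
}

# Constructed readelf-style lines; the second RPATH entry is the path
# quoted in the report, the first is a benign entry added for contrast.
SAMPLE=' 0x0000000f (RPATH)   Library rpath: [/usr/lib:/users/frankie/debian/mypkgs/proftpd/current/proftpd-1.3.0/debian/tmp/usr/sbin]
 0x00000001 (NEEDED)  Shared library: [libc.so.6]'

sample_findings() {
    unsafe_rpath_entries "$(printf '%s\n' "$SAMPLE" | rpaths_from_readelf)"
}
sample_findings
```

Run against the staged package tree before upload, a non-zero return from `audit_binaries` means a build directory or other untrusted location has leaked into a binary's library search path.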

