Package: pyftpd
Version: 0.8.4.6
Severity: critical
Justification: causes serious data loss

*** Please type your report below this line ***

Pyftpd creates its log file in a temporary directory using a predictable name. This allows a local attacker to create a denial of service condition and discloses sensitive information to unprivileged users, for example the accounts of other users connecting to the server and the paths they visit.

One should use tempfile.mkstemp <http://docs.python.org/library/tempfile.html#tempfile.mkstemp> or use the /var/log/ directory instead of /tmp/, and use proper file system modes for the log file.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pyftpd depends on:
ii  python          2.5.2-3   An interactive high-level object-o
ii  python-central  0.6.8     register and build utility for Pyt

Versions of packages pyftpd recommends:
ii  python-tk       2.5.2-1   Tkinter - Writing Tk applications

pyftpd suggests no packages.

-- no debconf information
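The two remedies the report names (tempfile.mkstemp for a randomly named file, or a fixed path under /var/log/ opened with a proper mode) are shown below as an added example; this is not code from pyftpd or from the bug report, and the function names open_log_securely, open_fixed_log, log_file_is_private and demo are assumptions made here. The example also verifies the two failure modes the report describes: a symlink already sitting at the log path is refused instead of followed, and a log file left readable by other users fails the privacy check.

```python
import os
import shutil
import stat
import tempfile


def open_log_securely(directory, prefix="pyftpd-"):
    """Create a log file with an unpredictable name inside `directory`.

    tempfile.mkstemp opens the file with O_CREAT | O_EXCL and mode 0600, so it
    never follows a symlink or reuses a file that another local user left at a
    guessable name, and the contents are readable only by the owner.
    """
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=".log", dir=directory)
    return os.fdopen(fd, "a"), path


def open_fixed_log(path, mode=0o600):
    """Open a log at a fixed path (e.g. under /var/log/) without following a
    symlink and without granting group or world access.

    Raises OSError if `path` is a symlink (O_NOFOLLOW) and ValueError if an
    existing file there belongs to someone else or is readable by others.
    """
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("%s is not a regular file" % path)
        if st.st_uid != os.getuid():
            raise ValueError("%s is owned by uid %d, not by us" % (path, st.st_uid))
        if st.st_mode & 0o077:
            raise ValueError("%s is accessible to other users (mode %o)"
                             % (path, stat.S_IMODE(st.st_mode)))
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")


def log_file_is_private(path):
    """True if `path` is a regular file owned by us with no group/world bits."""
    try:
        st = os.lstat(path)  # lstat: a symlink at the path is never "private"
    except OSError:
        return False
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and not (st.st_mode & 0o077))


def demo():
    """Exercise both remedies and both checks in a fresh private directory."""
    workdir = tempfile.mkdtemp(prefix="pyftpd-demo-")
    results = {}
    try:
        # Remedy 1: random name, created with O_EXCL and mode 0600.
        log, path = open_log_securely(workdir)
        log.write("constructed sample line: USER alice from 10.0.0.5\n")
        log.close()
        results["random_name_private"] = log_file_is_private(path)
        results["random_name_prefixed"] = os.path.basename(path).startswith("pyftpd-")

        # Remedy 2: fixed path, opened with O_NOFOLLOW and mode 0600.
        fixed = os.path.join(workdir, "pyftpd.log")
        with open_fixed_log(fixed) as f:
            f.write("constructed sample line: CWD /home/alice\n")
        results["fixed_path_private"] = log_file_is_private(fixed)

        # Failure mode 1: a symlink already at the log path must be refused.
        link = os.path.join(workdir, "stale.log")
        os.symlink(os.path.join(workdir, "elsewhere"), link)
        try:
            open_fixed_log(link)
            results["symlink_refused"] = False
        except OSError:
            results["symlink_refused"] = True

        # Failure mode 2: a log left world-readable must fail the check.
        os.chmod(fixed, 0o644)
        results["loose_mode_detected"] = not log_file_is_private(fixed)
    finally:
        shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for name, ok in sorted(demo().items()):
        print("%-22s %s" % (name, "ok" if ok else "FAIL"))
```

Note that the mode passed to os.open is still masked by the process umask, which can only make it tighter than 0600, never looser; the ownership and permission checks after fstat cover the case where the file already existed before the daemon started.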