On 08/02/2012 10:14 PM, Andreas Beckmann wrote:
> Package: extplorer
> Version: 2.1.0b6+dfsg.3-3
> Severity: grave
> Tags: security
> Justification: user security hole
> User: debian...@lists.debian.org
> Usertags: piuparts
>
> Hi,
>
> during a test with piuparts I noticed that your package creates a world
> writable directory:
>
> drwxrwxrwx 2 root root 60 Aug 1 07:46 /var/lib/extplorer/ftp_tmp
>
> There any local user may delete/replace arbitrary files that were not
> created by the user himself.
>
> If the write permissions cannot be restricted to a user or group, the
> sticky bit should be set on the directory to prevent users from
> manipulating files they don't own.
>
>
> Andreas

As far as I know, extplorer ftp mode is broken in Debian. So unless I am mistaken, we're not affected (this would have to be checked though, and fixed anyway).

Thomas
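
The condition reported above (a directory with mode `drwxrwxrwx`, world-writable with no sticky bit) can be audited and corrected as follows. This is an added example, not part of the thread or of the extplorer package; the function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit for the condition in the
# report, a world-writable directory without the sticky bit.

# List directories under $1 that have o+w set but the sticky bit clear.
# -xdev keeps the scan on one filesystem.
find_unsafe_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Remedy named in the report: set the sticky bit, so that only a file's
# owner, the directory's owner or root may delete or rename an entry.
set_sticky() {
    chmod +t "$1"
}

# Constructed sample tree, standing in for /var/lib/extplorer.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/ftp_tmp" "$root/sticky_tmp" "$root/private"
    chmod 0777 "$root/ftp_tmp"      # drwxrwxrwx, as in the report
    chmod 1777 "$root/sticky_tmp"   # drwxrwxrwt, like /tmp
    chmod 0755 "$root/private"      # not world-writable
    echo "before:"
    find_unsafe_dirs "$root"        # reports only ftp_tmp
    set_sticky "$root/ftp_tmp"
    echo "after: $(find_unsafe_dirs "$root" | wc -l | tr -d ' ') unsafe"
    rm -rf "$root"
}

demo
```

Running `find_unsafe_dirs /var/lib` on an installed system gives the same check against real package directories.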