Bill Allombert wrote:
> Package: proftpd
> Version: 1.3.0-7
> Severity: grave
> Tags: security
>
> Hello Francesco,
>
> proftpd includes a trapdoor rpath to /users/frankie/...
>
> %chrpath usr/sbin/proftpd
> usr/sbin/proftpd:
> RPATH=/users/frankie/debian/mypkgs/proftpd/current/proftpd-1.3.0/debian/tmp/usr/sbin
>
> This rpath allows a user with home directory /users/frankie/ to install
> trojaned libraries and wait for proftpd to start.

Sarge is not affected.

Cheers,
Moritz
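
A packaging-time check for the problem reported in this thread, added here as an example and not taken from the thread or from the proftpd packaging: it flags RPATH/RUNPATH entries that lie outside trusted library directories. It assumes binutils' `readelf` is installed; `TRUSTED_PREFIXES` and the function names are illustrative choices.

```shell
#!/bin/sh
# Added example: flag RPATH/RUNPATH entries outside trusted library directories.
# TRUSTED_PREFIXES is an assumed policy; adjust it to the target distribution.
TRUSTED_PREFIXES="/lib /lib64 /usr/lib /usr/lib64"

# Succeeds only for an absolute path, without ".." components, that is equal
# to or below a trusted prefix. Empty, relative or $ORIGIN entries are
# rejected (a conservative choice for packaged daemons).
rpath_entry_ok() {
    case "$1" in
        ""|[!/]*|*/../*|*/..) return 1 ;;
    esac
    for p in $TRUSTED_PREFIXES; do
        case "$1" in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

# audit_rpath "dir1:dir2": print each untrusted entry; return 1 if any found.
audit_rpath() {
    rc=0
    rest="$1:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        if ! rpath_entry_ok "$entry"; then
            printf 'UNTRUSTED: %s\n' "${entry:-EMPTY}"
            rc=1
        fi
    done
    return "$rc"
}

# Read `readelf -d` output on stdin; print the search paths joined by ":".
extract_rpaths() {
    sed -n -e 's/.*(RPATH).*\[\(.*\)\]$/\1/p' \
           -e 's/.*(RUNPATH).*\[\(.*\)\]$/\1/p' | paste -sd: -
}

# audit_file FILE: audit one ELF binary; no RPATH/RUNPATH counts as clean.
audit_file() {
    found=$(readelf -d "$1" 2>/dev/null | extract_rpaths)
    if [ -z "$found" ]; then return 0; fi
    audit_rpath "$found"
}

# Usage: sh audit-rpath.sh usr/sbin/proftpd ...
for f in "$@"; do audit_file "$f" || echo "^ in $f"; done
```

Run against the unpacked package tree before upload, a non-empty report means the build leaked a build-directory or home-directory search path into the binary.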