Debian Bug report logs - #358210
debian-installer: Possible DoS attack: World writable directory remains after installing Debian 3.1r1 from the official network install CD

version graph

Package: passwd; Maintainer for passwd is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for passwd is src:shadow (PTS, buildd, popcon).

Reported by: Ferenczi Viktor <letezo@fw.hu>

Date: Tue, 21 Mar 2006 20:03:02 UTC

Severity: grave

Tags: d-i, security

Fixed in version passwd/1:4.0.14-9

Done: Joey Hess <joeyh@debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#358210; Package debian-installer. (full text, mbox, link).


Acknowledgement sent to Ferenczi Viktor <letezo@fw.hu>:
New Bug report received and forwarded. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ferenczi Viktor <letezo@fw.hu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: debian-installer: Possible DoS attack: World writable directory remains after installing Debian 3.1r1 from the official network install CD
Date: Tue, 21 Mar 2006 20:47:15 +0100
Package: debian-installer
Severity: normal


World writable directory remains after installing
Debian 3.1r1 from the official network install CD:

/var/log/debian-installer/cdebconf

In my opinion this shuld be fixed some way
on already installed systems, since any user can
use this directory to initialte a DoS attack by
filling the /var/log partition unless a quota
limit prevents this. PHP and other WEB applications
could exploit this directory on a hosting server
if PHP allows access to this directory.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-sirius-20051219-0354
Locale: LANG=hu_HU, LC_CTYPE=hu_HU (charmap=ISO-8859-2)



Severity set to `grave'. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Tags added: security, d-i Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Bug reassigned from package `debian-installer' to `passwd'. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Bug marked as fixed in version 1:4.0.14-9, send any further explanations to Ferenczi Viktor <letezo@fw.hu> Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 14:02:29 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:59:50 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.