Date: Sun, 13 Jun 2010 23:04:30 +0300
From: Henri Salo <>
To:, "Steven M. Christey"
Subject: CVE request - pyftpd insecure usage of temporary directory

Pyftpd creates a log file in a temporary directory using a predictable
name. This allows a local attacker to create a denial of service
condition and discloses sensitive information to unprivileged users.
For example accounts of other users connecting to server and paths they

One should use tempfile.mkstemp or
use the /var/log/ directory instead of /tmp/ and use proper file system
modes for the log file.

This affects version: 0.8.4

Can I have a CVE identifier for this issue?

Henri Salo
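
The two remedies named in the message, shown beside the predictable-name pattern, as an added example that is not part of the original message and is not pyftpd's code. The file name `pyftpd-example.log` and all function names are assumptions made for illustration.

```python
import os
import stat
import tempfile

LOG_NAME = "pyftpd-example.log"  # hypothetical; the message does not give the real name


def open_log_predictable(directory):
    """Risky pattern: fixed name in a shared directory, mode left to the umask."""
    path = os.path.join(directory, LOG_NAME)
    # open() reuses whatever already exists at the path, whoever created it,
    # and a new file is typically created world-readable (0666 & ~umask).
    return open(path, "a"), path


def open_log_mkstemp(directory=None):
    """Remedy 1: mkstemp picks an unpredictable name, uses O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="pyftpd-", suffix=".log", dir=directory)
    return os.fdopen(fd, "a"), path


def open_log_fixed(directory):
    """Remedy 2: fixed name in a dedicated log directory with a strict mode."""
    path = os.path.join(directory, LOG_NAME)
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # O_NOFOLLOW: fail if the name is a symlink
    try:
        st = os.fstat(fd)  # inspect the opened object itself, not the path
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not a regular file owned by this user")
        os.fchmod(fd, 0o600)  # tighten the mode if the file already existed
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "a"), path


def mode_of(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)
```

`open_log_fixed` is meant for a directory only the service account can write to, such as one under /var/log/; the ownership check is a second line of defence, not a substitute for that.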
