Package: apt-cacher
Version: 1.5.3
Severity: minor

apt-cache-report.pl does not relinquish root privileges when run.

As report generation is run from cron as root, an underprivileged user
could set the log file to a symlink to '/etc/shadow' and thus get
the first (typically root) and last line from shadow in the generated
report.

It's a long shot, but there is at least one person in the world who
could abuse this issue (yes, that's me).

-- System Information:
Debian Release: testing/unstable
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages apt-cacher depends on:
ii  bzip2                         1.0.3-3    high-quality block-sorting file co
ii  libwww-perl                   5.805-1    WWW client/server library for Perl
ii  perl                          5.8.8-6.1  Larry Wall's Practical Extraction 

apt-cacher recommends no packages.

-- no debconf information


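One way to close the hole described in this report, as an added example that is not part of the original message or of apt-cacher's code: give up root before reading the log, and refuse a log path whose final component is a symlink. The log path, the `www-data` account and the sub names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not apt-cacher code. Path, account and sub names are assumptions.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :mode);   # O_RDONLY, O_NOFOLLOW, O_NONBLOCK, S_ISREG
use POSIX ();

my $LOG_FILE = '/var/log/apt-cacher/access.log';   # assumed log location
my $RUN_AS   = 'www-data';                         # assumed unprivileged account

# Permanently give up root before touching a file another user may control.
sub drop_privileges {
    my ($user) = @_;
    return if $> != 0;                             # not root, nothing to drop
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    die "unknown user $user\n" unless defined $uid;
    $) = "$gid $gid";                              # egid, and setgroups() to clear extra groups
    POSIX::setgid($gid) or die "setgid($gid): $!\n";
    POSIX::setuid($uid) or die "setuid($uid): $!\n";   # as root: real, effective and saved uid
    die "root privileges can still be regained\n" if POSIX::setuid(0);
}

# Open the log without following a symlink in the final path component.
# O_NOFOLLOW does not protect parent directories, so the log directory itself
# must not be writable by untrusted users.
sub open_log {
    my ($path) = @_;
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK)
        or die "refusing to open $path: $!\n";     # ELOOP when $path is a symlink
    my @st = stat($fh) or die "stat on $path: $!\n";   # fstat the handle, not the path
    S_ISREG($st[2]) or die "$path is not a regular file\n";
    return $fh;
}

drop_privileges($RUN_AS);
my $fh = open_log($LOG_FILE);

# The report only needs the first and last log lines to show the period covered.
my ($first, $last);
while (my $line = <$fh>) {
    $first //= $line;
    $last = $line;
}
close $fh;
print "log covers:\n  $first  $last" if defined $first;
```

Either measure alone blocks the read described above: the unprivileged account cannot open '/etc/shadow', and `O_NOFOLLOW` fails the open when the log file has been replaced by a symlink.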