Debian Security Advisory

mirror -- Incorrect directory name handling in mirror

Date Reported:
18 Oct 1999
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2000-0354.
More information:
We have received reports that the version of mirror as distributed in Debian GNU/Linux 2.1 could be remotely exploited. When mirroring a remote site, its malicious owner could use filename-constructions like ".." that would cause mirror to work one level above the target directory for the mirrored files and thus unknowingly overwrite local data.
Fixed in:
Architecture-independent component: