Debian Security Advisory
htdig -- remote exploit in htdig
- Date Reported: 09 Dec 1999
- Affected Packages: htdig
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-1999-0978.
- More information:
The version of htdig that was shipped in Debian GNU/Linux 2.1 has a problem
with calling external programs to handle non-HTML documents: it calls
the external program with the document as a parameter, but does not check
for shell escapes. This can be exploited by creating files with filenames
that include shell escapes to run arbitrary commands on the machine that
runs htdig.
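
The bug class described above, as an added example (not htdig's code and not the Debian patch): a document name pasted into a shell command line versus the same name handed to the external program as a single argv element with no shell involved. The function names, the use of `echo` as a stand-in for an external parser, and the sample file name are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern (shown for contrast, never executed here): the document
 * name is pasted into a string meant for system()/popen(), so /bin/sh
 * would interpret any metacharacters the name contains. */
int build_shell_command(char *out, size_t n, const char *parser, const char *doc) {
    return snprintf(out, n, "%s %s", parser, doc);
}

/* Hardened pattern: no shell. The name is one argv element and reaches the
 * parser byte for byte. Captures the parser's stdout into out and returns
 * its exit status, or -1 on error. */
int run_parser(const char *parser, const char *doc, char *out, size_t n) {
    int fd[2], status = 0;
    size_t total = 0;
    ssize_t got;
    if (n == 0 || pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        char *argv[] = { (char *)parser, (char *)doc, NULL };
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execvp(parser, argv);
        _exit(127);                       /* exec failed */
    }
    close(fd[1]);
    while (total < n - 1 && (got = read(fd[0], out + total, n - 1 - total)) > 0)
        total += (size_t)got;
    out[total] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample name; "echo" stands in for an external parser. */
    const char *doc = "annual report; 1999.pdf";
    char cmd[128], seen[128];
    build_shell_command(cmd, sizeof cmd, "echo", doc);
    printf("shell would parse: %s\n", cmd);
    if (run_parser("echo", doc, seen, sizeof seen) == 0)
        printf("parser received:   %s", seen);
    return 0;
}
```
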
- Fixed in:
  - Source:
    - http://security.debian.org/dists/stable/updates/source/htdig_3.1.2-4slink6.diff.gz
    - http://security.debian.org/dists/stable/updates/source/htdig_3.1.2-4slink6.dsc
    - http://security.debian.org/dists/stable/updates/source/htdig_3.1.2.orig.tar.gz
  - alpha:
    - http://security.debian.org/dists/stable/updates/binary-alpha/htdig_3.1.2-4slink6_alpha.deb
  - i386:
    - http://security.debian.org/dists/stable/updates/binary-i386/htdig_3.1.2-4slink6_i386.deb
  - m68k:
    - http://security.debian.org/dists/stable/updates/binary-m68k/htdig_3.1.2-4slink6_m68k.deb
  - sparc:
    - http://security.debian.org/dists/stable/updates/binary-sparc/htdig_3.1.2-4slink6_sparc.deb