[VIM] Slackware security a tad behind..

security curmudgeon jericho at attrition.org
Mon May 16 17:57:34 EDT 2005

In the past I've noted vendors who are slow to patch. Slackware may win 
the record with a two and a half year delay..

Date: Sun, 15 May 2005 23:54:44 -0700 (PDT)

fixes a vuln in NcFTP and references:

That changelog entry:

3.1.5, 2002-10-13	<---

Security: Problem fixed where a malicious or trojaned FTP server could send 
back pathnames with directories different from the directory requested. For 
example, if you did:

cd /pub
get *.zip

the malicious server could send back a pathname like 
../../../some/other/dir/filename.here rather than pathnames such as 
filename.zip, and trick NcFTP into writing into a different local pathname if 
your user privileges had permission to write it.

This problem affects many other FTP client programs. We were asked not to post 
this item in the change log until these other programs could be fixed. That is 
why this item in the change log was added two months after the initial posting 
of version 3.1.5.

More information about the VIM mailing list