
Re: Serious security problem! [Was: base system on boot floppies 2.2.3 broken]



On Sat Jan 01, 2000 at 12:55:19PM -0700, Erik Andersen wrote:
> On Fri Dec 31, 1999 at 09:13:14AM -0700, Randolph Chung wrote:
> > 
> > > 2) any file or directory that has a symlink associated with it has 
> > > permissions of 777 this includes much of the libc, /sbin/init 
> > > /usr/sbin/adduser, and many many many more. also most of 
> > > /usr/share/doc had mode 777.
> 
> Verified.  Sigh.  This is a release critical security problem
> that leaves libc (and everything else pointed to by a symlink 
> in the base system) vulnerable after a fresh install.
> 
[----------snip---------]
> 
> everybody to take a careful look at busybox tar, ok?
> 
> I'm testing it now by:
>     cp base2_2.tgz /tmp
>     mkdir foo
>     cd foo
>     <path_to_busybox>/busybox zcat ../base2_2.tgz | <path_to_busybox>/busybox tar -xf -
>     cd ..
>     mkdir bar
>     cd bar
>     tar -xzf ../base2_2.tgz
> 
> and then comparing files from foo and bar.

Ok, I just checked in a fix. Please, could everybody check out the
latest boot floppies and test this?

/me hides in shame,

 -Erik

--
Erik B. Andersen   Web:    http://www.xmission.com/~andersen/ 
                   email:  andersee@debian.org
--This message was written using 73% post-consumer electrons--
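As an added example (not code from this thread or from the boot-floppies project): the check Erik describes is to unpack the same tarball with busybox tar and with GNU tar and then compare the two trees. The script below does the file-by-file part of that comparison in POSIX shell: it reports every non-symlink entry whose permission bits differ between two trees, and separately lists every entry that is world-writable, which is the symptom reported above (mode 777 on files that are the target of a symlink). Instead of a real base tarball it builds two small constructed trees, "ref" with sane modes and "bad" reproducing the symptom, so it runs stand-alone; the file names in them are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: compare permission bits between two
# extracted copies of the same archive and list world-writable entries.

# Print "path: modeA modeB" for every non-symlink entry of tree A whose mode
# differs in tree B. Symlinks are skipped: on Linux their own mode bits are
# not used, only the target's mode matters (which is what the report is about).
compare_modes() {
    a=$1; b=$2
    (cd "$a" && find . ! -type l | sort) | while IFS= read -r p; do
        ma=$(stat -c '%a' "$a/$p")
        mb=$(stat -c '%a' "$b/$p" 2>/dev/null || echo missing)
        [ "$ma" = "$mb" ] || printf '%s: %s %s\n' "$p" "$ma" "$mb"
    done
}

# Print every non-symlink entry under DIR that is writable by "other"
# (-perm -002), i.e. the 777-style modes described in the report.
world_writable() {
    (cd "$1" && find . ! -type l -perm -002 | sort)
}

# Build two constructed trees under a temporary directory and print its path:
# "ref" has normal modes, "bad" has mode 777 on a file that a symlink points to.
make_sample_trees() {
    base=$(mktemp -d)
    for t in ref bad; do
        mkdir -p "$base/$t/lib" "$base/$t/sbin"
        : > "$base/$t/lib/libc-2.1.so"          # constructed file name
        : > "$base/$t/sbin/init"
        ln -s libc-2.1.so "$base/$t/lib/libc.so.6"
        chmod 644 "$base/$t/lib/libc-2.1.so"
        chmod 755 "$base/$t/sbin/init" "$base/$t/lib" "$base/$t/sbin" "$base/$t"
    done
    # reproduce the reported symptom in "bad": the symlink target becomes 777
    chmod 777 "$base/bad/lib/libc-2.1.so"
    echo "$base"
}

base=$(make_sample_trees)
echo "== mode differences (ref vs bad) =="
compare_modes "$base/ref" "$base/bad"
echo "== world-writable entries in bad =="
world_writable "$base/bad"
rm -rf "$base"
```

To use it on real output, replace the constructed trees with the `foo` and `bar` directories from Erik's procedure (`compare_modes foo bar`, `world_writable foo`); an empty `world_writable` listing for the busybox-extracted tree is the result a fixed tar should give. Note that `stat -c '%a'` is the GNU coreutils form.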

