
Bug#569222: risky use of mount from a random partition

On Wed, Feb 10, 2010 at 05:42:22PM -0500, Joey Hess wrote:
> > Good question.  I've been trying to dig out the history and it doesn't
> > seem especially clear even to me.  I think I must have reasoned that (a)
> > using $tmpmnt wasn't significantly worse than using /target (I hadn't
> > thought of the security risk)
> Speaking of the security risk, AFAICS via light browsing of
> packages.ubuntu.com, jaunty has os-prober that still uses third-party
> mount even when run on an installed system, *and* grub-pc depends on
> os-prober.

I can certainly arrange for a security update once we figure out what
the right behaviour is ...

However, hardly anyone used grub-pc in jaunty, and if they did it was
pretty broken anyway.  We didn't start encouraging it until karmic.  The
purpose of putting it in jaunty was to figure out what was wrong with
it, so I'm not *too* scared.

> That's an especially bad combination (lenny's grub-pc only suggests
> os-prober).

I think Recommends is the correct relationship, which is what current
versions (of grub-common) have in both Debian and Ubuntu.  Not that
Recommends vs. Depends makes much of a difference here.

Colin Watson                                       [cjwatson@debian.org]
