Bug#4465: security hole in netdiag package
Package: netdiag
Version: 0.2-3
The postinst script copies the tcpdump binary from the tcpdump
package and the traceroute binary from the netstd package to /usr/bin
and makes them setuid root.adm. This allows all users in the existing
adm group to use tcpdump to get the unencrypted passwords that are
transmitted over the network.
IMHO the netdiag package shouldn't use tcpdump/traceroute
(neither as binaries nor as links). Copying/linking binaries from
other packages just to have them in /usr/bin is a bad idea. Maybe
something like this should be added to the guidelines.
Thanks,
Peter
--
Peter Tobias EMail:
Fachhochschule Ostfriesland tobias@et-inf.fho-emden.de
Fachbereich Elektrotechnik und Informatik tobias@debian.org
Constantiaplatz 4, 26723 Emden, Germany tobias@linux.de
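The permission pattern the report describes (a copied tcpdump made setuid root and group-executable for adm, i.e. the 4750 root:adm form) is easy to audit for. The following shell helper is an added example written for this page; it is not part of the bug report, of the netdiag postinst, or of any Debian tooling. It assumes GNU find and stat (Linux), and the function names list_privileged_files and flag_group_setuid are hypothetical. It lists every setuid/setgid file below a directory and flags those that are setuid to a given owner (root by default) and runnable by a group but not by the world, which is exactly the shape that hands a whole group that owner's privileges in the binary.

```shell
#!/bin/sh
# Added audit helper (not from the netdiag package or the bug report).
# Assumes GNU find/stat as found on Linux.

# list_privileged_files DIR
#   Prints one line per setuid or setgid regular file under DIR:
#   "<path> <owner> <group> <octal mode>", e.g. "/usr/bin/tcpdump root adm 4750".
list_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%n %U %G %a' {} +
}

# flag_group_setuid DIR [OWNER]
#   Prints "<path> <group> <mode>" for files that are setuid to OWNER
#   (default root), executable by their group, and NOT world-executable:
#   the "setuid root.adm" pattern, where membership in the group alone
#   grants OWNER's capabilities inside that binary.
flag_group_setuid() {
    dir=$1
    owner=${2:-root}
    list_privileged_files "$dir" | while read -r path user group mode; do
        # Leading 0 makes the shell parse the stat output as octal.
        m=$((0$mode))
        [ "$user" = "$owner" ] || continue
        [ $((m & 04000)) -ne 0 ] || continue   # setuid bit set
        [ $((m & 010)) -ne 0 ] || continue     # group may execute
        [ $((m & 01)) -eq 0 ] || continue      # world may not execute
        printf '%s %s %s\n' "$path" "$group" "$mode"
    done
}

# Stand-alone use: audit /usr/bin for setuid-root binaries restricted to a group.
# flag_group_setuid /usr/bin root
```

Running flag_group_setuid /usr/bin as a normal user is enough to spot the situation in the report, since the bits are readable without privilege; anything it prints deserves the same question asked above of tcpdump and traceroute: does every member of that group really need what the binary can do as root?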