
Bug#4465: security hole in netdiag package



Package: netdiag
Version: 0.2-3

The postinst script copies the tcpdump binary from the tcpdump
package and the traceroute binary from the netstd package to /usr/bin
and makes them setuid root.adm. This allows all users in the existing
adm group to use tcpdump to get the unencrypted passwords that are
transmitted over the network.

IMHO the netdiag package shouldn't use tcpdump/traceroute
(neither as binaries nor as links). Copying/linking binaries from
other packages just to have them in /usr/bin is a bad idea. Maybe
something like this should be added to the guidelines.


Thanks,

Peter

-- 
 Peter Tobias                                EMail:
 Fachhochschule Ostfriesland                 tobias@et-inf.fho-emden.de
 Fachbereich Elektrotechnik und Informatik   tobias@debian.org
 Constantiaplatz 4, 26723 Emden, Germany     tobias@linux.de
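
An added example, not part of the bug report above: a small POSIX sh audit that flags the pattern described in the report, setuid-root binaries whose group is something other than root, so that membership in that group (here adm) is all it takes to run them as root. It reads lines of the form `mode owner group path`, as `find /usr/bin -perm -4000 -printf '%m %u %g %p\n'` produces; the sample input is constructed.

```shell
# Added example (not from the bug report): audit setuid-root binaries that are
# gated to a non-root group, the shape of the netdiag postinst problem.
# Input lines: "octal-mode owner group path", as produced by
#   find /usr/bin -perm -4000 -printf '%m %u %g %p\n'

audit_setuid_lines() {
    # Print "path owner:group mode" for every setuid file owned by root whose
    # group is not root: any member of that group can run it with root
    # privileges (e.g. tcpdump copied and made setuid root.adm).
    while read -r mode owner group path; do
        [ -n "$path" ] || continue
        case "$mode" in
            4???|6???) ;;      # setuid bit set (optionally with setgid)
            *) continue ;;     # no setuid bit: not interesting here
        esac
        [ "$owner" = root ] || continue
        [ "$group" != root ] || continue
        printf '%s %s:%s %s\n' "$path" "$owner" "$group" "$mode"
    done
}

# Constructed sample; the first two lines mirror what the netdiag postinst
# produced, the others are ordinary entries that must not be reported.
SAMPLE='4750 root adm /usr/bin/tcpdump
4750 root adm /usr/bin/traceroute
4755 root root /usr/bin/passwd
755 root root /usr/bin/ls
2755 root utmp /usr/bin/wall'

# Run the audit over the constructed sample and return the findings.
findings() {
    printf '%s\n' "$SAMPLE" | audit_setuid_lines
}

# Real use on a live system:
#   find /usr/bin -perm -4000 -printf '%m %u %g %p\n' | audit_setuid_lines
```

Each reported line is a binary that extends root's network or system capabilities to an entire group, which is the exposure the report describes for adm.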
