[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: List of bugs that *must* be fixed before releasing Slink

On Mon, 1 Feb 1999, Richard Braakman wrote:

> Joey Hess wrote:
> > Wichert Akkerman wrote:
> > > > general           28850  gettext: security problem when used in setuid programs [0]  (debian-devel@lists.debian.org)
> > > 
> > > Everyone who has a package with a setuid program or something that runs
> > > as root should check if it uses gettext, and if so recompile it with
> > > the latest gettext installed. Please not that this is not necessary for
> > > programs that use the gettext from libc6.
> > 
> > Could a lintian check be written to check for this, perhaps?
> Not that I can think of.  How can I check if a binary is linked statically
> to gettext?  The binaries are stripped, so I don't have symbol information.

You are right.

However, this is not the only thing that could be done.

If lintian had the ability to check source and binary packages at the same
time, a lintian check could be designed for:

1. suid binaries in the .deb, and:
2. The gettext library in the source, which is usually an "intl"
directory containing the files from /usr/share/gettext/intl.
The existence of a file named "gettext.c" in the source would be a good
enough starting point.

This would reduce the number of packages to check from 2200 to a
reasonable value.

 "27b0cee5f820cd69fc0e2078c5500d71" (a truly random sig)

Reply to: