Re: setuid/setgid binaries contained in the Debian repository.

To: debian-devel@lists.debian.org
Subject: Re: setuid/setgid binaries contained in the Debian repository.
From: Matt Zimmerman <mdz@debian.org>
Date: Sun, 3 Aug 2003 03:14:23 -0400
Message-id: <[🔎] 20030803071423.GC24128@alcor.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 871xw3o63b.fsf@glaurung.green-gryphon.com>
References: <[🔎] 20030802011210.GA14970@dragon.kitenet.net> <[🔎] 87u190r7ur.fsf@glaurung.green-gryphon.com> <[🔎] 20030802170909.GZ24128@alcor.net> <[🔎] 87r844osq5.fsf@glaurung.green-gryphon.com> <[🔎] 20030802185016.GH24128@alcor.net> <[🔎] 87y8ybooek.fsf@glaurung.green-gryphon.com> <[🔎] 20030802205512.GL24128@alcor.net> <[🔎] 87ptjnofbi.fsf@glaurung.green-gryphon.com> <[🔎] 20030803004826.GN24128@alcor.net> <[🔎] 871xw3o63b.fsf@glaurung.green-gryphon.com>

On Sat, Aug 02, 2003 at 08:58:00PM -0500, Manoj Srivastava wrote:

> 	Given the last review of a setgid program, I wonder if two
>  people are enough.

Surely two people would be an improvement over the current situation, where
there is no review at all.  Our demonstration has shown how one person can
discover some common flaws with a relatively brief review.

This bug and others existed in your package for over four years (and still
exist in stable today).  We might still not know about it if you had not
brought the package to my attention for review.  Steve Kemp might have
eventually discovered it in the course of his auditing, but I don't know
whether he is spending his time on non-free software such as angband.

Keep in mind that there are also potentially more than two people interested
in this review process.  Another person besides myself has already
volunteered in just the first day of discussion, and I find this very
encouraging.

>  The mistake was simple, human, and undesrtandable, but the review does
>  not in fact talk about any flaws in the current version of angband

The review, simplistic though it was, uncovered flaws in the package in
stable which were overlooked by the maintainer.  This kind of situation is
often preventable through discussion and code review, as you have seen.  I
would like to promote this beneficial process within Debian in order to
reduce the workload of the security team and the presence of vulnerabilities
in our stable releases.

-- 
 - mdz

Reply to:

Follow-Ups:
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Steve Kemp <skx@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Manoj Srivastava <srivasta@debian.org>

References:
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Joey Hess <joeyh@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Manoj Srivastava <srivasta@debian.org>

Prev by Date: Re: CUPS should be the default print service in Debian/Sarge
Next by Date: Re: libraries being removed from the archive
Previous by thread: Re: setuid/setgid binaries contained in the Debian repository.
Next by thread: Re: setuid/setgid binaries contained in the Debian repository.
Index(es):
- Date
- Thread