Re: Opinions sought: mlocate appropriate for Priority: standard?

To: debian-devel@lists.debian.org
Subject: Re: Opinions sought: mlocate appropriate for Priority: standard?
From: Ian Jackson <ian@davenant.greenend.org.uk>
Date: Tue, 27 Nov 2007 20:46:56 +0000
Message-id: <[🔎] 18252.33344.145727.224156@davenant.relativity.greenend.org.uk>
In-reply-to: <[🔎] 20071110164740.GA12866@kitenet.net>
References: <[🔎] 20071110110222.GA14136@chistera.yi.org> <[🔎] 4735A204.2020606@freedesktop.org> <[🔎] 20071110164740.GA12866@kitenet.net>

Joey Hess writes ("Re: Opinions sought: mlocate appropriate for Priority: standard?"):
> Given the security history of slocate, and since mlocate has a similar
> design from a security POV, it would be good to get a thurough audit of
> mlocate, perhaps trying some of the same holes. At least it doesn't seem
> to be vulnerable to the attack described in CVE-2007-0227.

I think setgid is entirely the wrong approach here.  And these kind of
vulnerabilities are an inevitable consequence.

Ian.

Reply to:

References:
- Opinions sougth: mlocate appropriate for Priority: standard?
  - From: Adeodato Simó <dato@net.com.org.es>
- Re: Opinions sought: mlocate appropriate for Priority: standard?
  - From: Josh Triplett <josh@freedesktop.org>
- Re: Opinions sought: mlocate appropriate for Priority: standard?
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Re: Packages with httpd needs
Next by Date: Re: Contents-source.gz
Previous by thread: Re: Opinions sought: mlocate appropriate for Priority: standard?
Next by thread: Bug#450781: ITP: Plasmidomics -- gui for plasmid and vector map drawing with postscript export / debian-med
Index(es):
- Date
- Thread