[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#496386: The possibility of attack with the help of symlinks in some Debian packages

On Sun, Aug 24, 2008 at 10:05:30PM +0400, Dmitry E. Oboukhov wrote:
> Package: initramfs-tools
> Severity: grave

> This message about the error concerns a few packages  at  once.   I've
> tested all the packages (for Lenny) on my Debian mirror.  All  scripts
> of packages (marked as executable) were tested.

This is far below the quality I expect from a mass bug filing that's been
reviewed by debian-devel.  Mass bugfilings at RC severity need to be held to
a much higher standard than this, particularly when we're in the middle of a
release freeze.

It was certainly not my impression that "Possible mass bug filing" as a
subject line meant that bug reports were imminent.

Problems with this report:

- the justification for "grave" severity is that it's a security hole, but
  no "security" tag was set
- information is available about what versions are affected, but no Version:
  pseudoheader is set
- the contents are 100% generic and requires the maintainer to search
  through a list of packages/files to find out what script is supposed to be
- there is no information in the bug report about the /methodology/ used to
  detect vulnerable scripts, leaving the maintainer no opportunity to
  provide feedback about bugs in said methodology

and finally,

- this bug report is a false positive.  /usr/share/initramfs-tools/init is a
  script installed in the initrd, which is a single-user context; there's no
  possibility that this is exploitable.

Please take responsibility for providing the missing information to the
package maintainers, and for correcting the false positives that you've

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Reply to: