Re: Bug#496386: The possibility of attack with the help of symlinks in some Debian packages
On Sun, Aug 24, 2008 at 10:05:30PM +0400, Dmitry E. Oboukhov wrote:
> Package: initramfs-tools
> Severity: grave
> This message about the error concerns a few packages at once. I've
> tested all the packages (for Lenny) on my Debian mirror. All scripts
> of packages (marked as executable) were tested.
This is far below the quality I expect from a mass bug filing that's been
reviewed by debian-devel. Mass bugfilings at RC severity need to be held to
a much higher standard than this, particularly when we're in the middle of a
release freeze.
It was certainly not my impression that "Possible mass bug filing" as a
subject line meant that bug reports were imminent.
Problems with this report:
- the justification for "grave" severity is that it's a security hole, but
no "security" tag was set
- information is available about what versions are affected, but no Version:
pseudoheader is set
- the contents are 100% generic and require the maintainer to search
through a list of packages/files to find out what script is supposed to be
vulnerable
- there is no information in the bug report about the /methodology/ used to
detect vulnerable scripts, leaving the maintainer no opportunity to
provide feedback about bugs in said methodology
and finally,
- this bug report is a false positive. /usr/share/initramfs-tools/init is a
script installed in the initrd, which is a single-user context; there's no
possibility that this is exploitable.
Please take responsibility for providing the missing information to the
package maintainers, and for correcting the false positives that you've
filed.
--
Steve Langasek
Debian Developer
Ubuntu Developer
slangasek@ubuntu.com vorlon@debian.org

Give me a lever long enough and a Free OS to set it on, and I can move the world.
http://www.debian.org/