
Re: Bug#496429: The possibility of attack with the help of symlinks in some Debian packages

Steve Langasek <vorlon@debian.org> writes:

> The example *is* wrong - the example given is never safe to run, because
> the only way to verify beforehand that /tmp/zenity is not a symlink to
> something more important is by first explicitly *creating* your file
> under /tmp (non-destructively), then check that it's not a symlink, and
> *then* run pilot-qof.

I dunno, I'd feel quite comfortable running that command on my personal
laptop, which has no other users and no remote login access.  /tmp file
vulnerabilities are only vulnerabilities on multiuser systems.  We don't
know for *packages* whether they'll be installed on multiuser systems, so
of course we have to fix them regardless, but in examples I think it's
often reasonable to be sloppier.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
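The "create, then verify, then use" discipline Steve describes above, written out as an added shell example (not code from the thread or from pilot-qof; the function names, the `example.XXXXXX` template and the use of `mktemp` are my assumptions). `safe_tmpfile` lets `mktemp` pick an unpredictable name and create the file with O_EXCL, so a pre-placed symlink at that name cannot be followed; `check_fixed_path` is the weaker check for a fixed name such as /tmp/zenity.

```shell
#!/bin/sh
# Added example, not part of the original mail: safe temp-file handling
# for a shared /tmp.

# Create a temp file safely under $TMPDIR (default /tmp).
# mktemp creates the file itself with O_EXCL, so an attacker cannot have
# pre-placed a symlink at that name.  The extra checks guard against an
# odd mktemp or directory setup and make the intent explicit.
safe_tmpfile() {
    dir="${TMPDIR:-/tmp}"
    f=$(mktemp "$dir/example.XXXXXX") || return 1   # template name is an assumption
    # Must be a regular file, not a symlink, and owned by our effective uid.
    if [ -L "$f" ] || [ ! -f "$f" ] || [ ! -O "$f" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Check a fixed, predictable path (like /tmp/zenity in the thread) before
# using it.  Succeeds only if the path does not exist yet, or is a
# non-symlink file owned by us.  Note the window between this check and the
# later open: a fixed name can never be made fully safe this way.
check_fixed_path() {
    p="$1"
    if [ -L "$p" ]; then
        echo "refusing: $p is a symlink" >&2
        return 1
    fi
    if [ -e "$p" ] && { [ ! -f "$p" ] || [ ! -O "$p" ]; }; then
        echo "refusing: $p exists and is not a regular file owned by us" >&2
        return 1
    fi
    return 0
}

# Usage: create a safe file, use it, remove it.
tmp=$(safe_tmpfile) && echo "using $tmp" && rm -f "$tmp"
```

The point of the two functions is the difference Steve draws: `check_fixed_path` only tells you the path was not a symlink at the instant of the check, so on a multiuser box the check-then-use gap remains; `safe_tmpfile` removes the race because the creation itself is the check. On a single-user laptop, as Russ says, neither matters much.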
