
Re: Bug#496386: The possibility of attack with the help of symlinks in some Debian packages



On Mon, 2008-08-25 at 10:09 +0200, Thijs Kinkhorst wrote:
> On Sunday 24 August 2008 22:00, Steve Langasek wrote:
> > Please take responsibility for providing the missing information to the
> > package maintainers, and for correcting the false positives that you've
> > filed.
> 
> Yes, please. I think the only way the damage of this bad bug filing can be 
> mitigated is if you, Dmitry, review all bugs you filed and provide for each 
> bug the exact piece of code that you think has the problem and an assessment 
> of the exploitability in the context of the specific package.
> 
> I expect you start working on this immediately?

It might be best to first downgrade (if not close) all bugs filed under
the first attempt so that packages are not removed from testing in the
time it will take to reassess the actual risk from the pattern matches.

Once you have added to the bug report specific information on the
precise piece of code that can be shown to be used in the normal use of
the program and in such a way as to be available, by default, on a
multi-user system, then you can think about raising the severity again.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
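The reassessment Neil asks for turns on whether a flagged use of a shared directory can actually be redirected by another local user. The following C program is an added illustration, not code from the bug report or from any Debian package: it plants a symlink in a private sandbox directory and shows the grep-matched pattern (a fixed, guessable name opened with O_CREAT and no O_EXCL) following it, while mkstemp(3) and an O_CREAT|O_EXCL|O_NOFOLLOW open refuse. The function names and the `/tmp/symlink-demo.XXXXXX` sandbox are assumptions made for the demonstration.

```c
/* Added example: why a pattern match on "/tmp" needs a per-package
 * exploitability check. Helper names and the sandbox path are assumptions
 * for this demonstration; nothing here comes from a real package. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern a source grep flags: a fixed, guessable name opened with
 * O_CREAT and no O_EXCL. If another local user has already planted a
 * symlink at that path, open() follows it and the program truncates and
 * writes wherever the link points. Returns the fd or -1. */
int open_predictable(const char *dir, const char *name) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form when the name can be chosen freely: mkstemp(3) picks an
 * unpredictable name and creates it atomically with O_EXCL, so a pre-planted
 * entry makes the call fail rather than being followed. Returns the fd or
 * -1; on success out_path holds the created name. */
int open_unpredictable(const char *dir, char *out_path, size_t out_len) {
    snprintf(out_path, out_len, "%s/example.XXXXXX", dir);
    return mkstemp(out_path);
}

/* Hardened form when a fixed name must be kept: O_EXCL refuses to create
 * through an existing entry (including a dangling symlink) and O_NOFOLLOW
 * refuses to open an existing symlink. Returns the fd or -1. */
int open_fixed_name_safely(const char *dir, const char *name) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Reproduces the triage scenario in a private sandbox directory: create a
 * "victim" file, plant a symlink named report.txt pointing at it, then try
 * each open variant. Returns 1 when the predictable open landed on the
 * victim's inode while both hardened variants behaved safely, else 0. */
int demonstrate(void) {
    char sandbox[] = "/tmp/symlink-demo.XXXXXX";   /* assumed sandbox */
    if (mkdtemp(sandbox) == NULL) return 0;

    char victim[PATH_MAX], link[PATH_MAX], created[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", sandbox);
    snprintf(link, sizeof link, "%s/report.txt", sandbox);

    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0) return 0;
    if (write(v, "original", 8) != 8) { close(v); return 0; }
    close(v);
    if (symlink(victim, link) != 0) return 0;   /* the planted link */

    struct stat victim_st, opened_st;
    if (stat(victim, &victim_st) != 0) return 0;

    /* 1. The grep-matched pattern: the open is redirected to the victim. */
    int followed = 0;
    int fd = open_predictable(sandbox, "report.txt");
    if (fd >= 0) {
        if (fstat(fd, &opened_st) == 0)
            followed = (opened_st.st_ino == victim_st.st_ino);
        close(fd);
    }

    /* 2. Fixed name with O_EXCL|O_NOFOLLOW: must fail, not follow. */
    int safe_fixed = open_fixed_name_safely(sandbox, "report.txt");
    int refused = (safe_fixed < 0 && (errno == EEXIST || errno == ELOOP));
    if (safe_fixed >= 0) close(safe_fixed);

    /* 3. mkstemp: a fresh file that no planted entry can predict. */
    int safe_fd = open_unpredictable(sandbox, created, sizeof created);
    int fresh = (safe_fd >= 0);
    if (safe_fd >= 0) { close(safe_fd); unlink(created); }

    unlink(link); unlink(victim); rmdir(sandbox);
    return followed && refused && fresh;
}

int main(void) {
    printf("predictable open followed the planted symlink, hardened forms refused: %s\n",
           demonstrate() ? "yes" : "no");
    return 0;
}
```

When reviewing one of the filed bugs, the question this models is the one in the message above: is the flagged open reachable in normal use, in a directory another user can write to, with a name that user can guess? If the code already uses mkstemp or O_EXCL|O_NOFOLLOW, the pattern match is a false positive.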

