Re: severity for bugs in ignoring TMP/TMPDIR?

To: Ben Hutchings <ben@decadent.org.uk>
Cc: Russ Allbery <rra@debian.org>, debian-devel@lists.debian.org
Subject: Re: severity for bugs in ignoring TMP/TMPDIR?
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Tue, 14 Feb 2012 12:26:22 +0000
Message-id: <[🔎] 20282.21230.345528.633536@chiark.greenend.org.uk>
In-reply-to: <[🔎] 1329143535.3048.11.camel@deadeye>
References: <[🔎] 1328410290.7032.165.camel@chianamo> <[🔎] CAKTje6GKBf2zJjvzfVHwszPzMdf6ns4MdQ1k2LxTvoO6LYKQtw@mail.gmail.com> <[🔎] CAB9B7Usje98Ym875bpa9kfBBuf67WpdHJ48-WszirvO-ssj6BQ@mail.gmail.com> <[🔎] CAKTje6FPdwiHApZH7TOkMSC59Me=ExgZgHrYXQNT8VTcka==BA@mail.gmail.com> <[🔎] 877gzursh6.fsf@windlord.stanford.edu> <[🔎] 20281.1211.909188.106171@chiark.greenend.org.uk> <[🔎] 1329143535.3048.11.camel@deadeye>

Ben Hutchings writes ("Re: severity for bugs in ignoring TMP/TMPDIR?"):
> A similar change has been implemented
> <https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Symlink_Protection> and will probably be included in wheezy.

Interesting.  That approach protects the buggy programs, but does not
detect them.

The suggestion I made earlier would break the buggy programs which is
slightly different.  I guess it's just whether we want to try to
detect these bugs so that the software ends up fixed for everyone
(including any Debian users using stock kernels), at the cost of
extra pain for us.

Ian.

Reply to:

References:
- severity for bugs in ignoring TMP/TMPDIR?
  - From: Paul Wise <pabs@debian.org>
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Paul Wise <pabs@debian.org>
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Javier Fernandez-Sanguino <jfs@computer.org>
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Paul Wise <pabs@debian.org>
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Russ Allbery <rra@debian.org>
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: severity for bugs in ignoring TMP/TMPDIR?
  - From: Ben Hutchings <ben@decadent.org.uk>

Prev by Date: Re: [DEP9] call for testing of reconf-inetd (update-inetd replacement)
Next by Date: Re: Multiarch file overlap summary and proposal (was: Summary: dpkg shared / reference counted files and version match)
Previous by thread: Re: severity for bugs in ignoring TMP/TMPDIR?
Next by thread: Re: severity for bugs in ignoring TMP/TMPDIR?
Index(es):
- Date
- Thread