
Bug#286379: Lintian insecure removal bug (#286379)



On Tue, Dec 21, 2004 at 03:26:12PM +0100, Martin Schulze wrote:
> I haven't verified that this code is executed for each lintian execution.
> However, if it is, then it's an issue since the process does not fail if
> mkdir fails, instead the directory is used.

This is simply not true, see [1]. This code is executed every lintian
invocation, but a failing mkdir _will_ abort lintian.

The current discussion is about whether or not it is okay for lintian to
use a directory made with the current umask, since for example a umask of
02 would render you vulnerable to attacks by members of the same
group[2].

In my opinion, this is a user-error having 02 umask with
untrusted members of the same group[3], but the bug submitter
disagrees[4].

Sorry for the mess that this buglog is, at the moment...

--Jeroen

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=12
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=24
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=27
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=36

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
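
The two points in the message above (a failing mkdir aborting the run, and the directory mode following the caller's umask) can be checked with the following added example, which is not part of the original message and is not lintian's code. The directory name "work", the scratch base and the helper function names are assumptions made for illustration; the explicit-mode variant is one option a tool could take, not something the thread states lintian does.

```shell
#!/bin/sh
# Added illustration; "work" and the scratch base are constructed names.

# Print the permission bits of a path in octal (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Bare mkdir: the resulting mode is 0777 with the umask bits cleared.
mkdir_plain() { mkdir "$1"; }

# Explicit mode: owner-only whatever umask the caller happens to run with.
mkdir_private() { mkdir -m 700 "$1"; }

# Run creator $2 under umask $1 inside a fresh scratch dir; print the mode.
mode_under_umask() {
    (
        base=$(mktemp -d) || exit 1
        umask "$1"
        "$2" "$base/work" && mode_of "$base/work"
        rc=$?
        rm -rf "$base"
        exit "$rc"
    )
}

# Succeeds only if mkdir refuses a path that already exists, which is what
# lets the caller abort instead of working in a directory it did not create.
refuses_existing() {
    (
        base=$(mktemp -d) || exit 1
        mkdir "$base/work"    # stands in for a directory created earlier
        if mkdir_private "$base/work" 2>/dev/null; then rc=1; else rc=0; fi
        rm -rf "$base"
        exit "$rc"
    )
}

for u in 002 022 077; do
    printf 'umask %s: plain=%s private=%s\n' "$u" \
        "$(mode_under_umask "$u" mkdir_plain)" \
        "$(mode_under_umask "$u" mkdir_private)"
done
refuses_existing && echo 'existing directory refused'
```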


