See below.
hi,
On Sun, Nov 18, 2018 at 02:01:38PM +0100, Ola Lundqvist wrote:
> What I did was to check CVE-2016-10729 and my conclusion that I cannot
> reproduce the problem.
(I havent looked at CVE-2016-10729.)
> It may be so that the checks are not in place but there are obviously
> something preventing the exploit to be reproducible. Either that or that
> you have to be logged in as backup, which is not possible.
can you reproduce the bug in sid or stretch?
if so, I think you can conclude that the exploit really doesnt work on
jessie.
I have not tried, but I doubt I will succeed. I think the same security measurements are applicable also in sid and stretch.
I'm suspecting that the necessary thing needed to exploit this is if anyone have login permission to the backup user. But you cannot login to that user on a Debian machine.
> My question to you is how to properly mark this vulnerability. Is it so
> that it should be "undetermined" or should I mark it in some other way?
see b990a51a15d in security-tracker.git for an example how to mark
something as not affecting jessie. in short: <not-affected> which an
explaination why.
but only do this if you are really sure, else leave it at undetermined.
I'm not 100% sure yet so I'll leave it as is for now. :-)
// Ola
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C