Hi Ola,

On Sun, Nov 18, 2018 at 10:30:16PM +0100, Ola Lundqvist wrote:
> > > What I did was to check CVE-2016-10729 and my conclusion is that I cannot
> > > reproduce the problem.
> > can you reproduce the bug in sid or stretch?
> I have not tried, but I doubt I will succeed. I think the same security
> measurements are applicable also in sid and stretch.
> I'm suspecting that the necessary thing needed to exploit this is if anyone
> has login permission to the backup user. But you cannot login to that user
> on a Debian machine.

well, (AIUI) for that you need to find another bug in amanda (or some tool amanda is using, like cron, or whatever, e.g. a totally unrelated root exploit), so that you then can get access to uid backup, and then you can exploit CVE-2016-10729 to compromise amanda clients.

I don't think the fact that you cannot login as backup is a viable protection.

> > but only do this if you are really sure, else leave it at undetermined.
> I'm not 100% sure yet so I'll leave it as is for now. :-)

I agree that's better.

--
cheers,
Holger

-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C