Bug#692929: ncpfs - ncpmount is suid root

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#692929: ncpfs - ncpmount is suid root
From: Bastian Blank <waldi@debian.org>
Date: Sun, 11 Nov 2012 00:22:35 +0100
Message-id: <[🔎] 20121110232235.6623.38367.reportbug@rockhammer.waldi.eu.org>
Reply-to: Bastian Blank <waldi@debian.org>, 692929@bugs.debian.org

Package: ncpfs
Severity: serious

ncpmount is suid root. A quick check through last patches for security
problems and the code itself don't make me believe this is save.

The code uses weird checks including calls to clone(2). As ncp is
mostly dead this is unlikely to change.

I think it is best to remove the suid flag for now and if noone wants to
do anything about it drop the package.

Bastian

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Reply to:

Follow-Ups:
- Bug#692929: marked as done (ncpfs - ncpmount is suid root)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#692471: ncpfs - Fails to build to times
Next by Date: Bug#692472: ncpfs - Fails with Cannot convert kernel release "3.6-trunk-amd64" to number
Previous by thread: apt-move_4.2.27-3_amd64.changes ACCEPTED into unstable
Next by thread: Bug#692929: marked as done (ncpfs - ncpmount is suid root)
Index(es):
- Date
- Thread