Bug#796635: nvi init script still needed?

To: 796635@bugs.debian.org
Subject: Bug#796635: nvi init script still needed?
From: Bryan Quigley <bryan.quigley@canonical.com>
Date: Wed, 2 Sep 2015 10:21:27 -0400
Message-id: <[🔎] CAML-E+v0YTMP2z+b0sDGPRNvxnzOh_biZryeaPgET7Fw4di9rA@mail.gmail.com>
Reply-to: Bryan Quigley <bryan.quigley@canonical.com>, 796635@bugs.debian.org
In-reply-to: <CAML-E+szAv3SrO_rN8TGc-TDxrv5-cHyrgU-EA4VLUWBR7e9GQ@mail.gmail.com>
References: <CAML-E+szAv3SrO_rN8TGc-TDxrv5-cHyrgU-EA4VLUWBR7e9GQ@mail.gmail.com>

Depending on how it's modified to fix that bug, I think it could
introduce a security issue as it:
 * doesn't seem like an upstream script designed to run as root
 * seems racy (especially after checking if something is a symlink)
 * handles user content as root

AFAICT being at runlevel S at least stops racy issues.  I wasn't
actually able to exploit anything myself, but if say there is an
exploit in awk, this could allow the attacker to get root at the next
reboot.

Reply to:

Prev by Date: Bug#797772: irda-utils: Upgrading the package compains on nonexistant /dev/MAKEDEV
Next by Date: Bug#643208: marked as done (luakit: FTBFS: dpkg-buildpackage: error: dpkg-source -b luakit-2011.07.22-r1 gave error exit status 2)
Previous by thread: Bug#797772: irda-utils: Upgrading the package compains on nonexistant /dev/MAKEDEV
Next by thread: Bug#643208: marked as done (luakit: FTBFS: dpkg-buildpackage: error: dpkg-source -b luakit-2011.07.22-r1 gave error exit status 2)
Index(es):
- Date
- Thread