
Re: Severity of bug #259993



Hi,

> On Sun, Aug 01, 2004 at 05:07:52AM +0200, Florian Zumbiehl wrote:
> 
> Certainly, a genuine security vulnerability should be release-critical.  We
> must not release software with known security vulnerabilities.

Seems to make sense =:-)

> It sounds like the upstream author may have misunderstood your report, which
> led to further misunderstanding on the part of the Debian maintainer.

Yep, but that's why I explained it in the followup mail, which is also
archived in the BTS:

| "File operations" refers to the postscript program that is executed by
| ghostscript here. Something along the lines of -dSAFER is needed to
| make this safe, however I'm not sure as to which options are needed.
| Maybe, it can't be made safe at all if gs is run as root.

!?

[longer explanation of the problems with the invocation of gs by cups-pdf]

Do you possibly know whether -dSAFER is sufficient? Or does that still
allow arbitrary files to be read or anything else that a normal user should
not be able to do with root privileges?

> Also, there seems to be some confusion about the symlink attack (#259933),
> specifically where the output is actually written.  I don't know anything
> about cups-pdf, so I don't know who is correct here.

The source code isn't that complex, if you wanna have a look ;-)

The output is written to ~/cups-pdf, which is created automatically if
it doesn't exist already, currently world-writeable, IIRC.

As we are on debian-qa: Even if this was not a security problem, this IMO
should have been verified before downgrading the bug, and it should
have been mentioned in the mail instructing the BTS to change the
severity!?

> At least the gs issue seems like a genuine concern and justifies Severity:
> grave, so I have changed the severity of that bug.  cups-pdf should not be
> released with sarge unless that bug is fixed.

Yep, that's the most obvious one, indeed.

How about splitting off the purely security-related part of this thread
to debian-security, as suggested by Frank?

Cya, Florian
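A hardened way to create and use a per-user output directory like the ~/cups-pdf one discussed above, added here as an example and not cups-pdf's own code: it refuses a symlink at the directory path, rejects a directory that is world-writeable or owned by someone else, and creates the output file with O_EXCL so a pre-planted link or existing file is never followed or clobbered. The directory layout, the job file name and the selftest helper are assumptions made for the example.

```c
#define _GNU_SOURCE /* mkdtemp, openat, O_DIRECTORY, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create (if missing) and validate the per-user output directory. Returns an
 * open directory fd, or -1 if the path is a symlink, not owned by `owner`,
 * or writable by group/other (the world-writeable ~/cups-pdf case). */
int open_safe_outdir(const char *path, uid_t owner)
{
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW); /* no symlinks */
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
/* Create the output file relative to the validated directory. O_EXCL fails
 * instead of following a pre-planted symlink or clobbering an existing file. */
int create_output_file(int dirfd, const char *name)
{
    if (strchr(name, '/') != NULL) /* reject path components in the job name */
        return -1;
    return openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}
/* Self-test on a constructed scratch dir under /tmp; returns 1 if every check behaves. */
int selftest_safe_outdir(void)
{
    char tmpl[] = "/tmp/safe-outdir-XXXXXX", dir[256], lnk[256];
    char *base = mkdtemp(tmpl);
    if (!base) return 0;
    snprintf(dir, sizeof dir, "%s/out", base);
    snprintf(lnk, sizeof lnk, "%s/lnk", base);
    int ok = 1, fd = open_safe_outdir(dir, getuid()), f = -1;
    ok &= fd >= 0 && (f = create_output_file(fd, "job1.pdf")) >= 0; /* fresh dir */
    ok &= create_output_file(fd, "job1.pdf") < 0 && create_output_file(fd, "../x") < 0;
    ok &= chmod(dir, 0777) == 0 && open_safe_outdir(dir, getuid()) < 0; /* world-writable */
    ok &= symlink("/etc", lnk) == 0 && open_safe_outdir(lnk, getuid()) < 0; /* symlink */
    if (f >= 0) close(f); if (fd >= 0) close(fd);
    return ok;
}
```

The selftest leaves its scratch directory behind under /tmp; a real daemon would use the spooling user's home instead of /tmp and would also drop root before touching the directory.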