
[mdz@debian.org: Re: Bug#200028: w3m-img: w3mimgdisplay is setuid root]

How about it, Anthony; can we dosrcanyway w3m? I think we'll then need
to remove stalin from testing in order to get a newer libgc in (due to
#216341, although I'll try to remember to talk to a buildd admin about
that), but everything else should be OK now.

Colin Watson                                  [cjwatson@flatline.org.uk]

----- Forwarded message from Matt Zimmerman <mdz@debian.org> -----

Date: Wed, 5 Nov 2003 11:24:24 -0500
From: Matt Zimmerman <mdz@debian.org>
To: Colin Watson <cjwatson@debian.org>
Cc: Fumitoshi UKAI <ukai@debian.or.jp>, 200028@bugs.debian.org,
	makedev@packages.debian.org, devfsd@packages.debian.org
Subject: Re: Bug#200028: w3m-img: w3mimgdisplay is setuid root
User-Agent: Mutt/1.3.28i

On Wed, Nov 05, 2003 at 09:54:52AM +0000, Colin Watson wrote:

> On Sat, Aug 30, 2003 at 02:08:36PM -0400, Matt Zimmerman wrote:
> > How about it, Bdale?
> Bdale, ping? We need to get a fixed w3m-img in order to be able to get a
> new libgc into testing, and we need that in order to upgrade libsigc++,
> etc. It's getting pretty urgent.
> (Alternatively: Matt, does this have to be serious, noting that woody's
> w3mimgdisplay is also setuid root, so it's not as if it's a regression?  I
> suppose we could have britney ignore it on that basis.)

Right, this is not a regression, and there is not a proven security
vulnerability here, only an excess of privilege.  I still believe this
should be dealt with before the sarge release, but it does not seem
necessary for it to block packages from entering testing.

 - mdz

----- End forwarded message -----
