[firstname.lastname@example.org: Re: Bug#200028: w3m-img: w3mimgdisplay is setuid root]
How about it, Anthony; can we dosrcanyway w3m? I think we'll then need
to remove stalin from testing in order to get a newer libgc in (due to
#216341, although I'll try to remember to talk to a buildd admin about
that), but everything else should be OK now.
Colin Watson [email@example.com]
----- Forwarded message from Matt Zimmerman <firstname.lastname@example.org> -----
Date: Wed, 5 Nov 2003 11:24:24 -0500
From: Matt Zimmerman <email@example.com>
To: Colin Watson <firstname.lastname@example.org>
Cc: Fumitoshi UKAI <email@example.com>, firstname.lastname@example.org,
Subject: Re: Bug#200028: w3m-img: w3mimgdisplay is setuid root
On Wed, Nov 05, 2003 at 09:54:52AM +0000, Colin Watson wrote:
> On Sat, Aug 30, 2003 at 02:08:36PM -0400, Matt Zimmerman wrote:
> > How about it, Bdale?
> Bdale, ping? We need to get a fixed w3m-img in order to be able to get a
> new libgc into testing, and we need that in order to upgrade libsigc++,
> etc. It's getting pretty urgent.
> (Alternatively: Matt, does this have to be serious, noting that woody's
> w3mimgdisplay is also setuid root, so it's not as if it's a regression? I
> suppose we could have britney ignore it on that basis.)
Right, this is not a regression, and there is not a proven security
vulnerability here, only an excess of privilege. I still believe this
should be dealt with before the sarge release, but it does not seem
necessary for it to block packages from entering testing.
----- End forwarded message -----