
Re: arla/heimdal/krb4/cyrus-sasl2 ?

Various Cc's dropped, perl@packages added.

bod: we're talking about the grave perl bug, ie the patch for improving
the security model.

On Thu, Nov 13, 2003 at 03:28:35PM -0500, Matt Zimmerman wrote:
> On Thu, Nov 13, 2003 at 02:22:43PM -0600, Steve Langasek wrote:
> > On Thu, Nov 13, 2003 at 09:13:37PM +0100, Adrian Bunk wrote:
> > > But that's the decision of the perl maintainer and the security team.
> > I think it's silly to claim that a flaw that's been well-known for ages
> > constitutes an RC bug that should be allowed to hold up the progress of
> > the release.  If this was really RC, it should have shown up long ago
> > and resulted in immediate removal of perl-suid.
> There was already one patch which improved the situation with suidperl.
> What is the status of the package in testing?  Does it have that preliminary
> fix, or is it equivalent to the woody version?

Some previous patches appear to have been applied to 5.8.0-20 and later,
but -18 is what's in testing.

AFAICS, the patch is about preventing some information leaks (as an
unprivileged user, you can use suidperl to find some information about
files you don't otherwise have access to - mainly whether they exist, and
if they're setuid). While that's a good thing to fix, it doesn't really
seem to "allow access to the accounts of users who use the package",
and I don't think it's entirely reasonable to classify this level of
information leakage as a critical security hole.

(If it is, a DSA needs to be prepared for stable, presumably)


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

Australian DMCA (the Digital Agenda Amendments) Under Review!
	-- http://azure.humbug.org.au/~aj/blog/copyright/digitalagenda
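The leak described in the message above (a privileged helper that tells an unprivileged caller whether a path exists and whether it is setuid) is one instance of a general pattern: a setuid program resolves a caller-supplied path with its effective credentials and echoes distinguishable outcomes. The C program below is an added illustration of that pattern and of the usual hardening; it is not suidperl, not Debian's patch, and the function names, result codes and the /tmp fixture are hypothetical. leaky_probe() answers with its effective privileges and three distinct results; hardened_probe() checks reachability with the real uid via access(2), never reports mode bits, and collapses every failure into a single answer.

```c
/* Added illustration of a privileged file-existence oracle and its fix.
 * Hypothetical code; not from suidperl or the Debian perl package. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum probe_result {
    PROBE_OK,        /* caller may use the file */
    PROBE_NOT_FOUND, /* leaky answer: the path does not exist */
    PROBE_SETUID,    /* leaky answer: the file exists and carries S_ISUID */
    PROBE_DENIED     /* hardened answer for every kind of failure */
};

/* Leaky pattern. stat() resolves the path with the EFFECTIVE uid, so inside a
 * setuid-root binary it succeeds on paths the invoking user cannot traverse,
 * and the distinct return values hand existence and the setuid bit back to
 * the caller. */
enum probe_result leaky_probe(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return errno == ENOENT ? PROBE_NOT_FOUND : PROBE_DENIED;
    return (st.st_mode & S_ISUID) ? PROBE_SETUID : PROBE_OK;
}

/* Hardened pattern. access() checks with the REAL uid/gid, so a path the
 * invoking user cannot reach fails before any privileged lookup; ENOENT,
 * EACCES and wrong-type all collapse into PROBE_DENIED, and mode bits are
 * never reported. (access() is still a check-then-use step: real code should
 * open() once and fstat() the descriptor rather than re-resolve the path.) */
enum probe_result hardened_probe(const char *path)
{
    struct stat st;
    if (access(path, R_OK) != 0 || stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return PROBE_DENIED;
    return PROBE_OK;
}

/* Constructed sample tree under /tmp (hypothetical, not part of the thread). */
struct fixture {
    char dir[64];
    char regular[96];
    char setuid_file[96];
    char missing[96];
};

static int touch(const char *path, mode_t mode)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs("x\n", f);
    fclose(f);                 /* close before chmod: a write would clear S_ISUID */
    return chmod(path, mode);  /* setting S_ISUID on your own file needs no privilege */
}

int make_fixture(struct fixture *fx)   /* returns 0 on success */
{
    snprintf(fx->dir, sizeof fx->dir, "/tmp/probe-demo-%ld", (long)getpid());
    if (mkdir(fx->dir, 0700) != 0 && errno != EEXIST)
        return -1;
    snprintf(fx->regular, sizeof fx->regular, "%s/plain", fx->dir);
    snprintf(fx->setuid_file, sizeof fx->setuid_file, "%s/suid", fx->dir);
    snprintf(fx->missing, sizeof fx->missing, "%s/absent", fx->dir);
    if (touch(fx->regular, 0644) != 0)
        return -1;
    return touch(fx->setuid_file, 04755);
}

void drop_fixture(struct fixture *fx)
{
    unlink(fx->regular);
    unlink(fx->setuid_file);
    rmdir(fx->dir);
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_OK:        return "ok";
    case PROBE_NOT_FOUND: return "not found";
    case PROBE_SETUID:    return "setuid";
    default:              return "denied";
    }
}

int main(void)
{
    struct fixture fx;
    if (make_fixture(&fx) != 0) {
        perror("fixture");
        return 1;
    }
    const char *paths[] = { fx.regular, fx.setuid_file, fx.missing };
    for (int i = 0; i < 3; i++)
        printf("%-36s leaky=%-10s hardened=%s\n", paths[i],
               describe(leaky_probe(paths[i])), describe(hardened_probe(paths[i])));
    drop_fixture(&fx);
    return 0;
}
```

Run unprivileged, both functions agree on paths the caller can already reach; the difference only matters once the binary is setuid, which is exactly when leaky_probe's three-way answer becomes an oracle over directories the caller cannot list. The hardened version's single PROBE_DENIED for "absent" and "unreachable" is the property the fix has to deliver.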
