
Re: arla/heimdal/krb4/cyrus-sasl2 ?

On Fri, Nov 14, 2003 at 02:01:15PM +1000, Anthony Towns wrote:

> AFAICS, the patch is about preventing some information leaks (as an
> unprivileged user, you can use suidperl to find some information about
> files you don't otherwise have access to - mainly whether they exist, and
> if they're setuid). While that's a good thing to fix, it doesn't really
> seem to "allow access to the accounts of users who use the package", and I
> don't think it's entirely reasonable to classify this level of information
> leakage as a critical security hole.
> (If it is, a DSA needs to be prepared for stable, presumably)

A DSA was in preparation, and then Paul Szabo reported further problems with
the fix which had been implemented.  An updated patch is in the BTS now, I
believe.  The previous bug was #203426, and the new one is #220426 (CC'd).

I don't think that anyone from Debian has claimed that this is a critical
bug.  It is an exposure, of course, and should be fixed.

I do not think that it should prevent the current version of perl from
entering testing at this time, but I do think that a fixed version of perl
should replace it before release, and we also need to do a DSA.

 - mdz
