Re: arla/heimdal/krb4/cyrus-sasl2 ?

To: debian-release@lists.debian.org, team@security.debian.org, perl@packages.debian.org
Cc: 220486@bugs.debian.org
Subject: Re: arla/heimdal/krb4/cyrus-sasl2 ?
From: Matt Zimmerman <mdz@debian.org>
Date: Fri, 14 Nov 2003 11:36:16 -0500
Message-id: <[🔎] 20031114163616.GM9377@dijkstra.csh.rit.edu>
Mail-followup-to: debian-release@lists.debian.org, team@security.debian.org, perl@packages.debian.org, 220486@bugs.debian.org
In-reply-to: <[🔎] 20031114040115.GA11878@azure.humbug.org.au>
References: <[🔎] 3FB31687.90000@twcny.rr.com> <[🔎] 20031113150956.GI10456@fs.tum.de> <[🔎] 20031113163619.GD30101@tennyson.netexpress.net> <[🔎] 20031113201337.GO10456@fs.tum.de> <[🔎] 20031113202243.GQ30101@tennyson.netexpress.net> <[🔎] 20031113202835.GR9377@dijkstra.csh.rit.edu> <[🔎] 20031114040115.GA11878@azure.humbug.org.au>

On Fri, Nov 14, 2003 at 02:01:15PM +1000, Anthony Towns wrote:

> AFAICS, the patch is about preventing some information leaks (as an
> unprivleged user, you can use suidperl to find some information about
> files you don't otherwise have access to - mainly whether they exist, and
> if they're setuid). While that's a good thing to fix, it doesn't really
> seem to "allow access to the accounts of users who use the package", and I
> don't think it's entirely reasonable to classify this level of information
> leakage as a critical security hole.
> 
> (If it is, a DSA needs to be prepared for stable, presumably)

A DSA was in preparation, and then Paul Szabo reported further problems with
the fix which had been implemented.  An updated patch is in the BTS now, I
believe.  The previous bug was #203426, and the new one is #220426 (CC'd).

I don't think that anyone from Debian has claimed that this is a critical
bug.  It is an exposure, of course, and should be fixed.

I do not think that it should prevent the current version of perl from
entering testing at this time, but I do think that a fixed version of perl
should replace it before release, and we also need to do a DSA.

-- 
 - mdz

Reply to:

References:
- arla/heimdal/krb4/cyrus-sasl2 ?
  - From: Nathanael Nerode <neroden@twcny.rr.com>
- Re: arla/heimdal/krb4/cyrus-sasl2 ?
  - From: Adrian Bunk <bunk@fs.tum.de>
- Re: arla/heimdal/krb4/cyrus-sasl2 ?
  - From: Steve Langasek <vorlon@netexpress.net>
- Re: arla/heimdal/krb4/cyrus-sasl2 ?
  - From: Adrian Bunk <bunk@fs.tum.de>
- Re: arla/heimdal/krb4/cyrus-sasl2 ?
  - From: Steve Langasek <vorlon@netexpress.net>
- Re: arla/heimdal/krb4/cyrus-sasl2 ?
  - From: Matt Zimmerman <mdz@debian.org>
- Re: arla/heimdal/krb4/cyrus-sasl2 ?
  - From: Anthony Towns <aj@azure.humbug.org.au>

Prev by Date: Re: jack 0.75 mini-freeze
Next by Date: Re: jack 0.75 mini-freeze
Previous by thread: Re: arla/heimdal/krb4/cyrus-sasl2 ?
Next by thread: Time to push qt-x11 and friends into testing?
Index(es):
- Date
- Thread