Re: arla/heimdal/krb4/cyrus-sasl2 ?
On Fri, Nov 14, 2003 at 02:01:15PM +1000, Anthony Towns wrote:
> AFAICS, the patch is about preventing some information leaks (as an
> unprivileged user, you can use suidperl to find some information about
> files you don't otherwise have access to - mainly whether they exist, and
> if they're setuid). While that's a good thing to fix, it doesn't really
> seem to "allow access to the accounts of users who use the package", and I
> don't think it's entirely reasonable to classify this level of information
> leakage as a critical security hole.
> (If it is, a DSA needs to be prepared for stable, presumably)
A DSA was in preparation, and then Paul Szabo reported further problems with
the fix which had been implemented. An updated patch is in the BTS now, I
believe. The previous bug was #203426, and the new one is #220426 (CC'd).
I don't think that anyone from Debian has claimed that this is a critical
bug. It is an exposure, of course, and should be fixed.
I do not think that it should prevent the current version of perl from
entering testing at this time, but I do think that a fixed version of perl
should replace it before release, and we also need to do a DSA.