[mdz@debian.org: Re: Bug#200028: w3m-img: w3mimgdisplay is setuid root]
How about it, Anthony; can we dosrcanyway w3m? I think we'll then need
to remove stalin from testing in order to get a newer libgc in (due to
#216341, although I'll try to remember to talk to a buildd admin about
that), but everything else should be OK now.
--
Colin Watson [cjwatson@flatline.org.uk]
----- Forwarded message from Matt Zimmerman <mdz@debian.org> -----
Date: Wed, 5 Nov 2003 11:24:24 -0500
From: Matt Zimmerman <mdz@debian.org>
To: Colin Watson <cjwatson@debian.org>
Cc: Fumitoshi UKAI <ukai@debian.or.jp>, 200028@bugs.debian.org,
makedev@packages.debian.org, devfsd@packages.debian.org
Subject: Re: Bug#200028: w3m-img: w3mimgdisplay is setuid root
User-Agent: Mutt/1.3.28i
Delivered-To: cjwatson@master.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
riva.lab.dotat.at
X-Spam-Status: No, hits=-4.9 required=4.5 tests=BAYES_00 autolearn=ham
version=2.60
On Wed, Nov 05, 2003 at 09:54:52AM +0000, Colin Watson wrote:
> On Sat, Aug 30, 2003 at 02:08:36PM -0400, Matt Zimmerman wrote:
> > How about it, Bdale?
>
> Bdale, ping? We need to get a fixed w3m-img in order to be able to get a
> new libgc into testing, and we need that in order to upgrade libsigc++,
> etc. It's getting pretty urgent.
>
> (Alternatively: Matt, does this have to be serious, noting that woody's
> w3mimgdisplay is also setuid root, so it's not as if it's a regression? I
> suppose we could have britney ignore it on that basis.)
Right, this is not a regression, and there is not a proven security
vulnerability here, only an excess of privilege. I still believe this
should be dealt with before the sarge release, but it does not seem
necessary for it to block packages from entering testing.
--
- mdz
----- End forwarded message -----
Reply to: