Re: RC status of rpath issues
On Thu, Nov 23, 2006 at 12:29:08AM +0100, Moritz Muehlenhoff wrote:
> I've seen a couple of RC bugs being filed for rpath issues in various
> packages. For stable-security these are only treated as DSA-worthy
> if the rpath points to /tmp, but not towards a directory like /build
> or a specific home directory, as exploiting these would require social
> engineering against root. While they should of course be fixed where
> possible I'd recommend against treating them as release critical per
> se. (At least not in the sense that they're a reason for removing a
> package from testing).
In the case of an rpath pointing to a "specific home directory", I disagree
that any social engineering is required in order to exploit it.
Particularly at larger installations, there's a pretty good chance of some
of these usernames colliding with pre-existing user accounts. Do you think
this is enough reason to consider such bugs RC?
Steve Langasek                          Give me a lever long enough and a Free OS
Debian Developer                        to set it on, and I can move the world.
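A small audit helper, added here as an example and not part of the thread or of any Debian tooling, that reads `readelf -d` output and ranks each DT_RPATH/DT_RUNPATH entry by the concerns raised above: /tmp and relative or empty entries (writable by any local user), a specific user's home directory (no social engineering needed if that account exists), and build trees such as /build. The severity labels and the sample `readelf` output are my own constructions.

```python
"""Rank DT_RPATH / DT_RUNPATH entries from `readelf -d` output by how easily
an unprivileged local user could plant a library at that path."""
import re
import subprocess
from typing import Dict

# Matches the line readelf prints for either tag, e.g.
#  0x000000000000000f (RPATH)   Library rpath: [/tmp/lib:/home/joe/lib]
RPATH_LINE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")


def classify_entry(entry: str) -> str:
    """Severity for one search-path entry (ranking is this example's own):
    'critical': any local user can create the directory (/tmp) or the entry is
                empty/relative and so resolves against the caller's cwd;
    'high':     a specific user's home directory, exploitable by whoever owns
                or can register that username;
    'medium':   a build tree such as /build that root would first have to create;
    'ok':       system library directories or $ORIGIN-relative entries."""
    if entry == "" or not entry.startswith(("/", "$ORIGIN")):
        return "critical"
    if entry == "/tmp" or entry.startswith(("/tmp/", "/var/tmp")):
        return "critical"
    if entry.startswith(("/home/", "/root")):
        return "high"
    if entry.startswith(("/build", "/usr/src", "/mnt", "/media")):
        return "medium"
    return "ok"


def audit_readelf_output(text: str) -> Dict[str, str]:
    """Map every rpath/runpath entry found in `readelf -d` output to a severity."""
    findings: Dict[str, str] = {}
    for match in RPATH_LINE.finditer(text):
        for entry in match.group(2).split(":"):
            findings[entry] = classify_entry(entry)
    return findings


def audit_binary(path: str) -> Dict[str, str]:
    """Run readelf (binutils) on a real ELF file and audit its search path."""
    proc = subprocess.run(["readelf", "-d", path], capture_output=True, text=True, check=False)
    return audit_readelf_output(proc.stdout)


# Constructed sample output; not taken from any real package.
SAMPLE = """Dynamic section at offset 0x2d88 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/tmp/buildd/lib:/home/joey/lib:/build/pkg/lib:/usr/lib]
"""

if __name__ == "__main__":
    for entry, severity in audit_readelf_output(SAMPLE).items():
        print(f"{severity:8} {entry}")
```

Run it over a package's binaries with `audit_binary("/usr/bin/foo")` (needs binutils installed); the `SAMPLE` block exercises the parser offline.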