
Re: RC status of rpath issues

Hi Moritz,

On Thu, Nov 23, 2006 at 12:29:08AM +0100, Moritz Muehlenhoff wrote:
> I've seen a couple of RC bugs being filed for rpath issues in various
> packages. For stable-security these are only treated as DSA-worthy
> if the rpath points to /tmp, but not towards a directory like /build
> or a specific home directory, as exploiting these would require social
> engineering against root. While they should of course be fixed where
> possible I'd recommend against treating them as release critical per
> se. (At least not in the sense they're a reason for removing a
> package from testing).

In the case of an rpath pointing to a "specific home directory", I disagree
that any social engineering is required in order to exploit it.
Particularly at larger installations, there's a pretty good chance of some
of these usernames colliding with pre-existing user accounts.  Do you think
this is enough reason to consider such bugs RC?

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
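An added example, not part of the thread above, that triages rpath entries the way the two posts distinguish them: it parses the DT_RPATH/DT_RUNPATH line from `readelf -d` output and sorts each search-path element into world-writable (the DSA-worthy case), home directory (checked against a supplied set of existing login names, the collision Steve points at), other build directory, system, or relative. The sample readelf output, the paths and the username are constructed.

```python
#!/usr/bin/env python3
"""Triage rpath/runpath entries reported by `readelf -d` by who could plant a
shared object there: world-writable dir, (existing) home dir, build dir, ..."""
from __future__ import annotations
import re

# Matches the line readelf -d prints for DT_RPATH ("Library rpath") and
# DT_RUNPATH ("Library runpath"), e.g.
#  0x000000000000000f (RPATH)   Library rpath: [/tmp/lib:/usr/lib]
_RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")
_WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")
_SYSTEM = ("/lib", "/usr/lib", "/usr/local/lib", "/usr/X11R6/lib")

def _under(entry: str, prefixes: tuple[str, ...]) -> bool:
    return any(entry == p or entry.startswith(p + "/") for p in prefixes)

def parse_readelf(output: str) -> list[str]:
    """Return every colon-separated search-path element found in the output."""
    entries: list[str] = []
    for line in output.splitlines():
        m = _RPATH_RE.search(line)
        if m:
            entries.extend(m.group(2).split(":"))
    return entries

def classify(entry: str, existing_users: set[str]) -> str:
    """Categorise one search-path element; an empty element means the CWD."""
    if entry == "" or entry.startswith("$ORIGIN") or not entry.startswith("/"):
        return "relative"            # resolved against CWD or the binary's dir
    if _under(entry, _WORLD_WRITABLE):
        return "world-writable"      # any local user can write here: DSA-worthy
    if _under(entry, _SYSTEM):
        return "system"              # root-owned, as intended
    m = re.match(r"/home/([^/]+)", entry)
    if m:                            # only a risk if that login name exists here
        return "home-dir:existing-user" if m.group(1) in existing_users else "home-dir"
    return "build-dir"               # e.g. /build: needs root to create (social engineering)

def triage(output: str, existing_users: set[str]) -> dict[str, str]:
    return {e: classify(e, existing_users) for e in parse_readelf(output)}

# Constructed sample of `readelf -d` output; paths and user name are made up.
SAMPLE = """Dynamic section at offset 0x1d8 contains 24 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/tmp/buildd/lib:/home/packager/lib:/build/lib:/usr/lib:$ORIGIN/../lib]
 0x000000000000000c (INIT)               0x1000
"""

if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE, existing_users={"packager"}).items():
        print(f"{verdict:24s} {entry}")
```

On a real system feed it `readelf -d /path/to/binary` and the output of `getent passwd` (first field) as the user set.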
