
Re: RC status of rpath issues



Steve Langasek wrote:
> > I've seen a couple of RC bugs being filed for rpath issues in various
> > packages. For stable-security these are only treated as DSA-worthy
> > if the rpath points to /tmp, but not towards a directory like /build
> > or a specific home directory, as exploiting these would require social
> > engineering against root. While they should of course be fixed where
> > possible I'd recommend against treating them as release critical per
> > se. (At least not in the sense that they're a reason for removing a
> > package from testing).
> 
> In the case of an rpath pointing to a "specific home directory", I disagree
> that any social engineering is required in order to exploit it.
> Particularly at larger installations, there's a pretty good chance of some
> of these usernames colliding with pre-existing user accounts.  Do you think
> this is enough reason to consider such bugs RC?

IMO this is a corner-case. Although the real-world implications are probably
negligible we could as well treat it as RC.

Cheers,
        Moritz
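As an added example (not Debian, lintian or security-team tooling), the check below lists the DT_RPATH/DT_RUNPATH entries of an ELF file and ranks each colon-separated component by the reasoning in this thread: /tmp is the serious, DSA-worthy case, a specific home directory is exploitable by whoever holds that username, and a build directory such as /build needs root's cooperation. It goes slightly beyond the thread in two places, which are the example's own assumptions: /var/tmp is treated like /tmp because it is also world-writable, and an empty or relative component is ranked high because ld.so resolves it against the current directory. The sample ELF image it builds for testing is constructed input, not a loadable program.

```python
"""Added example, not Debian or lintian code: list the DT_RPATH/DT_RUNPATH entries of an
ELF file and rank each component by the reasoning in the thread above. The severity
labels, the /var/tmp rule and the empty/relative-component rule are this example's own."""
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29


def elf_rpaths_bytes(data):
    """Return [(tag_name, rpath)] for every DT_RPATH/DT_RUNPATH entry in an ELF image;
    [] for non-ELF input or an image without a PT_DYNAMIC segment."""
    if data[:4] != b"\x7fELF":
        return []
    e = "<" if data[5] == 1 else ">"                        # EI_DATA: 1 = little endian
    if data[4] == 2:                                         # EI_CLASS: 2 = ELF64
        hdr = struct.unpack_from(e + "HHIQQQIHHHHHH", data, 16)
        ph_fmt, dyn_fmt = e + "IIQQQQQQ", e + "qQ"
        fields = lambda t: (t[0], t[2], t[3], t[5])          # p_type, p_offset, p_vaddr, p_filesz
    else:                                                    # ELF32
        hdr = struct.unpack_from(e + "HHIIIIIHHHHHH", data, 16)
        ph_fmt, dyn_fmt = e + "IIIIIIII", e + "iI"
        fields = lambda t: (t[0], t[1], t[2], t[4])
    phoff, phentsize, phnum = hdr[4], hdr[8], hdr[9]
    loads, dynamic = [], None
    for i in range(phnum):
        p_type, p_off, p_vaddr, p_filesz = fields(struct.unpack_from(ph_fmt, data, phoff + i * phentsize))
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        return []
    entries = []
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], struct.calcsize(dyn_fmt)):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab = dict(entries).get(DT_STRTAB)
    if strtab is None:
        return []
    # DT_STRTAB is a virtual address; translate it to a file offset through the PT_LOAD that covers it.
    str_off = next((off + strtab - vaddr for vaddr, off, size in loads if vaddr <= strtab < vaddr + size), None)
    if str_off is None:
        raise ValueError("DT_STRTAB lies outside every PT_LOAD segment")
    names = {DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}
    return [(names[tag], data[str_off + val:data.index(b"\0", str_off + val)].decode("latin-1"))
            for tag, val in entries if tag in names]


def classify(component, home_root="/home"):
    """Rank one rpath component: (severity, reason), severity in ok < low < medium < high."""
    if component == "" or not component.startswith(("/", "$ORIGIN", "${ORIGIN}")):
        return "high", "empty or relative component: ld.so resolves it against the current directory"
    if component == "/tmp" or component.startswith(("/tmp/", "/var/tmp")):
        return "high", "world-writable directory: any local user can plant a library (DSA-worthy)"
    if component.startswith(home_root + "/"):
        return "medium", "specific home directory: exploitable by whoever owns that username"
    if component.startswith(("$ORIGIN", "${ORIGIN}", "/lib", "/usr/lib", "/usr/local/lib")):
        return "ok", "system directory or relative to the binary itself"
    return "low", "non-system directory such as a build tree: root would have to create it"


def scan_bytes(data):
    """Return [(tag_name, component, severity, reason)] for every component of every rpath."""
    return [(tag, comp) + classify(comp) for tag, rpath in elf_rpaths_bytes(data) for comp in rpath.split(":")]


def scan(path):
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def build_sample_elf(rpath, tag=DT_RUNPATH):
    """Constructed test input: a minimal ELF64 LE image with one PT_LOAD and one PT_DYNAMIC
    (not a runnable program), carrying the given rpath string."""
    base, str_off = 0x400000, 64 + 2 * 56                   # string table right after the program headers
    strtab = b"\0" + rpath.encode() + b"\0"
    dyn_off = (str_off + len(strtab) + 15) & ~15
    dynamic = struct.pack("<qQqQqQ", DT_STRTAB, base + str_off, tag, 1, DT_NULL, 0)
    total = dyn_off + len(dynamic)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, base, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, len(dynamic), len(dynamic), 8)
    body = ehdr + load + dyn + strtab
    return body + b"\0" * (dyn_off - len(body)) + dynamic


if __name__ == "__main__":
    for path in sys.argv[1:]:
        for tag, comp, sev, why in scan(path):
            print(f"{path}: {tag} {comp!r}: {sev} ({why})")
```

Run it as `python3 rpathcheck.py /usr/lib/*/somepackage/*.so` to get one line per rpath component; only the "high" and "medium" findings map to the cases discussed above (DSA-worthy and username collision respectively), while "low" covers the /build-style paths that the thread says should be fixed but are not exploitable without root's help.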


