
Re: RC status of rpath issues



On Tue, Nov 28, 2006 at 11:03:35PM +0100, Moritz Muehlenhoff wrote:
> Steve Langasek wrote:
> > > I've seen a couple of RC bugs being filed for rpath issues in various
> > > packages. For stable-security these are only treated as DSA-worthy
> > > if the rpath points to /tmp, but not towards a directory like /build
> > > or a specific home directory, as exploiting these would require social
> > > engineering against root. While they should of course be fixed where
> > > possible I'd recommend against treating them as release critical per
> > > se. (At least not in the sense that they're a reason for removing a
> > > package from testing).

> > In the case of an rpath pointing to a "specific home directory", I disagree
> > that any social engineering is required in order to exploit it.
> > Particularly at larger installations, there's a pretty good chance of some
> > of these usernames colliding with pre-existing user accounts.  Do you think
> > this is enough reason to consider such bugs RC?

> IMO this is a corner-case. Although the real-world implications are probably
> negligible we could as well treat it as RC.

FWIW, this is still my preference, just as it is my preference to treat
"corner-case" data loss bugs as RC: the impact of such bugs on people who
actually run *into* them is not mitigated by knowing that most other people
*didn't* have their root account compromised / their partition trashed /
their thesis chewed up and turned into line noise :)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
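The thread above sorts rpath entries by who could plant a library in them:
a world-writable directory such as /tmp (any local user), a build or home
directory (only someone who can create that exact path), or a normal system
library directory (nobody who does not already own the system). The script
below is an added example written for this page, not code from the thread
or from any Debian tool: it parses the text output of `readelf -d` and
classifies every RPATH/RUNPATH element along those lines. The list of
trusted system prefixes, the world-writable directories, and the sample
readelf output embedded at the bottom are assumptions constructed for the
example.

```python
"""Flag ELF RPATH/RUNPATH entries that an unprivileged local user could control.

Added example: parses the text output of `readelf -d` (the dynamic section)
and classifies each search directory. The prefix lists and the embedded
sample output are constructed assumptions, not data from any real package.
"""
import re
import sys
from typing import List, NamedTuple

# Directories the dynamic loader searches anyway; an rpath pointing into them
# adds no attacker-controlled search location. (Assumed list for this example.)
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Directories every local user can write to: a matching library dropped here is
# loaded without the attacker owning any particular account.
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")

# readelf prints one line per dynamic tag, e.g.
#  0x000000000000000f (RPATH)              Library rpath: [/tmp/x:/usr/lib]
_RPATH_LINE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[([^\]]*)\]")


class Finding(NamedTuple):
    tag: str       # "RPATH" or "RUNPATH"
    path: str      # one element of the colon-separated search list
    severity: str  # "high", "medium" or "ok"
    reason: str


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies below it (so /tmpfoo != /tmp)."""
    return path == prefix or path.startswith(prefix + "/")


def classify(tag: str, path: str) -> Finding:
    """Classify a single rpath element by who could place a library there."""
    # An empty or relative element is resolved against the working directory
    # of whoever runs the binary, which the attacker chooses freely.
    if path == "" or not path.startswith(("/", "$")):
        return Finding(tag, path, "high",
                       "empty/relative element resolves to the working directory")
    # $ORIGIN is resolved relative to the executable's own location, which the
    # package controls; treated as fine here (setuid binaries are a separate topic).
    if path.startswith(("$ORIGIN", "${ORIGIN}")):
        return Finding(tag, path, "ok", "$ORIGIN-relative, resolved against the binary")
    if any(_under(path, d) for d in WORLD_WRITABLE):
        return Finding(tag, path, "high",
                       "world-writable directory: any local user can plant a library")
    if any(_under(path, d) for d in TRUSTED_PREFIXES):
        return Finding(tag, path, "ok", "system library directory")
    # Anything else (/build, /home/<user>, ...) is exploitable only by someone
    # who can create that exact path, e.g. by holding the matching account.
    return Finding(tag, path, "medium",
                   "non-system directory: exploitable by whoever can create it")


def scan(readelf_output: str) -> List[Finding]:
    """Return one Finding per RPATH/RUNPATH element in `readelf -d` output."""
    findings: List[Finding] = []
    for m in _RPATH_LINE.finditer(readelf_output):
        tag, value = m.group(1), m.group(2)
        for element in value.split(":"):
            findings.append(classify(tag, element))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a list of findings to the single worst severity ("ok" if none)."""
    order = {"ok": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.__getitem__, default="ok")


# Constructed sample of `readelf -d` output, not taken from any real binary:
# one RPATH with a /tmp element, a home-directory element, an empty element
# (note the "::") and a system directory.
SAMPLE_READELF_OUTPUT = """
Dynamic section at offset 0x2d78 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libfoo.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/tmp/buildd/lib:/home/buildd/lib::/usr/lib]
 0x000000000000000c (INIT)               0x1000
"""

if __name__ == "__main__":
    # Usage: readelf -d /path/to/binary | python3 rpath_check.py
    # With no piped input the constructed sample above is scanned instead.
    text = SAMPLE_READELF_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for f in scan(text):
        print(f"{f.severity:6} {f.tag:7} {f.path or '(empty)'}  {f.reason}")
```

Feed it `readelf -d` output for a whole package (for example by looping over
every ELF file in the unpacked .deb) and treat a "high" result as the /tmp case
from the thread and a "medium" result as the /build or home-directory case.
The empty-element check matters in practice: a stray "::" in an rpath means
the loader also searches the current working directory, which is at least as
bad as /tmp.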
