Le mercredi 27 décembre 2006 à 23:55 +0100, Stefan Fritsch a écrit : > Package: gconf2 > Version: 2.16.0-3 > Severity: important > Tags: security > > A vulnerability has been reported in gconfd: > > The GConf daemon (gconfd) in GConf 2.14.0 creates temporary files > under directories with names based on the username, even when > GCONF_GLOBAL_LOCKS is not set, which allows local users to cause a > denial of service by creating the directories ahead of time, which > prevents other users from using Gnome. > > See > > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219279 > http://bugzilla.gnome.org/show_bug.cgi?id=167030 > > for details. Please mention the CVE id in the changelog. This is a known problem that upstream doesn't find serious enough to fix it. The solution is to turn on global locking by default - currently it is enabled with the GCONF_LOCAL_LOCKS environment variable. However, it can break when /home is on NFS with some kind servers. I intended to make this change post-etch so that we had time to see how it breaks. If the release managers want to, I can upload this change to unstable. I can also provide a backport for etch if the security team wants to issue an advisory, but be warned that this change is not harmless - although an environment variable will enable local locking if an user wants to revert to the current behavior. -- .''`. : :' : We are debian.org. Lower your prices, surrender your code. `. `' We will add your hardware and software distinctiveness to `- our own. Resistance is futile.
Attachment:
signature.asc
Description: Ceci est une partie de message =?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=