[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Proposed patch to aptitude in stable to fix a low-impact security bug

On Sun, 2011-04-03 at 07:44 -0700, Daniel Burrows wrote: 
> The version of aptitude in stable contains a security bug that could
> theoretically allow a symlink attack in /tmp.  However, it can only be
> exploited in a very narrow set of circumstances: the user must have no
> home directory, and they must invoke the "hierarchy editor" (an old and
> mostly undocumented corner of the curses interface).  For this reason,
> the security team recommended that I ask -release to put the patch into
> a point update, rather than releasing it via the security route.
>   I've attached the patch that I'll add to the debian/patches in the
> package in stable.
>   Please let me know what the next step I need to do is.  Also, do you
> think it makes sense to patch the package in oldstable?

Thanks.  That does seem a rather narrow attack vector. :-)
Nevertheless, assuming the patch has been tested in a squeeze
environment and there aren't any other changes involved, please feel
free to upload 0.6.3-3.2+squeeze1 to stable adding that patch.

If the same patch also applies to oldstable and has been tested there,
then uploading an updated package for lenny would also be okay.



Reply to: