Re: Proposed patch to aptitude in stable to fix a low-impact security bug
On Sun, 2011-04-03 at 07:44 -0700, Daniel Burrows wrote:
> The version of aptitude in stable contains a security bug that could
> theoretically allow a symlink attack in /tmp. However, it can only be
> exploited in a very narrow set of circumstances: the user must have no
> home directory, and they must invoke the "hierarchy editor" (an old and
> mostly undocumented corner of the curses interface). For this reason,
> the security team recommended that I ask -release to put the patch into
> a point update, rather than releasing it via the security route.
> I've attached the patch that I'll add to the debian/patches in the
> package in stable.
> Please let me know what the next step I need to do is. Also, do you
> think it makes sense to patch the package in oldstable?
Thanks. That does seem a rather narrow attack vector. :-)
Nevertheless, assuming the patch has been tested in a squeeze
environment and there aren't any other changes involved, please feel
free to upload 0.6.3-3.2+squeeze1 to stable adding that patch.
If the same patch also applies to oldstable and has been tested there,
then uploading an updated package for lenny would also be okay.
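The bug class discussed above (a program that falls back to a guessable file name under /tmp and opens it in a way that follows a pre-planted symlink) is easiest to reason about next to the mitigation. The following is an added illustration written for this page, not aptitude's code or its patch, which is not reproduced here; the function names, the `.scratch-XXXXXX` template and the sandbox layout are all assumptions chosen for the example. It shows the two habits that close the hole: create scratch files atomically under an unpredictable name with `mkstemp()`, and when a fixed name is unavoidable, open it with `O_CREAT|O_EXCL|O_NOFOLLOW` so an existing entry (a symlink included) makes the open fail instead of redirecting the write.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for writing only if this call creates it. O_EXCL makes
 * open() fail with EEXIST when any entry (a planted symlink included)
 * already sits at `path`; O_NOFOLLOW additionally refuses to traverse a
 * symlink at the final component. A fixed name opened with plain
 * O_CREAT|O_TRUNC would instead follow the link and write to its target. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Pick a per-user scratch location: $HOME when it is a usable directory,
 * otherwise $TMPDIR or /tmp. In both cases the file is created atomically
 * under an unpredictable name by mkstemp() with mode 0600, so the
 * "no home directory" fallback is no weaker than the normal path.
 * Writes the final path to `out`; returns the open fd or -1. */
int open_private_scratch(char *out, size_t out_len)
{
    const char *dir = getenv("HOME");
    struct stat st;
    if (!dir || !*dir || stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) {
        dir = getenv("TMPDIR");
        if (!dir || !*dir) dir = "/tmp";
    }
    int n = snprintf(out, out_len, "%s/.scratch-XXXXXX", dir);
    if (n < 0 || (size_t)n >= out_len) return -1;
    return mkstemp(out);
}

/* Self-check: the scratch file is a regular file, mode 0600, owned by us.
 * Returns 1 on success, 0 otherwise; removes the file afterwards. */
int scratch_file_is_private(void)
{
    char path[PATH_MAX];
    struct stat st;
    int fd = open_private_scratch(path, sizeof path);
    if (fd < 0) return 0;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
             && (st.st_mode & 0777) == 0600 && st.st_uid == getuid();
    close(fd);
    unlink(path);
    return ok;
}

/* Self-check in a private sandbox directory (constructed here): a symlink
 * "state" already points at a regular file "victim". Returns 1 if
 * open_exclusive() refuses the planted name with EEXIST and "victim" keeps
 * its original content, 0 otherwise. The sandbox is removed on return. */
int planted_symlink_is_refused(void)
{
    const char *tmp = getenv("TMPDIR");
    if (!tmp || !*tmp) tmp = "/tmp";
    char dir[PATH_MAX], victim[PATH_MAX], lnk[PATH_MAX];
    snprintf(dir, sizeof dir, "%s/symlink-demo-XXXXXX", tmp);
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/state", dir);

    int result = 0;
    int vfd = open_exclusive(victim);          /* fresh sandbox: succeeds */
    if (vfd >= 0) {
        int wrote = write(vfd, "original\n", 9) == 9;
        close(vfd);
        if (wrote && symlink(victim, lnk) == 0) {
            int fd = open_exclusive(lnk);      /* entry exists: must fail */
            int refused = (fd < 0 && errno == EEXIST);
            if (fd >= 0) close(fd);
            char buf[16] = {0};
            int rfd = open(victim, O_RDONLY);
            ssize_t got = rfd >= 0 ? read(rfd, buf, sizeof buf - 1) : -1;
            if (rfd >= 0) close(rfd);
            result = refused && got == 9 && strcmp(buf, "original\n") == 0;
        }
    }
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("scratch file private:    %s\n", scratch_file_is_private() ? "yes" : "no");
    printf("planted symlink refused: %s\n", planted_symlink_is_refused() ? "yes" : "no");
    return 0;
}
```

The point of `open_private_scratch()` is that the fallback branch should never change the creation primitive: whether the file lands in `$HOME` or in `/tmp`, it is always `mkstemp()` (or an `O_EXCL|O_NOFOLLOW` open), so a reviewer checking a "user has no home directory" code path has nothing extra to verify.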