Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs

To: Steve Kemp <skx@debian.org>
Cc: Silvio Cesare <silvio.cesare@gmail.com>, debian-security@lists.debian.org
Subject: Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs
From: Kees Cook <kees@debian.org>
Date: Tue, 18 Jan 2011 05:15:14 -0800
Message-id: <[🔎] 20110118131514.GS4979@outflux.net>
In-reply-to: <[🔎] 20110118091546.GA32497@steve.org.uk>
References: <[🔎] AANLkTim_wSs5yn83+AbxLY78CE-TQuJVDWCDiRVTXkdb@mail.gmail.com> <[🔎] 20110118091546.GA32497@steve.org.uk>

Hi,

On Tue, Jan 18, 2011 at 09:15:46AM +0000, Steve Kemp wrote:
> On Tue Jan 18, 2011 at 13:49:23 +1100, Silvio Cesare wrote:
> 
> >    lbreakout2 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608980
> 
>   That could well be a duplicate of CAN-2004-0158, which was fixed 
>  in Woody: 
> 
>     http://lists.debian.org/debian-changes/2004/02/msg00029.html

lbreakout2 drops setgid immediately after opening the highscore file. This
crash isn't a security issue. (I've updated the bug report too.)

-- 
Kees Cook                                            @debian.org

Reply to:

References:
- Results of environment variable fuzzing Debian 5.05 SUID/SGIDs
  - From: Silvio Cesare <silvio.cesare@gmail.com>
- Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs
  - From: Steve Kemp <skx@debian.org>

Prev by Date: Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs
Next by Date: Re: List of SUID/SGID packages and programs in Debian
Previous by thread: Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs
Next by thread: Re: Results of environment variable fuzzing Debian 5.05 SUID/SGIDs
Index(es):
- Date
- Thread