[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: List of bugs that *must* be fixed before releasing Slink



Previously Brian White wrote:
> You know, I don't see this as "grave".  It means that a user can
> effectively "export to the world" any file readable by www-data.  In
> general, this means only things that can be read by public.  So,
> the user can't intentionally export anything that he/she couldn't already
> do by other means.

But there is a big difference between the local public that you might
trust and the big evil world outside your system.. I see two solutions
two this: enforce SymLinksIfOwnerMatch or don't allow userdirs.

> The problem comes with unintentional exports...  Well, it's a bug.  I
> don't see it as being a security hole.

You only hide information but don't disable any security issues, so it
is indeed not a real security hole in the canonical sense of the term.

> > It's important but I wouldn't call this one release-critical.
> 
> I looked at that one time, but I wasn't sure.  Is it possible that during
> an upgrade to "stable" we get dpkg and dpkglib to be out-of-step?

I don't think so; when dpkg upgrades itself and replaces the library it
still has the old library opened via a mmap() which means it won't
suddenly start using another incompatible library. This becomes a real
issue only when the library is split into its own package and the two
are upgraded independantly.

> Done.  Excludes list is now:
> 	1797,20401,25405,25537,27381,27604,27738,27641,30087,
> 	30184,31717,31806,32092,32364

I have a couple less, but then again I removed contrib and non-free from
the list when the deep-freeze started.

> > Everyone who has a package with a setuid program or something that runs
> > as root should check if it uses gettext, and if so recompile it with
> > the latest gettext installed. Please not that this is not necessary for
> > programs that use the gettext from libc6.
> 
> That needs to be re-filed against all those packages, then.

Yes, but the problem is getting a list of all those packages..

Wichert.

-- 
==============================================================================
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wakkerma@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/

Attachment: pgp5xxPdmk9O1.pgp
Description: PGP signature


Reply to: