
Bug#57746: marked as done (Security: Directories are kept a+w)



Your message dated Sun, 11 Jan 2004 20:38:11 +0100
with message-id <20040111193811.GA8128@preusse-16223.user.cis.dfn.de>
and subject line Bug#57746: Your Debian/tetex-Bug report: Security: Directories are kept a+w
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Thu, 10 Feb 2000 12:57:02 -0500 (EST)
From: Scott A Crosby <crosby@qwes.math.cmu.edu>
To: submit@bugs.debian.org
Subject: Security: Directories are kept a+w
Message-ID: <Pine.LNX.4.10.10002101249520.140-100000@qwe4.math.cmu.edu>

Package: tetex-base
Version: 1.0-7


This package installs several of its directories a+w, which is a security
issue:

drwxrwxrwt    4 root     root         1024 Jan 27 13:13 /var/spool/texmf/pk
drwxrwxrwt    6 root     root         1024 Jan 27 05:55 /var/spool/texmf/pk/ljfour
drwxrwxrwt    4 crosby   crosby       1024 Jan 27 05:56 /var/spool/texmf/pk/ljfour/ams
drwxrwxrwt    2 crosby   crosby       1024 Jan 27 05:56 /var/spool/texmf/pk/ljfour/ams/euler
drwxrwxrwt    2 crosby   crosby       1024 Jan 27 05:57 /var/spool/texmf/pk/ljfour/ams/symbols



Perhaps it should be made set-gid and the files only writable to that
group? And a script to clean up the ownership and directory permissions.
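
The set-gid scheme suggested in the report above, sketched as an added shell example; it is not part of the original bug report or of the tetex packaging. The function names and the group passed to `harden_tree` are assumptions, and the group must already exist.

```shell
#!/bin/sh
# Audit and repair a font cache tree whose directories were left a+w.

# List every world-writable directory below $1, sticky bit or not.
list_world_writable() {
    find "$1" -type d -perm -0002 -print
}

# Count them, for a before/after comparison.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Switch the tree to the proposed scheme: directories set-gid and
# writable by one group only, files no longer writable by "other".
# $1 = tree root, $2 = group name (assumed to exist already).
harden_tree() {
    root=$1
    group=$2
    # find does not follow symbolic links, and -type d / -type f do not
    # match them, so links found in the tree are left untouched.
    find "$root" \( -type d -o -type f \) -exec chgrp "$group" {} + || return 1
    # 2775 = rwxrwsr-x: new files inherit the directory's group.
    find "$root" -type d -exec chmod 2775 {} + || return 1
    find "$root" -type f -exec chmod g+w,o-w {} + || return 1
}

# Stand-alone use: sh fix-fontcache.sh <tree> <group>
if [ "$#" -eq 2 ]; then
    echo "world-writable directories before: $(count_world_writable "$1")"
    list_world_writable "$1"
    harden_tree "$1" "$2" || exit 1
    echo "world-writable directories after:  $(count_world_writable "$1")"
fi
```

Only members of the chosen group can then create or replace cached fonts, so users who run the font generation need to be in that group.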

---------------------------------------
Date: Sun, 11 Jan 2004 20:38:11 +0100
From: Hilmar Preusse <hille42@web.de>
To: 57746-done@bugs.debian.org
Subject: Re: Bug#57746: Your Debian/tetex-Bug report: Security: Directories are kept a+w
Message-ID: <20040111193811.GA8128@preusse-16223.user.cis.dfn.de>

On 21.07.03 Frank Küster (frank@kuesterei.ch) wrote:

Hi all,

> 3 years ago you reported a bug in tetex to the Debian bug report
> system. You criticized:
> 
> > This package installs several of its directories a+w, which is a security
> > issue:
> >
> > drwxrwxrwt    4 root     root         1024 Jan 27 13:13 /var/spool/texmf/pk
> > drwxrwxrwt    6 root     root         1024 Jan 27 05:55 /var/spool/texmf/pk/ljfour
> > drwxrwxrwt    4 crosby   crosby       1024 Jan 27 05:56
> > [...]
> 
> Since then, the bug has not really been addressed. The directories have
> been moved, but now /var/cache/fonts are a+w. However, it is not clear
> to me which security risks you see in this case. I am not familiar
> enough with TeX's font handling to know whether malformed files there
> could lead to a buffer overflow or the like?
> 
> I would be glad if you could elaborate a little on that. Note that I am
> not the maintainer of tetex and also not subscribed to get all
> tetex-related mails, so please keep me in the Cc, as well as Hilmar.
> 
No reaction from the submitter for half a year, closing. I personally
think that the whole story is not that important.

H. 
-- 
sigmentation fault


