
Bug#390349: Bug#388399: FTBFS problems on alpha, mips[el]: Please help debugging



Steve Langasek <vorlon@debian.org> wrote:

> The old solution was a security problem because the directories were
> world-writable -- /var/mail is not, the directory is only writable by the
> 'mail' group -- which almost certainly makes symlink attacks possible,
> looking at the source of mktexmf, as well as cache poisoning attacks.
>
> The new solution is only better if the cache is written in the home
> directory; if it's written to /tmp/texfonts for any reason, the security is
> just as bad.

It might be a bit better, since filling up /var is less severe than
filling up /tmp (unless both are on the same filesystem...).  The
symlink attacks are in fact completely hypothetical, since the things
you can do in a Metafont, TeX pk or TeX font metric file are very
limited, and the format is strict.

What we have done is to alleviate this potential problem for most
systems and users.  For users without a writable home directory, it's
nearly as bad as it has always been (and still is in sarge).  But since
no one has ever regarded that as a relevant security problem, I don't
see why it should now be one.

Regards, Frank
-- 
Frank Küster
Single Molecule Spectroscopy, Protein Folding @ Inst. f. Biochemie, Univ. Zürich
Debian Developer (teTeX/TeXLive)
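The thread turns on whether a font cache written to a shared, world-writable directory lets another local user plant a symlink where the generated file will be written. The following is an added illustration, not code from this mail or from teTeX's mktexmf: a cache writer that refuses directories it does not own or that others can write to, and creates each file with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted entry fails instead of redirecting the write. The directory and file names are constructed for the demo; it assumes a POSIX system.

```python
import os
import stat
import tempfile

class UnsafeCacheDir(Exception):
    """The cache directory could be controlled by another local user."""

def check_cache_dir(cache_dir: str) -> None:
    """Accept only a real directory we own that nobody else can write into."""
    st = os.lstat(cache_dir)  # lstat: do not follow a symlink planted here
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise UnsafeCacheDir(f"{cache_dir} is not a plain directory")
    if st.st_uid != os.getuid():
        raise UnsafeCacheDir(f"{cache_dir} is owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeCacheDir(f"{cache_dir} is group- or world-writable")

def write_cache_file(cache_dir: str, name: str, data: bytes) -> str:
    """Create a new font file in cache_dir. O_CREAT|O_EXCL fails on any existing
    path, symlink included, so the write cannot land in another user's file."""
    check_cache_dir(cache_dir)
    path = os.path.join(cache_dir, os.path.basename(name))  # strip any ../
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo() -> dict:
    """Constructed scenario: a private dir, a planted symlink, a /tmp-like dir."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        private = os.path.join(tmp, "texfonts")
        os.mkdir(private, 0o700)
        out["written"] = os.path.isfile(write_cache_file(private, "cmr10.600pk", b"pk"))
        # A symlink planted under the expected file name, pointing at some other file
        os.symlink(os.path.join(tmp, "victim"), os.path.join(private, "cmr12.600pk"))
        try:
            write_cache_file(private, "cmr12.600pk", b"overwrite")
            out["symlink_blocked"] = False
        except FileExistsError:
            out["symlink_blocked"] = True
        shared = os.path.join(tmp, "texfonts-shared")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)  # sticky and world-writable, like /tmp
        try:
            write_cache_file(shared, "cmr10.600pk", b"pk")
            out["shared_rejected"] = False
        except UnsafeCacheDir:
            out["shared_rejected"] = True
    return out
```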


