
IMPORTANT: New root floppy uploaded with security fix



I have uploaded a new root floppy to the master site that fixes the
bad-permissions problem. It's in
/debian/unstable/disks-i386/root_floppy.gz . It's dated April 30. It's
available via ftp.i-connect.net, and should be on ftp.debian.org as
soon as the mirror on that system runs.

The problem was on the _root_ floppy, not the base floppies. I have a
"tiny" tool suite on that disk that allows you to have 30 common Unix
utilities and the installation system on a 522k compressed floppy
image. The tar program in that suite was broken such that files and
directories that had symbolic links pointing at them would get the
permissions of the links, which were always "rwxrwxrwx". This problem
existed from April 19 until today, when it was pointed out by beta
tester David Couture of U. of Alberta. Thanks, David!

When this floppy extracts, there will be 4 files with wide-open
permissions in /usr/doc/copyright. These are the files "GPL", "BSD",
"Artistic", and "LGPL". These are not a security problem and will be
fixed with the next upload of the base package and floppies.

I had this security problem repaired and a new root floppy uploaded
within 3 hours of notification.

What would I do differently next time:

1. Look a little harder.

2. Have my PGP key distributed so that I could PGP-sign notices about
system security problems.

	Thanks

	Bruce
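As an added illustration (not Bruce's tiny tar, nor any Debian code), the following Python script reconstructs the class of defect described above and shows both the fix and an after-the-fact audit. It assumes the mechanism was that the extractor applied the archived mode of a symlink entry (always rwxrwxrwx, as the mail says) with a plain chmod() on the link path, and chmod() follows symlinks, so the target file received 0777. The sample tree, file names and the hypothetical restore_mode_* helpers are constructed for this example.

```python
import os
import stat
import tempfile

# Mode the mail says was recorded for every symbolic link in the archive.
ARCHIVED_LINK_MODE = 0o777


def build_sample_tree(root):
    """Constructed sample: a 0644 file and a symlink that points at it."""
    target = os.path.join(root, "target.txt")
    with open(target, "w") as f:
        f.write("constructed sample content\n")
    os.chmod(target, 0o644)
    link = os.path.join(root, "link")
    os.symlink("target.txt", link)
    return target, link


def restore_mode_buggy(path, mode):
    """Hypothetical buggy extractor step: chmod() follows the link, so the
    link's archived 0777 lands on the file the link points at."""
    os.chmod(path, mode)


def restore_mode_fixed(path, mode):
    """Corrected step: inspect the path with lstat() (which does not follow
    links) and never chmod through a symlink. Returns True if a mode was set."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False  # a symlink's own mode carries no meaning on Linux; skip it
    os.chmod(path, mode)
    return True


def find_world_writable(root):
    """Audit an extracted tree: list files and directories (not links) that
    are writable by 'other'. Uses lstat() so links are not followed."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(p, root))
    return sorted(found)


def demo(use_fixed):
    """Extract the link entry with either step and report the target's final
    mode plus whatever the audit flags. Returns (target_mode, flagged_paths)."""
    with tempfile.TemporaryDirectory() as root:
        target, link = build_sample_tree(root)
        if use_fixed:
            restore_mode_fixed(link, ARCHIVED_LINK_MODE)
        else:
            restore_mode_buggy(link, ARCHIVED_LINK_MODE)
        return stat.S_IMODE(os.stat(target).st_mode), find_world_writable(root)


if __name__ == "__main__":
    print("buggy:", demo(False))   # target ends up 0o777 and is flagged
    print("fixed:", demo(True))    # target stays 0o644, nothing flagged
```

The audit function is the part worth keeping around: running it over a freshly unpacked base system is a quick way to catch the symptom described in the mail regardless of which extractor produced the tree.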

