begin quotation from Nicolas François (in
<20111017211732.gj16...@nekral.nekral.homelinux.net>):
> On Sun, Oct 16, 2011 at 05:20:31PM +0200, bubu...@debian.org wrote:
> > Quoting Arne Wichmann (a...@anhrefn.saar.de):
> > > This critical bug has now been pending for more than 3 months. Is there any
> > > update on the situation?
> > 
> > Nicolas should actually release upstream 4.1.5 and then upload
> > 4.1.5-1. Nicolas?
> 
> Yes, this is the plan.
> There are still some untested changes, and I still have a few uncommitted
> changes on my tree.
> 
> Regarding this bug
>  * Arne, I do not know if your ping was related to the potential security
>    impact, but it could help to have an assessment of the proposed solution
>    (and also comment 46)

Ok, let me think...

- @@ -264,6 +264,11 @@
  This has the effect that "su -c ... " can no longer be used to call
  programs which use terminals - for example dialog. This should at least
  be prominently documented.

The rest looks like it could work. But I would not call myself a specialist
on Unix tty-handling.

The last sentence applies to comment 46, too.

>  * It did not seem that critical to me (e.g. in the pointed
>    comp.security.oss.general thread, there was no agreement for a CVE)

I do not really want to argue about bug severity here - this assessment is
better left to you. I did however use su in the past in non-interactive
scripts to lower privileges - if this isn't supported it should at least be
documented, again... ;-)

cu

AW
-- 
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. No one can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (a...@linux.de)
