solsTiCe d'Hiver pisze: > hi. > are you sure it's not pacman 3.0.5-1 ? > because there is a pb with symlink and 777 permission with it. > see http://www.archlinux.org/news/334/ > > that was a huge security hole. > even after you upgrade to pacman 3.0.5-2 (which fixes the hole) > you got files with 777 permissions all other the place. > > find them with (for example) > find /usr/ /bin /sbin /opt -perm 777 ! -type l
I did that and..: /usr/lib/libarchive.so.2.2.3 /usr/lib/libalpm.so.1.0.0 # pacman -Qo /usr/lib/libarchive.so.2.2.3 /usr/lib/libarchive.so.2.2.3 jest własnością libarchive 2.2.3-2 # pacman -Qo /usr/lib/libalpm.so.1.0.0 /usr/lib/libalpm.so.1.0.0 jest własnością pacman 3.0.5-2 > one of your choice is to reinstall all package since you upgrade to 3.0.5-1 > (the buggy one) and I reinstalled them... and it's all ok now... But... I think if someone had pacman 3.0.5-1 with 'the bug' an updated to pacman 3.0.5-2 he will have always 777 permissions for file /usr/lib/libalpm.so.1.0.0, until next pacman upgrade ( till next upgrade is done with pacman without 'the bug') So now... although someone upgraded pacman to 3.0.5-2, there's still security hole in the system! Am I right? Mayby there should be pacman 3.0.5-3 release with just changed pkgrel, so the file would be 'repaired', if it's so huge security risk? -- Mac!eKs _______________________________________________ arch mailing list [email protected] http://archlinux.org/mailman/listinfo/arch
