Alexandre Rebert wrote:
> We found a crash in dpkg-preconfigure contained in the cdebconf package. You
> are being contacted because you are listed as one of the maintainers of cdebconf.
>
> We are planning to submit the bug to the Debian bug tracking system in two
> weeks. We wanted to give you a heads-up, so that you have some time to assess the
> seriousness of the bug before it is publicly disclosed.
Well, this is a public mailing list. :)

However, this is not an exploitable security hole. It relies on running dpkg-preconfigure with an empty (or mostly empty) environment. dpkg-preconfigure is only run by root on trusted packages.

Here's a more minimal version:

    env -i /usr/lib/cdebconf/dpkg-preconfigure 1

I don't have time to investigate the code, but it's probably expecting something in environ that's cleared.

-- 
see shy jo
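The failure class Joey is pointing at (code that assumes an environment variable is always present, which an `env -i` run falsifies) beside the defensive lookup, as an added C example that is not part of this thread or of cdebconf. The page does not say which variable cdebconf misses; `DEBIAN_FRONTEND` and the `"text"` fallback are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption for illustration: the thread does not name the variable the
 * crash involves; DEBIAN_FRONTEND is just a plausible stand-in. */
#define FRONTEND_VAR "DEBIAN_FRONTEND"

/* Crash-prone pattern: assumes the variable is always set.
 * Under `env -i` getenv() returns NULL and strlen() dereferences it. */
size_t frontend_len_unsafe(void)
{
    return strlen(getenv(FRONTEND_VAR));
}

/* Hardened lookup: an unset or empty variable yields the caller's default
 * instead of a NULL pointer that later code will dereference. */
const char *env_or_default(const char *name, const char *dflt)
{
    const char *v = getenv(name);
    if (v == NULL || *v == '\0')
        return dflt;
    return v;
}

/* The fallback value "text" is arbitrary, not cdebconf's real default. */
const char *frontend_name(void)
{
    return env_or_default(FRONTEND_VAR, "text");
}

int main(void)
{
    /* Safe to run with a full environment or under `env -i`. */
    printf("frontend: %s\n", frontend_name());
    return 0;
}
```

Running the binary under `env -i` exercises exactly the empty-environment case from the thread: `frontend_name()` falls back cleanly, while `frontend_len_unsafe()` would segfault.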