Hi,

On Fri, Oct 07, 2005, Martin Schulze wrote:
> Could somebody explain the security implication for me?

You can record in the utmp/wtmp logs something which is wrong, for
example that a user is currently connected to a display while he
isn't. I'm not the one to argue with though.

> being able to write arbitrary strings into valid records without
> overwriting any other data in utmp/wtmp can hardly be classified
> as a security vulnerability.

I have no idea, I'll let you judge such things. Since
gnome-pty-helper seemed to have some special permission to write to
utmp (because it is sgid), I took the problem seriously. Whether this
issue is to be considered a security vulnerability or not, I couldn't
tell for sure, and in doubt I selected security, but I agree that it's
a minor issue anyway.

> (Apart from that, I'm only slightly annoyed as I had to learn about
> this via MITRE / GNOME Bugzilla instead of a mail from the maintainer
> to the security team?)

For my defense (as I am the one who followed more or less this bug),
I'd claim that a/ this was reported against a GNOME 1 package (and it
was later discovered that the GNOME 2 package is affected too) which
was in the process of being orphaned, b/ this seemed like a very minor
issue, c/ I thought you were tracking "tags + security" bugs, and d/ I
didn't want to start bothering the security team for an issue not
discussed with upstream and without any patch. Of course, there's also
e/ I don't have any security background or training, but that's
obvious.

My usual way of handling sec bugs is i/ tag the bug security, connect
the relevant CVE ids, upstream bugs, available patches, ii/ talk with
upstream, check the affected versions, check the patch causes no
regression, check the patch applies everywhere, check the patch fixes
the issue, iii/ propose a diff to the security team.

I now realize I should have contacted the security team quite
immediately, and will do so in the future. I have more important
things to track right now than this vulnerability, and I didn't have
any response from upstream yet.

Cheers,

-- 
Loïc Minier <[EMAIL PROTECTED]>