-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I've applied this patch to the upcoming release subversion repository
already.

Micah

Ola Lundqvist wrote:
> Hi
> 
> I have read through the patch and what I can determine is that
> you make sure to print an error if the user id is not a number
> and change root to 0.
> 
> Thanks for pointing me at this. I assume that this will be
> applied by upstream soon enough so that we can incorporate it
> when they release next version. Or do you think it is important
> enough to patch to the current version?
> 
> Regards,
> 
> // Ola
> 
> 
> On Sun, Apr 02, 2006 at 12:40:25PM +0200, David Schmitt wrote:
>> Package: util-vserver
>> Version: 0.30.209-2
>> Severity: important
>> Tags: security patch upstream
>>
>> This is upstream bug #15996: suexec from root with an invalid
>> ID runs as root.
>>
>> https://savannah.nongnu.org/bugs/?func=detailitem&item_id=15996
>>
>> [EMAIL PROTECTED]:~$ sudo vserver buildd suexec david id
>> uid=0(root) gid=0(root) groups=0(root)
>> [EMAIL PROTECTED]:~$ sudo vserver buildd suexec 1000 id
>> uid=1000(david) gid=0(root) groups=0(root)
>> [EMAIL PROTECTED]:~$ 
>>
>> There is also a patch already available at 
>> https://savannah.nongnu.org/patch/?func=detailitem&item_id=4966
>>
>> Regards, David
>>
>> -- System Information:
>> Debian Release: testing/unstable
>>   APT prefers unstable
>>   APT policy: (500, 'unstable')
>> Architecture: i386 (i686)
>> Shell:  /bin/sh linked to /bin/bash
>> Kernel: Linux 2.6.16-1-vserver-686
>> Locale: LANG=C, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
>>
>> Versions of packages util-vserver depends on:
>> ii  iproute                       20051007-4 Professional tools to control the
>> ii  libbeecrypt6                  4.1.2-4    open source C library of cryptogra
>> ii  libc6                         2.3.6-4    GNU C Library: Shared libraries an
>> ii  net-tools                     1.60-17    The NET-3 networking toolkit
>>
>> Versions of packages util-vserver recommends:
>> ii  binutils          2.16.1cvs20060117-1uc1 The GNU assembler, linker and bina
>> ii  make              3.80+3.81.rc2-1        The GNU version of the "make" util
>>
>> -- no debconf information
>>
>>
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEMCZV9n4qXRzy1ioRAgBhAJ46ET5wQI6ZX5s0YMxNrCTgV0p7rwCfU3Mf
HSM8/HQCblw8PhH4dDSjpXY=
=UHDI
-----END PGP SIGNATURE-----
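
The failure class behind the quoted report (a non-numeric uid argument such as "david" silently becoming uid 0, i.e. root) is the classic lenient numeric parse. The upstream patch itself is not reproduced on this page, so the following is an added illustration of the bug and of a strict parse that rejects anything but a complete, non-negative decimal id; it is hypothetical code written for this thread, not util-vserver's own suexec implementation, and the function names are my own. The inputs in main() are constructed: the two from the report plus edge cases strtoul() would otherwise wave through.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* The bug pattern: a lenient numeric parse. atoi("david") is 0, and uid 0
 * is root, so a symbolic or mistyped id becomes a request to run as root
 * with no error reported. Hypothetical code, not util-vserver's own. */
uid_t parse_uid_lenient(const char *s)
{
    return (uid_t)atoi(s);
}

/* Strict replacement: accept only a complete, non-negative decimal string
 * that fits in uid_t. Returns 0 and stores the id in *out on success, -1 on
 * any other input (NULL, empty, sign, leading whitespace, trailing junk,
 * out of range). Hypothetical code, not util-vserver's own. */
int parse_uid_strict(const char *s, uid_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s == '\0')
        return -1;
    /* strtoul() skips leading whitespace and accepts a sign; refuse both,
     * otherwise "-1" would wrap to a huge value and " 7" would pass. */
    if (isspace((unsigned char)*s) || *s == '-' || *s == '+')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    /* uid_t is unsigned, so (uid_t)-1 is the largest id it can hold. */
    if (v > (unsigned long)(uid_t)-1)
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Convenience wrapper: the id the strict parser would switch to, or -1 if
 * the argument is rejected (an explicit "0" is still a legitimate root). */
long strict_uid_or_minus1(const char *s)
{
    uid_t u;

    if (parse_uid_strict(s, &u) != 0)
        return -1;
    return (long)u;
}

int main(void)
{
    /* Constructed inputs: the two from the report plus edge cases. */
    const char *inputs[] = { "david", "1000", "0", "1000x", "", "-1",
                             " 7", "4294967296" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned lenient = (unsigned)parse_uid_lenient(inputs[i]);
        long strict = strict_uid_or_minus1(inputs[i]);

        printf("\"%s\"\tlenient -> uid %u%s\tstrict -> ", inputs[i],
               lenient, lenient == 0 ? " (root)" : "");
        if (strict < 0)
            printf("rejected\n");
        else
            printf("uid %ld\n", strict);
    }
    return 0;
}
```

Only the id parse is covered here. The quoted output also shows `gid=0(root) groups=0(root)` even for the accepted uid 1000, so a suexec that only switches the uid still leaves the command with root's group memberships; a complete fix would set the gid and supplementary groups before the uid as well.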
