Hi

On Sun, Apr 02, 2006 at 03:30:29PM -0400, Micah Anderson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hi,
> 
> I've applied this patch to the upcoming release subversion repository
> already.

Good to know, thanks.

Regards,

// Ola

> Micah
> 
> Ola Lundqvist wrote:
> > Hi
> > 
> > I have read through the patch and what I can determine is that
> > you make sure to print an error if the user id is not a number
> > and change root to 0.
> > 
> > Thanks for pointing me at this. I assume that this will be
> > applied by upstream soon enough so that we can incorporate it
> > when they release the next version. Or do you think it is important
> > enough to patch to the current version?
> > 
> > Regards,
> > 
> > // Ola
> > 
> > 
> > On Sun, Apr 02, 2006 at 12:40:25PM +0200, David Schmitt wrote:
> >> Package: util-vserver
> >> Version: 0.30.209-2
> >> Severity: important
> >> Tags: security patch upstream
> >>
> >> This is upstream bug #15996: suexec from root with an invalid
> >> ID runs as root.
> >>
> >> https://savannah.nongnu.org/bugs/?func=detailitem&item_id=15996
> >>
> >> [EMAIL PROTECTED]:~$ sudo vserver buildd suexec david id
> >> uid=0(root) gid=0(root) groups=0(root)
> >> [EMAIL PROTECTED]:~$ sudo vserver buildd suexec 1000 id
> >> uid=1000(david) gid=0(root) groups=0(root)
> >> [EMAIL PROTECTED]:~$ 
> >>
> >> There is also a patch already available at 
> >> https://savannah.nongnu.org/patch/?func=detailitem&item_id=4966
> >>
> >> Regards, David
> >>
> >> -- System Information:
> >> Debian Release: testing/unstable
> >>   APT prefers unstable
> >>   APT policy: (500, 'unstable')
> >> Architecture: i386 (i686)
> >> Shell:  /bin/sh linked to /bin/bash
> >> Kernel: Linux 2.6.16-1-vserver-686
> >> Locale: LANG=C, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
> >>
> >> Versions of packages util-vserver depends on:
> >> ii  iproute                       20051007-4 Professional tools to control the
> >> ii  libbeecrypt6                  4.1.2-4    open source C library of cryptogra
> >> ii  libc6                         2.3.6-4    GNU C Library: Shared libraries an
> >> ii  net-tools                     1.60-17    The NET-3 networking toolkit
> >>
> >> Versions of packages util-vserver recommends:
> >> ii  binutils          2.16.1cvs20060117-1uc1 The GNU assembler, linker and bina
> >> ii  make              3.80+3.81.rc2-1        The GNU version of the "make" util
> >>
> >> -- no debconf information
> >>
> >>
> > 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
> 
> iD8DBQFEMCZV9n4qXRzy1ioRAgBhAJ46ET5wQI6ZX5s0YMxNrCTgV0p7rwCfU3Mf
> HSM8/HQCblw8PhH4dDSjpXY=
> =UHDI
> -----END PGP SIGNATURE-----
> 

-- 
 --- Ola Lundqvist systemkonsult --- M Sc in IT Engineering ----
/  [EMAIL PROTECTED]                   Annebergsslingan 37        \
|  [EMAIL PROTECTED]                   654 65 KARLSTAD            |
|  http://www.opal.dhs.org           Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
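
The check described in the thread (error out when the user id is not a number, instead of ending up at uid 0), as an added example in C. It is not the Savannah patch and not util-vserver code; the function names are hypothetical, and the lenient atoi() variant is only an assumed illustration of how a name such as "david" can turn into 0.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Lenient parse, shown for contrast: atoi() returns 0 for "david",
 * and 0 is root's uid. (Assumed failure pattern, not util-vserver's code.) */
uid_t parse_uid_lenient(const char *s)
{
    return (uid_t)atoi(s);
}

/* Strict parse: accept only a complete, non-negative decimal number.
 * Returns 0 and stores the id in *out on success; returns -1 on error
 * and leaves *out untouched. */
int parse_uid_strict(const char *s, uid_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s < '0' || *s > '9')  /* rejects "", "-1", " 5", "david" */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0')         /* overflow or trailing junk ("1000x") */
        return -1;
    if (v >= (unsigned long)(uid_t)-1)      /* (uid_t)-1 means "no change" to setuid-style calls */
        return -1;
    *out = (uid_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample arguments. */
    const char *samples[] = { "david", "1000", "1000x", "", "-1", "0" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        uid_t uid = 0;
        if (parse_uid_strict(samples[i], &uid) == 0)
            printf("%-6s -> uid %lu\n", samples[i], (unsigned long)uid);
        else
            printf("%-6s -> rejected (lenient parse would give %lu)\n",
                   samples[i], (unsigned long)parse_uid_lenient(samples[i]));
    }
    return 0;
}
```

A caller should treat a -1 return as fatal and exit before any privilege change, so that an explicit "0" is the only input that yields uid 0.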

