Sam Hartman <[EMAIL PROTECTED]> writes:

> >>>>> "Russ" == Russ Allbery <[EMAIL PROTECTED]> writes:

> Russ> I think the web page is actually the problem here and should
> Russ> be fixed, although Sam can speak to this better than I. The
> Russ> version of send-pr that comes with krb5 has /tmp file
> Russ> vulnerabilities, so it would need some work before shipping
> Russ> it with the Debian package (see Bug#278271).

> Help me understand why you care about /tmp vulnerabilities in
> krb5-send-pr. It's not an application that you expect to be run in an
> automated manner and it seems very hard to usefully exploit.

It's something that one cares about just as a matter of course. In this
case, it's probably not easily exploitable, but if you know that a user is
running krb5-send-pr, you can do nasty things. This is:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0971

and got security releases from Gentoo, Red Hat, and Trustix.

> I think it is. I think we'd rather people file things with send-pr so
> fields in the bug get populated and the version reported gets set.
> However I think that for Debian bugs should go through reportbug.

> In principle I don't have a problem with adding a krb5-send-pr that
> suggests reportbug.

Seems like there are three options:

1. Apply the patch to krb5-send-pr that everyone else is using and install
   it, which seems to be what most distributions are doing.

2. Install a krb5-send-pr script that just says to use reportbug.

3. Don't install anything at all (status quo).

It seems like you're expressing a preference for the second option,
although I'm not positive. I'm happy to do whatever; I'd like to close out
both of the bugs. :)

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
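The class of temporary-file weakness referred to above, as an added illustration that is not code from krb5-send-pr, from the patch the thread mentions, or from anyone in this exchange: a constructed script contrasts a predictable `/tmp` name with the `mktemp`-plus-cleanup pattern and includes a check a packager can run on the result. The function names and the `send-pr.` prefix are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration, not from krb5-send-pr or this thread. Contrasts the
# predictable temporary-file naming that makes a /tmp race possible with
# the mktemp pattern used to fix that class of bug.
# Function names and the "send-pr." prefix are made up for this example.

# Weak pattern: a name built from the PID is guessable, and the file is
# only created by a later redirection, so another local user can place a
# file or symlink at that path first and have the script write through it.
weak_tmpfile() {
    printf '%s\n' "/tmp/send-pr.$$"
}

# Safe pattern: mktemp creates the file itself (exclusive create, random
# suffix, mode 0600), so there is no window between choosing the name and
# using it. TMPDIR is honoured so a private directory can be used instead.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/send-pr.XXXXXX"
}

# Sanity check a path before trusting it: must be a regular file, not a
# symlink, owned by the invoking user, and readable/writable by owner only.
check_tmpfile() {
    f=$1
    [ -f "$f" ] || return 1
    [ -L "$f" ] && return 1
    # find prints the path only if the owner matches the current user
    [ -n "$(find "$f" -user "$(id -un)" 2>/dev/null)" ] || return 1
    # first field of ls -ld is the type and mode string, e.g. -rw-------
    # (a trailing "." or "+" may follow on systems with ACLs or labels)
    set -- $(ls -ld "$f")
    case $1 in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use: create safely, guarantee removal even on interruption,
# then write the report body and verify the file before handing it on.
write_report() {
    tmp=$(safe_tmpfile) || return 1
    trap 'rm -f "$tmp"' EXIT HUP INT TERM
    printf 'Subject: constructed sample report\n' > "$tmp" || return 1
    check_tmpfile "$tmp"
}
```

`check_tmpfile` is the part worth keeping around when reviewing a script like this: it rejects a symlink, a file owned by someone else, and a file that was created with a permissive mode, which are exactly the conditions a predictable name under a world-writable directory lets another local user arrange.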