On Sat, Sep 01, 2007 at 12:42:19PM +0200, Thomas de Grenier de Latour wrote:
> The checkrestart program from debian-goodies (both latest 0.33 and
> stable 0.27) allows arbitrary command execution with root privileges.

Thanks. I was not aware of this bug.

> Since this program is likely launched as a daily root cron job on some
> systems, I think this is a grave security hole.

Actually, it should not be executed as a daily cron job, but should be run manually by an admin.

> This way, the command arguments are all well separated, without any
> shell interpretation.

Thanks, I will test out the patch and fix this as soon as possible.

> PS: sorry for any mistake I may have done in the way I've reported this
> bug. I'm not a Debian user, so I'm not used to your system. Actually, (...)

The bug has been reported just fine.

Regards

Javier