Hi Joey, On Thursday 05 May 2005 22:02, Joey Hess wrote: > This bug is not RC and is not a security issue. The piece of policy > quoted is intended to warn against attacks such as symlink attacks that > can be performed on unsafely created temp files. The program in question > is run during a fai install, before the system is multiuser, and so its > unsafe temp files cannot be created.
This is not true/right, since fai 2.8 "fai" can run on a running system, so there might be ways to exploit this. The new feature in question is called "softupdate", see http://liw.iki.fi/lists/debconf5-team%40lists.debconf.org/msg00349.html for a short explaination or have a look into the fai guide if you're interested to learn more. As the patch description says: * BUGFIX: create /tmp/fai only when DO_INIT_TASKS /tmp/fai was created, but not used when performing softupdates and not removed afterwards DO_INIT_TASKS is not defined for (grammar: at?) softupdates. If you agree, please raise the severity again. (I haven't done this cause I dont want to argue thru the BTS..) Thanks :-) regards, Holger
pgp8Pd81hqBNY.pgp
Description: PGP signature