severity 496411 grave
thanks
On Mon, Aug 25, 2008 at 10:00:33PM +0200, Thijs Kinkhorst wrote:
> The issue is present in the mentioned files. As a matter of fact, there are
> many more issues, the testset seems to be built around writing things in /tmp
> with hardcoded filenames.
>
> This is dangerous because as I understand it, these tests run as root.
> However, I would not expect people to run such a test set on production- or
> multiuser systems.
>
> So my solution to this bug would be the following: we (security team) mark
> the package as unsupported for multi-user, production environments.
> To that effect a short README.Debian would need to be added to the package
> that states something like this:
>
> ===
> This test suite is only intended to be run on non-production, single user
> systems. The scripts use various techniques that are exploitable in a context
> of potentially malicious local users.
> ===
>
> It may seem a bit obvious but I think it's better to be explicit than sorry.
> Can you take care of uploading a version with this change and get it into
> lenny? Let me know if you need me to make an NMU.
I agree with the approach, but let's make sure it doesn't fall through the
cracks by raising the severity to RC level again.
Cheers,
Moritz
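An added illustration of the hazard Thijs describes (a test run as root writing to a hardcoded name under the shared /tmp), not code from the package or from either message. The classic way a fixed, predictable temporary name is abused is that a local user pre-creates it as a symlink, so the privileged writer follows the link and clobbers a file the attacker could not otherwise write. The example uses a constructed sandbox directory in place of /tmp so it runs as an unprivileged user; the file names, the `PASS` payload and the helper names are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Debian package under discussion).
# Contrasts a hardcoded temp-file name with the mktemp(1) pattern, and
# shows a check a test harness can apply to any path it is about to use.

# Vulnerable pattern: a fixed name under a shared directory, opened with a
# plain ">" redirection. open(2) without O_EXCL follows whatever already
# sits at that name, so a pre-planted symlink redirects the write.
unsafe_write_result() {
    dir=$1                                  # stands in for /tmp
    printf 'PASS\n' > "$dir/testsuite.out"  # hardcoded, predictable name
}

# Hardened pattern: mktemp creates the file itself (O_CREAT|O_EXCL, mode
# 0600) under an unpredictable name and fails instead of reusing an entry
# that already exists, so nothing can be planted in advance. Prints the path.
safe_write_result() {
    dir=$1
    f=$(mktemp "$dir/testsuite.XXXXXX") || return 1
    printf 'PASS\n' > "$f"
    printf '%s\n' "$f"
}

# Defensive check for a path a test is about to write through: it must
# exist, must not be a symlink, and must be owned by the caller.
# Returns 0 when the path is safe to use, 1 otherwise.
tmp_path_is_private() {
    p=$1
    [ -e "$p" ] || return 1
    [ -L "$p" ] && return 1
    [ -O "$p" ] || return 1
    return 0
}

# Self-contained demonstration in a throwaway sandbox (constructed data).
demo() {
    s=$(mktemp -d) || return 1
    victim="$s/victim"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$s/testsuite.out"      # attacker plants the link first
    unsafe_write_result "$s"                # root-run test follows it...
    printf 'victim now contains: %s\n' "$(cat "$victim")"
    f=$(safe_write_result "$s")             # ...whereas mktemp cannot be pre-planted
    printf 'safe file %s private: %s\n' "$f" \
        "$(tmp_path_is_private "$f" && echo yes || echo no)"
    rm -rf "$s"
}
```

Running `demo` shows `victim now contains: PASS`, i.e. the hardcoded-name write went through the planted link, while the mktemp-created file is a fresh regular file owned by the caller. With a root-run suite the victim could be any file on the system; the README text proposed above is exactly the warning that this pattern needs.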