Package: util-vserver
Version: 0.30.204-5sarge2
Severity: critical
Tags: sarge
Justification: root security hole

Dear Ola,

I found that the util-vserver in sarge cannot pass tests 109 and 121 of the testfs.sh script[1], which is provided by the upstream author. After more tests, the upstream author discovered that this is a security hole. 109 verifies that the barrier was removed correctly, while 121 checks that it was set correctly.

This bug is kernel-patch-vserver related. I have filed a bug against kernel-patch-vserver that you may want to have a look at.

Here is what I did in my tests:

  # dd bs=1024k count=1024 if=/dev/zero of=1gb.test
  # losetup /dev/loop4 ./1gb.test
  # ./testfs.sh -l -t -D /dev/loop4 -M /mnt

[1] http://vserver.13thfloor.at/Stuff/SCRIPT/testfs.sh-0.09

PS. I confirmed that the kernel-patch-vserver + linux-source-2.6.12 + util-vserver in sid pass the test of testfs.sh.

-- System Information:
Debian Release: 3.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-10vserver
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages util-vserver depends on:
ii  iproute     20041019-3     Professional tools to control the
ii  libc6       2.3.2.ds1-22   GNU C Library: Shared libraries an
ii  libgcc1     1:3.4.3-13     GCC support library
ii  libstdc++5  1:3.3.5-13     The GNU Standard C++ Library v3
ii  net-tools   1.60-10        The NET-3 networking toolkit

util-vserver recommends no packages.

-- no debconf information