Hello Tzafrir,

(I re-added the bug log)

On Sat, Jul 02, 2005 at 03:05:22PM +0300, Tzafrir Cohen wrote:
> On Sat, Jul 02, 2005 at 07:57:44AM +0200, Helge Kreutzmann wrote:
> > Please keep this bug open until a DSA for sarge has been issued.
> > Thanks.
> >
> > Greetings
>
> What is it exactly you want to fix?!

I read "Justification: user security hole" and "An exploitable security problem has been found". This indicates to me that there is a serious security problem. Since the version in stable seems vulnerable, I added this as a reminder to be fixed.

> Are you stupid enough to give any untrusted user the ability to execute
> arbitrary CLI commands? If so, even after the fix, that user will be

Sorry, are you talking with me?

> able to execute '!sh' or '!rm -rf /var/spool/asterisk/voicemail' even
> after you've applied this fix.
>
> Please go over the changelogs of 1.0.8 and review those changes. I
> believe that there were some more relevant stability-related changes
> there.

Ok, if I understand you correctly, then this is really a no-issue, because the user can use his elevated privileges to create havoc anyway.

Please note that I do not use asterisk (currently), but I see a tendency for security related bugs to get fixed in unstable, but not in stable. So this reopening was a reminder. If you say this was no real security issue, fine. But the report, rated grave (not serious!), the reply by Santiago (talking about exploitation). Also there is the remark regarding this issue by Mark, who agrees that a DSA should be issued.

Please do not take re-openings as a personal issue. A polite explanation that the bug submitter made a mistake by rating it grave, and explaining (as you did) that the severity is so low that no DSA for stable needs to be made, would be fine.

Greetings

Helge

-- 
Dr. Helge Kreutzmann, Dipl.-Phys.                    [EMAIL PROTECTED]
gpg signed mail preferred    64bit GNU powered    http://www.itp.uni-hannover.de/~kreutzm
Help keep free software "libre": http://www.ffii.de/