Package: publicfile-installer
Version: 0.10-1
Severity: critical
Tags: security
Justification: root security hole

Hi Justin,

On Sun, Aug 09, 2015 at 12:38:21PM +0100, Justin B Rye wrote:
> 
> This contrib installer package downloads the source code for DJB's
> publicfile, builds it, and then puts the output in a predictable
> location in a world-writable directory, using an existing directory of
> that name if it already exists, then (either automatically or by
> telling the admin to run another script) installs whatever happens to
> be in that directory.
> 
> This can be exploited by malicious local users to get arbitrary
> installscripts executed as root.
<snip>

I'll investigate & fix this; thanks for checking the code.

Bye,

Joost
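
An added example, not part of the original mail or of publicfile-installer's own scripts: one way to avoid the pattern described in the report is to build in a freshly created private directory and to check ownership and permissions before anything in it is installed as root. The function names are hypothetical and the code assumes GNU coreutils (`mktemp -d`, `stat -c`), as on Debian.

```shell
#!/bin/sh
# Added example; make_build_dir and build_dir_is_trusted are hypothetical
# helper names, not taken from publicfile-installer.
# Assumes GNU coreutils (mktemp -d, stat -c).

# Create a fresh build directory with an unpredictable name.
# mktemp -d creates it with mode 0700 and fails instead of reusing an
# existing path, so a directory pre-created by another user is never adopted.
make_build_dir() {
    base=${1:-${TMPDIR:-/tmp}}
    mktemp -d "$base/build.XXXXXXXXXX"
}

# Return 0 only if $1 is a real directory (not a symlink), owned by the
# invoking user, and not writable by group or others.
# Call this immediately before installing anything found in the directory.
build_dir_is_trusted() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # Treat the mode as octal and reject any group/other write bit (022).
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}
```
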
