"Dmitry E. Oboukhov" <[EMAIL PROTECTED]> writes:

> Package: lintian
> Tags: patch, security
> Severity: wishlist
>
> Hello, lintian maintainers!
> please, see full discussion in -devel:
>     http://lists.debian.org/debian-devel/2008/08/msg00271.html
> for example, see the bug
>       http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
>       (if attacker makes symlink from /tmp/twiki to /etc/shadow, then
>        he takes full access to the system (when twiki installs or
>        upgrades))
>
> I wrote the check script for the lintian package. This additional check
> verifies the debian packages for the presence of the discussed bug.

Lintian already checks for this.  If the current check is not sufficient
(which is certainly believable), it should be improved, rather than adding
a new, separate check.  See
possibly-insecure-handling-of-tmp-files-in-maintainer-script.

This, like various other checks, should be extended to more than just
maintainer scripts, which requires some additional infrastructure work on
the lintian script checking.

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>
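
An added illustration, not part of the thread and not lintian's own code: a heuristic scan of a maintainer script for fixed paths under /tmp, the pattern behind the symlink problem discussed above. The function names, the regular expression and both sample scripts are constructed for this example; only the path /tmp/twiki comes from the message.

```shell
#!/bin/sh
# Added example: heuristic scan of a maintainer script for fixed /tmp paths.
# Not lintian's implementation; names and sample scripts are constructed.

# Print "N:line" for each non-comment line that names a fixed path under
# /tmp or /var/tmp and does not get that name from mktemp or tempfile.
find_fixed_tmp_paths() {
    grep -nE '(^|[^[:alnum:]_./-])/(var/)?tmp/[[:alnum:]_.$-]' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' \
        | grep -vE 'mktemp|tempfile' \
        || true   # "no findings" is not an error
}

# Exit status 0 if the script has no findings, 1 otherwise.
script_is_clean() {
    [ -z "$(find_fixed_tmp_paths "$1")" ]
}

# Constructed sample inputs, written to a private directory from mktemp -d.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

cat > "$workdir/postinst.bad" <<'EOF'
#!/bin/sh
set -e
# scratch copy goes in /tmp/twiki
cp /etc/example.conf /tmp/twiki
sed 's/old/new/' /tmp/twiki > /etc/example.conf
EOF

cat > "$workdir/postinst.good" <<'EOF'
#!/bin/sh
set -e
scratch=$(mktemp /tmp/twiki.XXXXXX)
trap 'rm -f "$scratch"' EXIT
cp /etc/example.conf "$scratch"
EOF

for f in "$workdir"/postinst.*; do
    if script_is_clean "$f"; then
        echo "${f##*/}: ok"
    else
        echo "${f##*/}: fixed temporary path"
        find_fixed_tmp_paths "$f" | sed 's/^/  line /'
    fi
done
```

A line-based pattern like this misses paths assembled from variables and flags some harmless uses, so its findings need manual review.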

