On Mon, Aug 25, 2008 at 10:40:31AM +0400, Dmitry E. Oboukhov wrote:
> On 13:15 Sun 24 Aug , Steve Langasek wrote:
> SL> severity 496410 important
> SL> thanks

> You are mistaken :)
> Your script is placed in /usr/sbin, i.e. it runs with root privs.
> If I create a symlink /etc/shadow -> /tmp/eglog and you start this script,
> then your system will be damaged.

The standard for grave-severity security bugs in Debian is "can be used by an attacker to gain control of an account of a user who uses this package", not "can be used by an attacker to create a Denial of Service by breaking the system".

Writing this garbage to /etc/shadow will not result in privilege escalation, it will only result in a broken system; therefore, it is my understanding that this is not a grave bug.

So I don't think I've made a mistake here.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
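The scenario debated in this thread, a root-run script writing to a fixed name under /tmp, shown beside a hardened form. This is an added example, not part of the original messages and not the package's script; the function names, the sandbox directory standing in for /tmp, and the `victim` file standing in for a root-owned file are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo: everything happens inside a private sandbox directory
# standing in for /tmp; "victim" stands in for a file only root may write.

# Weak pattern: fixed, predictable file name. The shell redirect follows
# whatever already sits at that path, including a symlink.
write_log_unsafe() {    # $1 = directory, $2 = message
    echo "$2" > "$1/eglog"
}

# Hardened pattern: mktemp creates a new file under an unpredictable name
# and fails rather than reusing an existing path, so a link planted at a
# guessed name is never opened.
write_log_safe() {      # $1 = directory, $2 = message; prints the file used
    log=$(mktemp "$1/eglog.XXXXXX") || return 1
    echo "$2" > "$log"
    printf '%s\n' "$log"
}

# Runs both patterns against a pre-planted link and reports the victim
# file's content after each one, as "after_safe|after_unsafe".
demo() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim"
    echo "original" > "$victim"
    mkdir "$sandbox/tmp"
    ln -s "$victim" "$sandbox/tmp/eglog"    # link planted at the fixed name

    write_log_safe "$sandbox/tmp" "debug output" > /dev/null
    after_safe=$(cat "$victim")

    write_log_unsafe "$sandbox/tmp" "debug output"
    after_unsafe=$(cat "$victim")

    rm -rf "$sandbox"
    echo "$after_safe|$after_unsafe"
}

demo    # prints: original|debug output
```

The hardened form leaves the linked file untouched; the fixed-name form overwrites it with the script's output, which is the system breakage both messages describe.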