On Sat, Mar 26, 2005 at 09:39:41AM -0700, LaMont Jones wrote:
> On Fri, Mar 25, 2005 at 05:16:14PM -0800, Steve Langasek wrote:
> > Additional con:
> > - depends on a newer version of e2fsprogs than we currently have in
> >   testing, which requires updating roughly a half dozen frozen libraries
> > Hrm, this looks like a bug in libblkid1 to me, since the shlibs were not
> > updated when the new public functions were added...
>
> There is a security vulnerability caused by mount using the older
> version of libblkid1, which didn't verify that euid=uid before blindly
> using an environment variable for a file name...
>
> One might argue that this is sufficient reason to bump the soname, but
> sid and hoary are the only users of that function in that manner (inside
> mount).
>
> An alternative that is less invasive to sarge would be to drop libblkid1
> support from a t-p-u upload.

Well, the version of mount currently in testing doesn't seem to use
libblkid at all... :)

-- 
Steve Langasek
postmodern programmer
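The bug LaMont describes is a classic setuid pitfall: a library honours an environment variable naming a file, and when that library is linked into a setuid program such as mount, an unprivileged caller can point it at a file of their choosing. The example below is added here and is not code from the thread, from mount or from e2fsprogs/libblkid; it contrasts the unconditional pattern with one that only honours the override when real and effective uid and gid match. The variable name EXAMPLE_CACHE_FILE and the default path are assumptions chosen for illustration.

```c
/* Added example, not from the original thread or from libblkid/mount.
 * Demonstrates the euid==uid check the message refers to: a setuid program
 * must not take a file name from the environment while running with
 * privileges it did not inherit from its caller.
 * CACHE_FILE_ENV and DEFAULT_CACHE_PATH are assumed names for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define CACHE_FILE_ENV     "EXAMPLE_CACHE_FILE"   /* assumed variable name */
#define DEFAULT_CACHE_PATH "/etc/example.cache"   /* assumed default path */

/* Vulnerable pattern: trust the environment unconditionally.
 * Inside a setuid-root binary this lets the invoking user choose which
 * file the privileged process reads or writes. */
const char *cache_path_unsafe(const char *env_value)
{
    return (env_value && *env_value) ? env_value : DEFAULT_CACHE_PATH;
}

/* Hardened pattern: honour the override only when the process is not
 * running with elevated privileges, i.e. real == effective for both uid
 * and gid. Otherwise fall back to the compiled-in default. The IDs are
 * passed in explicitly so the decision can be exercised without actually
 * being setuid. */
const char *cache_path_safe(const char *env_value,
                            uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (uid != euid || gid != egid)
        return DEFAULT_CACHE_PATH;
    return (env_value && *env_value) ? env_value : DEFAULT_CACHE_PATH;
}

/* Convenience wrapper that reads the live process state. */
const char *cache_path_from_process(void)
{
    return cache_path_safe(getenv(CACHE_FILE_ENV),
                           getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    /* Constructed attacker-controlled value, as if set in the environment. */
    const char *attacker = "/tmp/attacker-controlled";

    printf("unsafe, setuid root  : %s\n", cache_path_unsafe(attacker));
    printf("safe,   setuid root  : %s\n",
           cache_path_safe(attacker, 1000, 0, 1000, 1000));
    printf("safe,   unprivileged : %s\n",
           cache_path_safe(attacker, 1000, 1000, 1000, 1000));
    printf("this process         : %s\n", cache_path_from_process());
    return 0;
}
```

Note that the hardened version still allows the override for an ordinary, non-setuid invocation, which is the behaviour a library wants; only the privileged case is locked down. A library cannot know at compile time whether it will be linked into a setuid program, so the check belongs in the library itself rather than in each caller.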