Package: nws Severity: grave Tags: security This message about the error concerns a few packages at once. I've tested all the packages on my Debian mirror. (post|pre)(inst|rm) and config scripts were tested.
In some packages I've discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlink with the same name in this directory in order to destroy or rewrite some system file. I set Severity into grave for this bug. The table of discovered problems is below. +------------------+-----------------+---------------------------------- | package | script | file for attack +------------------+-----------------+---------------------------------- | mplayer-1.0~rc2 | config | /tmp/HACK (pipe) | | | | nws-2.13 | postinst | /tmp/nws.debug (cp) | | | | ppp-2.4.4rel | postinst | /tmp/probe-finished (rm -f, pipe) | | postinst | /tmp/ppp-errors (rm -f, pipe) | ppp-udeb | /etc/ppp/ip-up | /tmp/resolv.conf.tmp (cp) | | | | twiki-4.1.2 | postinst | /tmp/twiki (chmod 1777, chown) +------------------+-----------------+---------------------------------- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
