Hello,
I have done a quick and brutal fix to this. Patch file is attached.
The fix:
- terminate if run setuid. So only root can mount. Reason: davfs2 does
not enforce mount control by fstab. So if run setuid, any user could
mount with the uid of any other user.
- set uid and gid according to
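The fstab mount-control check that the note above says davfs2 lacks, as an added example in C (not part of the attached patch or of davfs2): a setuid mount helper deciding from the caller's real uid, and from the `user`/`users` option of the matching fstab entry, whether the mount may proceed. The function names, the constructed sample fstab and the choice to pass the fstab text in as a parameter are my own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Return 1 if the comma-separated option list contains "user" or "users". */
static int opts_allow_user(const char *opts) {
    char buf[256];
    strncpy(buf, opts, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ","))
        if (strcmp(tok, "user") == 0 || strcmp(tok, "users") == 0)
            return 1;
    return 0;
}

/* May the caller with real uid `ruid` mount `mntpoint`? `fstab` is fstab-format
 * text (assumption: passed in instead of read from /etc/fstab, for testability).
 * Only the real uid counts: under setuid the effective uid is root and is not trustworthy. */
int may_mount(uid_t ruid, const char *mntpoint, const char *fstab) {
    if (ruid == 0)
        return 1;                           /* root may mount anything */
    char line[512], dev[128], dir[128], type[32], opts[256];
    for (const char *p = fstab; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        if (line[0] == '#' ||
            sscanf(line, "%127s %127s %31s %255s", dev, dir, type, opts) != 4)
            continue;                       /* comment or malformed entry */
        if (strcmp(dir, mntpoint) == 0)
            return opts_allow_user(opts);   /* listed: its options decide */
    }
    return 0;                               /* not listed: deny unprivileged callers */
}

/* Constructed sample fstab for the demonstration (not a real system file). */
static const char SAMPLE_FSTAB[] =
    "# <device>           <dir>        <type>  <options>       <dump> <pass>\n"
    "/dev/sda1            /            ext3    defaults        0 1\n"
    "https://dav.example/ /mnt/shared  davfs   rw,user,noauto  0 0\n"
    "https://dav.example/ /mnt/private davfs   rw,noauto       0 0\n";

int main(void) {
    printf("uid 1000 -> /mnt/shared:  %d\n", may_mount(1000, "/mnt/shared", SAMPLE_FSTAB));
    printf("uid 1000 -> /mnt/private: %d\n", may_mount(1000, "/mnt/private", SAMPLE_FSTAB));
    printf("root     -> /mnt/private: %d\n", may_mount(0, "/mnt/private", SAMPLE_FSTAB));
    return 0;
}
```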
also sprach Roger Leigh <[EMAIL PROTECTED]> [2005.05.28.1420 +0200]:
> I don't want to do that without the maintainer's consent. If the
> package has severe security issues that won't be fixed in the
> short-term, do we really want this in Debian?
It is only Debian *unstable*, but before I come a
martin f krafft <[EMAIL PROTECTED]> writes:
> also sprach Roger Leigh <[EMAIL PROTECTED]> [2005.05.28.1208 +0200]:
>> If the security problems in the package can't be resolved soon, please
>> could you request removal from sid in addition to removal f
Package: davfs2
Version: 0.2.3-2
Severity: grave
Tags: security
Justification: user security hole
It appears that davfs2 does not enforce unix permissions. I just
mounted a DAV share as root. When I list permissions in the root of the
mount, I see
% ls -ld .
drwxr-xr-x 1 root root 512