Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

The new upstream version that fixes this bug introduces a lot of other changes and doesn't seem acceptable for lenny. Is anyone working on backporting the fix for a t-p-u upload? I can probably do it later this week but I don't want to duplicate work. Cheers, Stefan -- To UNSUBSCRIBE,

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

Hi, the following two additional CVE ids have been assigned to symlink issues in cman redhat-cluster: CVE-2008-4579[0]: | The (1) fence_apc and (2) fence_apc_snmp programs, as used in (a) | fence 2.02.00-r1 and possibly (b) cman, when running in verbose mode, | allows local users to append to

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

Hi, It looks like there are some more tempfile creation problems in the redhat-cluster source package. 1) In rgmanager/src/daemons/main.c (line 707): void dump_internal_state(char *loc) { FILE *fp; fp=fopen(loc, w+);

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

severity 496410 grave thanks SL So I don't think I've made a mistake here. You are mistake, see http://www.debian.org/Bugs/Developer.en.html#severities quote: grave makes the package in question unusable or mostly so, or causes data loss, or introduces a security hole allowing access

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

severity 496410 important thanks On Wed, Aug 27, 2008 at 07:12:29PM +0400, Dmitry E. Oboukhov wrote: _or_ _causes_ _data_ _loss_ It does not cause data loss, the admin needs to execute it. And now stop bitching around. Bastian -- Superior ability breeds superior ambition. --

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

tags 496410 security thanks On 13:15 Sun 24 Aug , Steve Langasek wrote: SL severity 496410 important SL thanks You are mistake :) Your script places in /usr/sbin, ie it runs with root privs. If I create symlink /etc/shadow - /tmp/eglog and You start this script, then your system 'll

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

On Mon, Aug 25, 2008 at 10:40:31AM +0400, Dmitry E. Oboukhov wrote: On 13:15 Sun 24 Aug , Steve Langasek wrote: SL severity 496410 important SL thanks You are mistake :) Your script places in /usr/sbin, ie it runs with root privs. If I create symlink /etc/shadow - /tmp/eglog and You

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

severity 496410 important thanks On Sun, Aug 24, 2008 at 10:05:29PM +0400, Dmitry E. Oboukhov wrote: Package: cman Severity: grave Binary-package: cman (2.20080629-1) file: /usr/sbin/fence_egenera The broken usage is: local *egen_log; open(egen_log,/tmp/eglog);

Bug#496410: The possibility of attack with the help of symlinks in some Debian packages

Package: cman Severity: grave Hi, maintainer! This message about the error concerns a few packages at once. I've tested all the packages (for Lenny) on my Debian mirror. All scripts of packages (marked as executable) were tested. In some packages I've discovered scripts with errors which