[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-12-15 Thread Andrew J. Caines
Caught the error again, again while running in Software Updater, but I captured the output from the beginning. There were only four related packages being updated.
Preconfiguring packages ...
Can't exec "/tmp/cryptsetup-initramfs.config.UaZ02N": Permission denied at /usr/lib/x86_64-linux-gnu/perl

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-12-10 Thread Andrew J. Caines
I will attempt to capture more details when I next observe the error so that the correct package can be identified for this report.
-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to perl in Ubuntu. https://bugs.launchpad.net/bug

Re: [Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-11-21 Thread Steve Langasek
On Sun, Nov 19, 2023 at 08:02:42PM -, Andrew J. Caines wrote:
> the fact remains that processes running as root created a file directly in
> /tmp not using a safe *mktemp* process
There is no evidence in this bug of unsafe temp file creation in /tmp.

Re: [Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-11-21 Thread Steve Langasek
On Mon, Nov 20, 2023 at 08:50:05PM -, Andrew J. Caines wrote:
> You are of course quite right that the risk associated with a file
> created with a "random" six character case-insensitive alphanumeric
> suffix and run a moment later is far smaller than more obviously risky
> misuses of /tmp. N

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-11-20 Thread Andrew J. Caines
You are of course quite right that the risk associated with a file created with a "random" six character case-insensitive alphanumeric suffix and run a moment later is far smaller than more obviously risky misuses of /tmp. Nevertheless the issue is not about evaluating the risk of an adversary crea

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-11-19 Thread Alex Murray
I am struggling to see the vulnerability here still - the path used in this case, /tmp/ubuntu-drivers-common.config.55GJ8b, appears to have a randomly generated suffix and so couldn't have been guessed beforehand nor preseeded with other contents by a local attacker - so the only way then that I c

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-11-19 Thread Andrew J. Caines
@vorlon, Thank you for your considered response. I concur that this is not a vulnerability in the Ubuntu perl package. While I do not disagree with any of the points you make, the fact remains that processes running as root created a file directly in /tmp not using a safe *mktemp* process and late

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-11-19 Thread Julian Andres Klode
This might in fact be debconf itself that tries to place it there, in a system without dpkg-preconfigure aka without apt-utils installed or where it couldn't be preconfigured.

[Touch-packages] [Bug 2043711] Re: Open3.pm tries to run code in /tmp when updating ubuntu-drivers-common

2023-11-19 Thread Steve Langasek
This is not a security bug, or a bug at all in perl. Software that executes commands under /tmp is not intrinsically insecure. Various hardening guides recommend mounting /tmp noexec because it's harder for programmers to get security handling of files under /tmp *right*; but an attempt to execu