Jann, thanks for the comment; I believe the checks aren't strictly
necessary; the grep command used to extract one specific variable with
the given legal values is the more important part of this patch.
That said, /run/user is a filesystem in its own right, so cross-mount
hardlinks aren't possible

I'm not sure whether this is the right place to write this, but those
permission checks look really racy - both the file type test and the file owner
UID check.
(Besides, I think that an attacker should be able to hardlink a file created by
another user into his directory, which would also lead

This bug was fixed in the package upstart - 1.13.2-0ubuntu9
---
upstart (1.13.2-0ubuntu9) vivid; urgency=medium
* debian/upstart-bin.upstart.cron.daily: Ensure the session uid matches that
of the session file itself to stop a user forcing the logrotation of
another users log
Fixed in upstart 1.13.2-0ubuntu9, currently in the proposed pocket.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1425685
Title:
Missing input sanitation in upstart logrotation cronjob
To manage no
** Changed in: upstart (Ubuntu)
Status: New => Fix Committed
--
** Changed in: upstart (Ubuntu)
Assignee: (unassigned) => James Hunt (jamesodhunt)
** Changed in: upstart (Ubuntu)
Importance: Undecided => High
--
Note - this problem only affects vivid fwics. Further, it does not
affect Touch (since that uses Upstart as PID 1).
--
** Branch linked: lp:~jamesodhunt/ubuntu/vivid/upstart/bug-1425685
--
** Information type changed from Private Security to Public Security