Old 08-25-2008, 01:44 AM
Russ Allbery
 
Bug#496429: The possibility of attack with the help of symlinks in some Debian packages

Steve Langasek <vorlon@debian.org> writes:

> The example *is* wrong - the example given is never safe to run, because
> the only way to verify beforehand that /tmp/zenity is not a symlink to
> something more important is by first explicitly *creating* your file
> under /tmp (non-destructively), then check that it's not a symlink, and
> *then* run pilot-qof.

I dunno, I'd feel quite comfortable running that command on my personal
laptop, which has no other users and no remote login access. /tmp file
vulnerabilities are only vulnerabilities on multiuser systems. We don't
know for *packages* whether they'll be installed on multiuser systems, so
of course we have to fix them regardless, but in examples I think it's
often reasonable to be sloppier.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
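The create-then-check procedure quoted from Steve Langasek above, as an added shell example that is not code from the thread or from pilot-qof; it uses mktemp(1) for the non-destructive create step, and the function names are assumed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread or from pilot-qof: the sequence Steve
# Langasek describes (create the file under /tmp non-destructively, confirm it
# is not a symlink, only then use it), with mktemp(1) supplying the atomic
# create step. Function names are assumed for illustration.

# Return 0 (true) if writing to a fixed, predictable path like /tmp/zenity is
# unsafe: something already exists there, and in particular a symlink, which
# would redirect the write to whatever it points at.
fixed_path_is_unsafe() {
    [ -L "$1" ] || [ -e "$1" ]
}

# Create an output file under directory $1 and print its path. mktemp creates
# it with O_EXCL and mode 0600 under an unpredictable name, so nobody can have
# planted a symlink there first; the test afterwards is the explicit "then
# check that it's not a symlink" step from the thread.
safe_tmp_output() {
    f=$(mktemp "$1/zenity.XXXXXX") || return 1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$f"
}

# Constructed demonstration: a private sandbox standing in for /tmp, in which a
# symlink named "zenity" already points at a file we would not want clobbered.
demo() {
    sandbox=$(mktemp -d) || return 1
    : > "$sandbox/important"
    ln -s "$sandbox/important" "$sandbox/zenity"
    if fixed_path_is_unsafe "$sandbox/zenity"; then
        echo "$sandbox/zenity: refusing to write, path already exists (symlink)"
    fi
    out=$(safe_tmp_output "$sandbox") && echo "writing output to $out instead"
    rm -rf "$sandbox"
}

demo
```

On a single-user laptop the fixed path is only unsafe if something is already there; on a multiuser system the same check is what keeps a planted symlink from turning the write into a clobber of another file.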
 
Old 08-25-2008, 10:24 AM
Martin Langhoff
 
Bug#496429: The possibility of attack with the help of symlinks in some Debian packages

On Mon, Aug 25, 2008 at 10:17 PM, Dmitry E. Oboukhov <unera@debian.org> wrote:
> NW> Because it is in the documentation, not the script. Didn't you read the
> NW> reply? It is not a route of attack, it is AN EXAMPLE in the
> NW> documentation!
> This script is marked as executable.
> A user can start it.
>
> If it is an example, please chmod a-x it.

NO. It is in POD, and POD is documentation embedded in code - effectively
a comment in Perl code that gets turned into documentation.

It is _not_ a good reason to file a grave bug.

See

- http://en.wikipedia.org/wiki/Plain_Old_Documentation
- http://perldoc.perl.org/perlpod.html

Dmitry, you seem to be wasting a lot of people's time.



m
--
martin.langhoff@gmail.com
martin@laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
