> Well, this is a public mailing list. :)

I realize now that many emails, about 20% in our case, that are listed as package maintainers are public mailing lists. That's unfortunate, but hopefully most reported bugs will not be security critical.

> I have a fix which I plan to push tonight along with a couple of other patches.

That's great! I'm impressed by how quickly you were able to produce a patch.

> One thing I noticed, however, is that, because some of the programs are
> only expected to be run as root, they return immediately if getuid()
> returns non-zero (e.g. dpkg-reconfigure from cdebconf) and do not
> actually get tested beyond this point. Alexandre, I don't know if this
> issue showed up already in your experiment.

You raised a good point. This is happening quite a bit, especially when analyzing /sbin. We are not able to analyze those programs yet, as we run as a normal user. This is on our todo list though.

Thanks,
The mayhem Team

On Wed, Jun 26, 2013 at 4:00 PM, Regis Boudin <[email protected]> wrote:
> Hi everyone,
>
> On 26/06/13 19:41, Alexandre Rebert wrote:
> > Hi,
> >
> > We found a crash in dpkg-preconfigure contained in the cdebconf package. You are being
> > contacted because you are listed as one of the maintainers of cdebconf.
> >
> > We are planning to submit the bug to the Debian bug tracking system in two
> > weeks. We wanted to give you a heads-up, so that you have some time to assess the
> > seriousness of the bug before it is publicly disclosed.
> >
> > The bug report that will be submitted to the bug tracker is available at the
> > following url:
> >
> > http://www.forallsecure.com/bug-reports/0b490c9cde588da20fd322f4f05ead920e705eb8/
>
> I just had a look, and the problem was pretty simple to fix. I was
> missing a check on $PATH being NULL before calling strdup() on it. I
> have a fix which I plan to push tonight along with a couple of other
> patches.
>
> One thing I noticed, however, is that, because some of the programs are
> only expected to be run as root, they return immediately if getuid()
> returns non-zero (e.g. dpkg-reconfigure from cdebconf) and do not
> actually get tested beyond this point. Alexandre, I don't know if this
> issue showed up already in your experiment.
>
> Regis
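The crash class Regis describes (getenv("PATH") returning NULL when the variable is unset, then strdup() dereferencing that NULL) is easy to reproduce and to guard against. The following is an added example written for this page; it is not cdebconf's code, and the function names, the FALLBACK_PATH value and the use of unsetenv() to mimic a stripped fuzzing environment are all assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Search path substituted when PATH is absent from the environment.
 * The value is an assumption for this example, not cdebconf's choice. */
#define FALLBACK_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* The crashing pattern from the thread: getenv() returns NULL when the
 * variable is unset, and strdup(NULL) dereferences it immediately.
 * Kept only to show the defect; never call it with PATH unset. */
char *path_dup_unchecked(void)
{
    return strdup(getenv("PATH"));
}

/* Hardened form: test for NULL before copying and fall back to a
 * known-good default. Returns a heap string the caller must free(),
 * or NULL only if strdup() itself fails. */
char *path_dup_checked(void)
{
    const char *p = getenv("PATH");
    if (p == NULL)
        p = FALLBACK_PATH;      /* the missing check */
    return strdup(p);
}

/* Reports whether PATH is currently present in the environment. */
int path_is_set(void)
{
    return getenv("PATH") != NULL;
}

int main(void)
{
    /* Reproduce a minimal environment such as a fuzzer or a cron job
     * may provide: PATH not set at all. */
    unsetenv("PATH");
    char *p = path_dup_checked();
    if (p == NULL)
        return 1;
    printf("PATH unset, using fallback: %s\n", p);
    free(p);
    return 0;
}
```

Run it under `env -i` to confirm the point without unsetenv(): `env -i ./a.out` starts the process with an empty environment, which is exactly the situation that made the original strdup() call fault.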

