Control: severity -1 serious

On Thu, 19 Sep 2024 20:11:32 +0200 Helmut Grohne <[email protected]> wrote:
Source: binutils-mipsen
Version: 12+c1
Severity: important
Justification: violates policy 10.9 "should"
Tags: security

Multiple binary packages built from binutils-mipsen have their files
(including e.g. /, /usr, /usr/bin and /usr/bin/TOOL) owned by user
"buildd" or user "sbuild". They really should be owned by root. Likely,
dh_fixperms or something similar is missing here or a repacking step
fails to reset ownership information back to root.

This also poses a possible vulnerability. If there happens to be a user
thus named on the system, they can modify tools below /usr/bin and thus
escalate their privileges.

Helmut

Using `dpkg-deb --root-owner-group --build ...` when assembling the deb should do.

Best regards,
Niels
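As an added example for this thread (not code from binutils-mipsen, dpkg or either poster), the script below reproduces the reported condition in a constructed .deb whose data.tar members are owned by a `buildd` user, detects it by reading the uid/gid and uname/gname fields of every data.tar member, and rebuilds data.tar with root:root ownership, which is the effect `dpkg-deb --root-owner-group` has at build time. The package name, the file list, and the uid 1000 for `buildd` are assumptions chosen for the demonstration; the ar container layout (`debian-binary`, `control.tar.*`, `data.tar.*`) is the standard .deb format.

```python
"""Detect non-root ownership inside a .deb and rewrite data.tar to root:root.
Added example for the bug thread; the package contents are constructed."""
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
# Constructed: a build user that leaked into the archive, as in the report.
BUILD_USER = (1000, 1000, "buildd", "buildd")
# Constructed file list (path, content); None marks a directory.
SAMPLE_FILES = [
    (".", None),
    ("./usr", None),
    ("./usr/bin", None),
    ("./usr/bin/mips-linux-gnu-as", b"#!/bin/sh\necho assembler\n"),
]


def _ar_member(name, data):
    """Encode one member of the classic ar archive that wraps a .deb."""
    header = (name.ljust(16).encode()
              + b"0".ljust(12)                     # mtime
              + b"0".ljust(6) + b"0".ljust(6)      # uid, gid of the ar entry
              + b"100644".ljust(8)                 # mode
              + str(len(data)).ljust(10).encode()  # size
              + b"`\n")
    return header + data + (b"\n" if len(data) % 2 else b"")


def _ar_members(blob):
    """Yield (name, data) for each member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        size = int(hdr[48:58].decode().strip())
        yield hdr[:16].decode().strip().rstrip("/"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members are padded to an even offset


def make_tar(entries, uid, gid, uname, gname):
    """Build a gzip'd tar from (path, content) pairs with the given ownership."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in entries:
            info = tarfile.TarInfo(path)
            if content is None:
                info.type, info.mode = tarfile.DIRTYPE, 0o755
            else:
                info.size = len(content)
                info.mode = 0o755 if path.startswith("./usr/bin/") else 0o644
            info.uid, info.gid, info.uname, info.gname = uid, gid, uname, gname
            tar.addfile(info, None if content is None else io.BytesIO(content))
    return buf.getvalue()


def build_deb(data_tar, package="example"):
    """Assemble a .deb around a prepared data.tar.gz (control file is minimal)."""
    control = ("Package: %s\nVersion: 1\nArchitecture: all\n"
               "Maintainer: nobody <nobody@example.invalid>\n"
               "Description: constructed example\n" % package).encode()
    control_tar = make_tar([("./control", control)], 0, 0, "root", "root")
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_tar)
            + _ar_member("data.tar.gz", data_tar))


def non_root_owned(deb):
    """Return (path, uid, uname, gid, gname) for data.tar members not owned by root.
    Names matter as much as numeric ids: a user of the recorded name on the
    target system ends up owning the files, which is the escalation in the report."""
    data = next(v for k, v in _ar_members(deb) if k.startswith("data.tar"))
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            if (m.uid, m.gid) != (0, 0) or m.uname not in ("", "root") \
                    or m.gname not in ("", "root"):
                bad.append((m.name, m.uid, m.uname, m.gid, m.gname))
    return bad


def reset_to_root(data_tar):
    """Rewrite data.tar so every member is root:root, as --root-owner-group does."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(data_tar), mode="r:*") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for m in src:
            m.uid = m.gid = 0
            m.uname = m.gname = "root"
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()


def demo():
    """Reproduce the report, then show the rebuilt package is clean."""
    leaked = make_tar(SAMPLE_FILES, *BUILD_USER)
    findings = non_root_owned(build_deb(leaked))
    after_fix = non_root_owned(build_deb(reset_to_root(leaked)))
    return findings, after_fix


if __name__ == "__main__":
    before, after = demo()
    for path, uid, uname, gid, gname in before:
        print("%-32s %s(%d):%s(%d)" % (path, uname, uid, gname, gid))
    print("after rewrite:", after)
```

For a real package the same information is visible in `dpkg-deb -c pkg.deb` (the owner column), and on an installed system `find /usr -xdev ! -user root -o ! -group root` lists what dpkg unpacked with non-root ownership. Passing `--root-owner-group` to `dpkg-deb --build` avoids the problem at the source, so the rewrite step here is only for inspecting or repairing an archive that was already produced.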
