Package: apt-cacher
Version: 1.5.3
Severity: normal
Tags: security
The apt-cacher daemon process has additional root group membership.
# cat /proc/$(cat /var/run/apt-cacher.pid)/status
Name: apt-cacher
...
Uid: 1003 1003 1003 1003
Gid: 1003 1003 1003 1003
FDSize: 64
Groups: 0
        ^^^
If root group access is abused (by some other/future bug), the apt-cacher
process can, for example, read passwords from /dev/input/event* ...
Simple fix:
According to `man perlvar' (/EGID), the setup_ownership subroutine should do
    $) = "$gid $gid";
Regards,
Kupson
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20-2-xen-amd64
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages apt-cacher depends on:
ii bzip2 1.0.3-6 high-quality block-sorting file co
ii libwww-perl 5.805-1 WWW client/server library for Perl
ii perl 5.8.8-7etch1 Larry Wall's Practical Extraction
apt-cacher recommends no packages.
-- no debconf information
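
The /proc check from the report, turned into a repeatable audit. This is an added example, not part of the original report or of apt-cacher; the function names are hypothetical, and the two status dumps are constructed from the excerpt above (the "fixed" one assumes the daemon ends up with only its own GID in Groups).

```python
# Constructed samples modelled on the /proc/<pid>/status excerpt in the report.
LEAKY_STATUS = """\
Name:\tapt-cacher
Uid:\t1003\t1003\t1003\t1003
Gid:\t1003\t1003\t1003\t1003
FDSize:\t64
Groups:\t0
"""
# Assumed post-fix state: supplementary list reset to the daemon's own GID.
FIXED_STATUS = LEAKY_STATUS.replace("Groups:\t0", "Groups:\t1003")


def parse_status(text):
    """Return the Name, Uid, Gid and Groups fields of a /proc/<pid>/status dump."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Name", "Uid", "Gid", "Groups"):
            fields[key] = value.split()
    return {
        "name": " ".join(fields.get("Name", [])),
        "uids": [int(x) for x in fields.get("Uid", [])],
        "gids": [int(x) for x in fields.get("Gid", [])],
        "groups": [int(x) for x in fields.get("Groups", [])],
    }


def leftover_groups(text):
    """Supplementary groups an unprivileged process kept beyond its own GIDs.

    A process that still holds UID 0 in any slot (real, effective, saved, fs)
    has not dropped privileges, so nothing is reported for it.
    """
    st = parse_status(text)
    if not st["uids"] or 0 in st["uids"]:
        return []
    return sorted(set(st["groups"]) - set(st["gids"]))


def audit(pid):
    """Run the same check against a live process (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        return leftover_groups(fh.read())


if __name__ == "__main__":
    print("leaky:", leftover_groups(LEAKY_STATUS))
    print("fixed:", leftover_groups(FIXED_STATUS))
```

A non-empty result for a daemon that is supposed to have dropped privileges means its supplementary group list was never reset.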