tags 662865 - patch
thanks

On Wed, 7 Mar 2012 08:05:42 +0100 Gian Piero Carrubba wrote:

> * [Wed, Mar 07, 2012 at 01:05:38AM +0100] Francesco Poli:
[...]
> >Thanks for providing a patch: if I understand correctly, you are
> >proposing to move the "< /dev/tty" out of the -c argument, so that it
> >applies to su, rather than to the browser command-line.
> 
> You're right.

Hello,
I've got news for you, but, unfortunately, it's not good news...

I managed to reproduce the issue (and this is good), but your proposed
fix is not a proper solution.
Moving the "< /dev/tty" out of the -c argument makes it possible to
start the browser, but, at least when using a text-based web browser,
such as w3m, the user is prevented from interacting with the browser
itself: as soon as the user presses any key on the keyboard, w3m exits
and the user is returned to the apt-listbugs prompt.
Worse, it seems that the pressed keys are sent to the apt-listbugs
prompt, without being visible on the terminal: this means that entering
one of the possible commands will fail and print the help...

Moreover, the problems caused by the security fix for the already cited
CVE-2005-4890 are not limited to the issue you reported.
Another bug report has been recently filed against apt-listbugs,
regarding another issue due to the same behavioral change in su: see
#662983, in case you are curious.

At this point, I hope that a radical solution may be found to fix both
this bug (#662865) and the other one (#662983).

I am sorry, but I am afraid you'll have to wait a little longer than
expected!  :-(


-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
